Is Operational Technology Creating Cybersecurity Vulnerabilities at Your Institution?

Officials responsible for cybersecurity can't overlook the devices and systems connected to their network.
Published: October 28, 2016

With so much focus on securing information technology, institutions might be exposing themselves to attacks through the operational technology connected to their networks.

Operational technology, or OT, can be hardware or software that controls physical devices or processes in a building. For many institutions, that includes systems like climate control, access control, lighting, video surveillance, aspects of electrical infrastructure and more.

“These [OT systems] are typically older, more vulnerable systems, with owners that haven’t necessarily been trained in cybersecurity best practices,” says Jon Williamson, a communications officer with Schneider Electric.

Williamson recently gave a talk on the dangers of exposed security systems as part of the Smart Security Summit at the University of Massachusetts Boston. In his presentation, Williamson encouraged security managers to assess the cybersecurity measures they have in place for OT systems.

——Article Continues Below——

Get the latest industry news and research delivered directly to your inbox.

The Operational Technology Landscape
People have been stressing the importance of securing information technology, or IT, since hackers first started disrupting businesses. Critical sectors of the economy, such as the banking and financial industries, depend on the security of their IT. As a result, IT has become what Williamson terms a “hard target.”

OT, on the other hand, is usually comprised of older systems with far longer life cycles. Many OT systems are insecure by design.

“There’s still a lot of maturing that needs to be done when it comes to OT building automation controls, typically things like temperature control, lighting control, access control, video,” Williamson says. “While it may sound funny, some of the physical security systems like access control are actually behind the climate control systems from a cybersecurity standpoint.”

RELATED: How to Confront the Cybersecurity Challenge

“It’s worth asking, ‘Do I really need this device smart and connected or can this be handled locally, away from the cloud?'”-Jon Williamson

Despite the potential dangers, many institutions across the country have sought to capitalize on the proliferation of the Internet of Things, investing in ‘smart’ systems that can optimize the performance of buildings. These systems can provide valuable data, streamline processes and communicate with other systems.

But the rush to leverage these features shouldn’t come at the expense of cybersecurity considerations. Security managers should look at every device that’s connected to their network as an opportunity for hackers to launch an attack.

“We’ve had smart and connected devices for years, but what’s happening is more and more devices are becoming smart and connected,” Williamson explains. “So now we’re seeing trash cans and bicycles that are smart and connected, but you’ve got to be mindful of those devices being a new attack vector. It’s worth asking, ‘Do I really need this device smart and connected or can this be handled locally, away from the cloud?'”

Institutions using OT systems, particularly universities with their transient population, should seek to lower their systems’ online footprint as much as possible.

Effective OT Management is Key
As institutions report an increasing number of cyberattacks on things like surveillance cameras and access control systems, security managers are realizing the need to shore up any network exposures caused by OT systems.

Fortunately, the list of possible methods to improve OT system security is long and familiar. General cybersecurity best practices like changing passwords regularly, updating your systems and educating your employees also apply to OT security.

Williamson thinks it’s important to put protections in place during the installation of systems.

“Anytime you read about a new vulnerability or attack vector, you should be asking your vendor about your system’s protections against it.”– Jon Williamson

“When you design your network with OT systems, you can segment things, so as you move from one layer to another you have higher security measures in place,” Williamson says. “You also want to make sure you’re only letting the right piece of information go through a device. For example, you could use a firewall with deep packet inspection, so if you’re using video cameras you can make sure that only things that are in video format are being streamed through the firewall and not some other message.”

Institutions can also monitor their OT systems for hacks, although that may be more difficult for universities. Checking login information, looking for both successful and failed attempts and other unusual activity, is a good way to find any threats. Paying special attention to remote connections that occur at odd times is a good way to recognize cyberattacks. Monitoring services that offer anomaly protection are especially useful for alerting officials if something doesn’t seem right.

Another step institutions should take is enforcing and, if necessary, defining their agreements with security contractors. Who is responsible for scanning your OT systems?

“Anytime you read about a new vulnerability or attack vector, you should be asking your vendor about your system’s protections against it,” Williamson says.

Of course, all these measures are only necessary if your OT systems are connected to your network. In some cases, it may make sense to cut off your OT systems or have them operate on a separate network altogether.

Overall, Williamson thinks a shift in focus toward OT cybersecurity is long overdue.

“You want an IT-grade firewall for your OT systems,” Williamson says. “People always talk about protecting their perimeter, but if you scan the internet you’ll find hundreds of OT devices on networks, and some of them don’t have any protections at all. That just can’t happen.”

Read Next: How to Protect Your ID Card Access Control System From Getting Hacked

Strategy & Planning Series
Strategy & Planning Series
Strategy & Planning Series
Strategy & Planning Series
Strategy & Planning Series