By Facility Executive Staff
From the August 2021 Issue
Cyber security threats are of significant concern to organizations, across virtually all industries. Historically, IT infrastructure was the target of hackers seeking to breach digital assets. Today, with the evolution of building systems and industrial control systems into the digital realm, these operational technology (OT) systems are now ripe targets as entry points for hackers. NIST (National Institute of Standards and Technology), part of the U.S. Department of Commerce, defines OT as follows: Operational technology (OT) encompasses a broad range of programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include industrial control systems, building management systems, transportation systems, physical access control systems, physical environment monitoring systems, and physical environment measurement systems.¹ Facility Executive spoke with Marty Edwards, vice president of OT security for Tenable, Inc., a cyber security firm based in Columbia, MD, about his insight on OT security for facility management leaders. The company is relied upon by over 30,000 organizations around the world to help them understand and reduce cyber risk.
Edwards is an OT and Industrial Control System (ICS) cyber security expert who collaborates with industry, government and academia to raise awareness of the security risks impacting critical infrastructure. At Tenable, Edwards works with government and industry leaders to reduce their overall cyber risk. Prior to joining Tenable, Edwards served as the Global Director of Education at the International Society of Automation (ISA), as well as the longest serving Director of the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
Facility Executive (FE): What is OT (operational technology) as it relates to buildings and related infrastructure?
Edwards: Industrial control systems (ICS) and operational technology (OT) are, simply put, the very fabric of the critical infrastructures that surround us. From the perspective of buildings and real estate, this could be systems involved with HVAC, energy usage, lighting controls, or even elevators—almost all of which have migrated to computerized systems and are now at risk from cyber-based incidents.
FE: Increasingly, cyber security breaches are in the news. For those related to OT, what observations do you have on the vulnerabilities that may have allowed these breaches?
Edwards: We are seeing an uptick of rogue actors accessing OT environments in a variety of ways. Not surprisingly and most typically they are performing reconnaissance and finding the “weak link” in the system. Oftentimes, OT environments are outdated, and were built for safety and reliability rather than security. We are seeing more attacks that start on the IT side and move to the OT side. This is often seen in converged IT/OT systems where the level of security is not where it needs to be. Increasingly, however, these same attacks are occurring in “air-gapped” systems. Historically, OT systems were air-gapped, meaning critical systems were physically isolated from other networks with the intention to keep them more secure. The reality is that even the most secure air-gapped environments may experience “accidental convergence,” where systems are unknowingly connected.
FE: Whether speaking to the previous question or OT cyber security in general, what “weak links” do you see as it pertains to buildings? What can facility executives do to strengthen their defenses?
Edwards: With the increase of sophistication in OT environments comes additional risk, particularly when IT and OT environments converge.
Each vendor or provider of a specific service usually will supply their own technology and network. Most of the time, these networks are interconnected into some type of building maintenance network. Unfortunately, it is often the case that “nobody” is given the responsibility to secure this environment; security falls between the cracks.
The reality is that OT security is hard—these systems were often not designed with security in mind. The opportunity for cyber attackers to probe and test them for vulnerabilities can have unintended consequences on the physical infrastructure they support. That’s why it’s critical for OT operators to get the basics right–everything from asset and identity management to prioritized mitigation of overall risk—to keep bad actors out.
Organizations must understand that securing OT systems also requires securing the IT side of the house. Most automated building environments are no longer air-gapped, which means they’re exposed to the outside world. This creates an expanded attack surface and provides cybercriminals with an opportunity to move laterally from IT to OT, or vice versa. Visibility and control over converged environments are foundational to any security program.
FE: Organizations across the U.S. (and the world) are at different places of the spectrum, when it comes to OT cyber security. Still, looking at the next 12 months or so, what should OT-focused professionals think about moving forward?
Edwards: Threat actors have been targeting OT environments across the world for years. Just look at the Ukraine power grid attack in 2015. Or Triton [malware] in 2017. Over the next year, I am confident that threat actors are going to continue this trend, poking and prodding at OT networks for a variety of reasons—instilling fear, monetary gain, etc. This includes the real estate and building automation sectors. Imagine having the heating system of a building in Chicago out of service during the winter because of ransomware.
Regardless of the adversary’s motivation, OT security professionals must not get distracted. They need to remain focused on the security basics. A little vigilance goes a long way. They should obtain visibility into their networks to understand the full threat landscape, work alongside IT teams to break the traditional IT/OT divide, and think carefully about risk mitigation plans—even considering an, “if, not when” mindset to ensure true preparedness for all potential threats.
¹ Source: https://csrc.nist.gov/
To learn more about Tenable, visit www.Tenable.com, a cyber security firm based in Columbia, MD. Through its Tenable.ot, the company’s customers use a single solution for visibility and control to secure IT assets alongside OT systems.
Share your thoughts in the Comments section below, or send an e-mail to the Editor at firstname.lastname@example.org.