Cyberattacks on industrial manufacturing and government facilities have been on the rise, but securing facilities takes more than just a shrewd and effective information technology (IT) department. There also needs to be buy-in from operational technology (OT) professionals, and perhaps someone to help bridge the IT/OT divide, according to Bryan Bennett, cybersecurity practice leader at Environmental Systems Design.
One of the roadblocks to getting OT professionals on board is that, for years, cyberattacks were simply not in their purview. Things like elevators, building signage and HVAC controls were all offline and fairly well protected from bad actors. But in the web-enabled present, everything from lobby TVs to company refrigerators, can be on a network and therefore become a vulnerability. In this modern environment, Bennett said, it’s more important than ever that IT and OT professionals learn to communicate and work together in securing facilities.
“Whether we’re talking about general facilities, HVAC, power, cooling, lighting, etc., those things used to not be on a network,” Bennett said. “Most IT leaders and IT managers … they have not historically ever been involved with anything facility related because there’s no data. Everybody manages their data environments. IT. Information technology. Not operational. So passwords get overlooked. They could just be all default passwords. Security patches are definitely overlooked.”
The ideal situation is for IT and OT professionals to communicate and work together organically, but it also helps to have a conduit between the two, somebody in the middle who can speak both languages. Some facility leaders have been in their buildings for decades, and these technologies were not in place for the great majority of their careers. They have to learn how to patch things without causing a facility outage, in the same way IT professionals do.
“As IT grows with technology, a lot of the facility leaders haven’t,” Bennett said. “They haven’t made that adjustment because it hasn’t been a requirement. Now that it is a requirement, I think it’s easier, in my personal opinion, to have that middle person rather than expect long-term facility leaders who haven’t been exposed to this learning curve [to get up to speed on their own]. To just dump it all on at once, they’re either not going to do it or they’re not going to do it well.”
Bennett is quick to mention that this has nothing to do with their commitment to the job or willingness to learn. They simply need someone who can walk them through the process. But it’s also useful to have a second set of eyes, whether that’s internal or external, to validate the work. Bennett likens this to leaving your house and then going back to double check that you’ve closed the garage door.
“They need to be able to be trained and know what’s important and how to do it,” Bennett said. “Then … there needs to be a point of validation. If somebody says, ‘I’ve done it;’ if you have an IT security guy who goes, ‘We’re good. I’ve checked it. I’ve done it,’ someone else has to look at it just to make sure.”
This advice isn’t just relevant to company employees; it’s also essential for outside vendors. Anyone hired to work in a building can threaten security, especially if they’re using their own external machines. As Bennett said, securing facilities can seem complicated, but it’s always more complicated to recover from a successful cyberattack than to prevent one in the first place.
In Part 1 of our interview with Bryan Bennett, he talked about the kinds of vulnerabilities hackers are looking for and the importance of enlisting a third party to check company defenses. And check out our ICS Pulse YouTube page to view previous installments from our expert interview series.