The world of industrial control systems (ICS) has been changing rapidly in recent years, with digital convergence and the industrial internet of things placing almost everything on networks. While this can be good for productivity, it also opens up a whole new universe of cybersecurity risk.
While most of the recent attacks, especially ransomware attacks, have targeted information technology (IT) systems, that doesn’t mean operational technology (OT) is in the clear. There are many more endpoints on the OT side, and the systems tend to be much older, making them uniquely vulnerable to attack, said Albert Rooyakkers, founder, chief executive officer (CEO) and chief technology officer (CTO) of Bedrock Automation. This can put businesses and national critical infrastructure at risk.
“For the most part, the installed base are kind of old,” Rooyakkers said. “They’ve been installed some of them even as far back as the late ’70s and early ’80s, at the dawn of the digital systems, going back to the early PLCs (programmable logic controllers) and RTUs (remote terminal units) and supervisory control and data acquisition (SCADA) systems. They simply weren’t designed to exist in this modern digital phenomenon where cybersecurity became an issue, and so there’s no real thought to the architecture. There’s no sense of understanding the sophistication.
“It’s kind of like they’re taking a stick to a gunfight. And through the exponential acceleration, Moore’s law and software development, the capabilities for cyber offense far, far exceed what is in the install base for cyber defense. They’re really highly vulnerable in so many ways, it’s almost impossible to describe or to create a reasonable impenetrable defense mechanism for many of these sites.”
There is one piece of good news: A sophisticated attack on an OT system is more difficult to orchestrate, and there is some intrinsic safety in that. Consider the recent spate of ransomware attacks: Those have been cases where cyber criminals attack IT systems and encrypt files to extract money from corporations. To launch a sophisticated attack on an OT system, the hacker would need an understanding of how the system under attack actually runs. For example, the attacker who infiltrated the water treatment facility in Oldsmar, Florida, understood what to do to upset the process. It’s not all good news, however.
“If it transitions, as a lot of people fear and concern for, from criminals to terrorists, where their intents are different, the damages will be far more severe because they’re not after the money, and they’re not going to get any money, either,” Rooyakkers said. “If you create an OT attack or an OT event, virtually without exception, these processes, these infrastructures, whether it’s a chemical plant, water, wastewater treatment plant, you will damage infrastructure. You will damage the process. People could get hurt, and the damages and downtime and other things will be far in excess of what they typically get in a ransomware attack.”
OT systems cannot be protected in the same manner as IT systems, and vice versa. But collaboration between the two sides is essential. According to Rooyakkers, there’s a lot IT and OT can learn from each other. Sadly, that communication doesn’t always happen.
“There’s no successful plan, there’s no successful thing, that can be done in a process without full collaboration between operators, engineers, the people that are inside the process, along with the people that own the business systems and responsibilities for those,” Rooyakkers said. “They cannot operate in isolation. Now, we see it in our customers, there’s lots of convergence where OT organizations are now reporting to IT, especially where they become more cyber sensitive because IT has some intrinsic knowledge of even the most fundamental terms and technologies and so on.
“But then you also see conflicts within the organization because an operator or an engineer or an applications person is saying, ‘These guys don’t know anything about the real-time world. They don’t understand real-time process control. Blah, blah, blah.’ That’s not going to work. You must have a coordinated effort, and always, always trust the people closest to the process. Trust the operations. They understand the intrinsic risk that you’re not going to get in the textbook. You’re not going to get with a computer degree. They understand where the ghosts are in the machine. It’s like any organization, you have to have good communication and collaboration or else you’ll fail.”
Replacing and updating legacy control systems can be a complicated process, but it’s not impossible. The key question is: What’s the appropriate evolution? Every site is different, and every customer has different needs and requirements. Older systems must evolve intelligently.
“You want to protect your system as long as possible, and you want to protect it in the lowest-cost, most evolutionary way,” Rooyakkers said. “You don’t want to spend millions for the sake of spending millions. You cannot disrupt or shut down a process unless it’s in a scheduled shutdown or some major window of repair. So all these factors have never changed. It’s always been that way and always will be. But in these sites where you do have CapEx (capital expenditures) and OpEx (operating expenses) projects or maintenance repair operations budgets, you need to spend that money in the most wise and appropriate way.”
Different vendors provide different evolutionary ways to upgrade equipment. Decision makers need to quantify and qualify the life cycle cost variables that matter most to them and compare that against vendors and technologies. Then they can come up with concrete decisions based on logic and data. According to Rooyakkers, the world needs new and different types of control systems. Time is moving forward, and systems need to respond to that natural, technological evolution.
“We are in a digital age, and this process of digitization is accelerating, so you need more advanced cyber tools and more advanced cyber technologies,” Rooyakkers said. “And I say ‘cyber’ as in computation. So control systems are a victim of the legacy and the infrastructure and the companies that have provided them for years and years and years. You now have five or six behemoth companies that fundamentally own the market, and they’re very, very vertically integrated.
“Solution is vertically integrated, and that would make good business sense as the companies and the technologies evolved, but it doesn’t necessarily make good sense anymore. You have to be able to fragment the stovepipe, as we say, so that you can get best-in-breed technologies from the sensor and actuation to the I/O (input/output) all the way through, say, the Purdue Model or all the way through the stovepipe. You want to ensure that you have interoperability across the suite.”
In Part 2 of our interview with Bedrock Automation’s Albert Rooyakkers, he will discuss zero trust architecture, its benefits and how some companies are using it successfully. And check out our Industrial Cybersecurity Pulse YouTube page to view previous installments from our expert interview series.