When it comes to industrial cybersecurity, there has long been a partition between the information technology (IT) and operational technology (OT) sides. The IT/OT divide isn’t exactly the Sharks versus the Jets, but it is hampering efforts to secure industrial facilities.
Cybersecurity is generally considered the domain of information technologists, or data professionals. But modern buildings are connected in ways facility managers never dreamed of 30 years ago. Everything from lobby signage to elevators to surveillance cameras is now web-enabled, which means it is ripe for exploitation by anyone with computer savvy and malicious intent. In the modern environment, OT professionals must be just as aware of threats and vulnerabilities, and know how to defend against them.
“It’s interesting because most [industrial facilities] are actually vulnerable honestly everywhere,” said Bryan Bennett, cybersecurity practice leader at Environmental Systems Design, a CFE Media content partner. “Anything that is on the network, whether it’s IT, OT, even the guest WiFi, if it is somehow connected to your internal environment, it could be a vulnerability.”
Bennett is a longtime IT professional who spent years protecting major companies like Dell and Wal-Mart, but he also has extensive facility experience, so he understands the IT/OT divide well. According to Bennett, modern hackers will often look for something obscure, or not as heavily guarded, on a network – something OT professionals don’t consider a vulnerability or haven’t been trained to protect. If there is a web-enabled security camera or lobby television that is still using the default password or hasn’t been patched, that’s enough of an opening to allow a bad actor to pounce. Once they get access, they will just sit in the system and slowly look around, trying to remain undetected.
“Most intrusions are over 200 days before they’re detected,” Bennett said. “So somebody literally has seven months-ish, on average, just to look around and see what they can find.”
So how can smart building managers protect their facilities? The only way to determine whether your industrial facility is secure, Bennett said, is to do an overall health check of the entire environment. He lists three primary tools that can help improve security: multifactor authentication, encryption of important files and regular patching.
“A hacker is probably better at infiltrating your environment than you are at protecting [it],” Bennett said. “Anything you can do to ensure that it’s really difficult for a hacker, they’ll simply move on, unless they just get obsessed with your environment. They’ll move on, and, sadly, that’s better than [them] hanging out in your world.”
Many companies believe all cybersecurity operations can be done in-house with their own IT team. But Bennett said bridging the IT/OT divide with communication and getting a third-party entity to “check the checkers” are essential steps.
“Every year, all the accounting departments everywhere go through an audit to make sure that the books are right so they can publish their financials,” Bennett said. “Security should be no different. You should have an outside source validate what you’re doing.”
In Part 2 of our interview with Bennett, he will discuss what IT security experts need from their OT counterparts, and vice versa. And watch for future installments from our expert interview series in the coming weeks.