Threats are potential sources of cyber-attack. They can come from within the organisation, such as dissatisfied or compromised employees, or from external entities, such as competitors and hostile countries. Generally, threats are motivated by a sense of achievement or by commercial gain. Sometimes, threats are motivated by revenge. It is impossible to eliminate such threats from the cyberworld considering the current geopolitical scenario and a highly competitive environment.
Vulnerabilities are the weaknesses in the system. There can be vulnerabilities in computers, software, processes and even in people. Threats exploit these vulnerabilities to launch cyber-attacks.
Exposure is the accessibility of computer systems and people to potential threats. When we are connected to the Internet, our computer/device is exposed to billions of users on the Internet. If our device has a vulnerability, a hacker (threat) can steal the data stored on our device.
Mitigating security risk involves:
- Identifying and controlling the vulnerabilities present in our systems and processes.
- Limiting the exposure to the extent it is required.
- Constantly monitoring the threats (based on intelligence from recent attacks across the globe) and implementing controls.
In the past, OT systems in factories were isolated from the enterprise network and only a few people in the factory had access to them. Most of the systems were proprietary and they were not interconnected. Though these systems may have had many vulnerabilities, threats were not able to gain access due to the limited exposure. However, organisations today are adopting IT/OT integration as it is proving to be a game changer for them. This integration exposes the OT systems to the external world, thereby increasing the security risk.
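To make the exposure argument concrete, here is an added example (not from the original article) that models network zones and the session-initiating flows the firewalls permit between them, then computes which OT zones an Internet-based threat can reach. The zone names and flow lists are constructed for illustration; the point is that exposure is a property of the permitted flows, and that the same IT/OT integration can be done with or without exposing the OT zones.

```python
from collections import deque

# Constructed zone topology. Each flow is (initiator_zone, target_zone): the
# initiator may open sessions towards the target through the firewall.
# Assumption: reachability over permitted flows is a usable proxy for the
# "exposure" of a zone to threats located at the source zone.
OT_ZONES = {"ot_scada", "ot_plc"}

# Historical state: OT is an island, only the enterprise is Internet-facing.
ISOLATED = [
    ("internet", "enterprise_it"),
    ("ot_scada", "ot_plc"),
]

# Naive IT/OT integration: enterprise hosts may open sessions into SCADA.
INTEGRATED_FLAT = ISOLATED + [("enterprise_it", "ot_scada")]

# Same business outcome via a DMZ: SCADA pushes data up to a historian and
# enterprise hosts read from the historian; nothing initiates into OT.
INTEGRATED_DMZ = ISOLATED + [
    ("ot_scada", "dmz_historian"),
    ("enterprise_it", "dmz_historian"),
]


def reachable_from(source, flows):
    """Breadth-first search over permitted flows; returns all zones reachable
    from `source`, including `source` itself."""
    seen = {source}
    queue = deque([source])
    while queue:
        zone = queue.popleft()
        for initiator, target in flows:
            if initiator == zone and target not in seen:
                seen.add(target)
                queue.append(target)
    return seen


def exposed_ot_zones(flows):
    """OT zones an Internet-based threat can reach under the given flows."""
    return reachable_from("internet", flows) & OT_ZONES


if __name__ == "__main__":
    for name, flows in [("isolated", ISOLATED), ("flat", INTEGRATED_FLAT),
                        ("dmz", INTEGRATED_DMZ)]:
        print(f"{name:9s} exposed OT zones: {sorted(exposed_ot_zones(flows))}")
```

Adding a single inbound flow from the enterprise into SCADA exposes every OT zone behind it, while the DMZ design keeps the integration and leaves the OT exposure at zero; vulnerabilities in the PLCs are unchanged in both cases, only the exposure differs.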
Since OT systems have limited hardware resources, it is not possible to run CPU-intensive advanced security software on these devices. Also, modern IoT/IIoT systems that run on standard operating systems, such as Linux and Windows, are prone to more known vulnerabilities. Unlike enterprise IT systems, it is not practical to apply security patches frequently to OT systems, so these vulnerabilities remain present for a longer time.
The result of a cyber-attack on OT systems could be catastrophic: it could cause a power plant to shut down, a chemical plant to explode or an entire transport network to be disrupted. The communication protocols in an OT network are different from those of an enterprise IT network. They are deterministic, time-sensitive and fault-tolerant, and they provide guaranteed delivery of commands and information. The security solutions of an IT network cannot simply be applied to OT systems.
In summary, OT security threats are real and OT systems are more vulnerable than IT systems. Securing OT systems requires domain expertise in OT devices, networks and protocols. It is critical that organisations approach OT security in a holistic manner instead of merely extending the currently available IT security solutions.