Mar 29 2023

ISC West: How IT and Operational Tech Put Energy and Utility Companies at Risk

Although the convergence of IT and operational technology is a vital aspect of Industry 4.0 initiatives, businesses must double down on their threat prevention and response.

Marco Ayala says he’s not an IT security professional. But to a large extent, he’s had to become one in his position protecting some of America’s most critical infrastructure: its energy facilities and chemical plants.

“I’m an automation professional with a background in control systems and safety,” Ayala said, speaking at ISC West, the leading trade show for physical and converged security, which is running through March 31 in Las Vegas. “These are things that run the plants in oil, natural gas and chemical facilities.”

Ayala, the global director of cybersecurity with the engineering firm Burns & McDonnell, said that energy, utility and chemical companies are in greater peril today, as the operational technologies they use to run their businesses are increasingly networked and “smart.”

“The traditional things you’re used to working with — such as cameras, gates and access control systems — that protect you on the physical side tend not to be very effective on the cyber side,” he told show attendees. On the contrary, those very technologies can themselves become sources of risk: “The technologies that you deploy, like video surveillance systems, have really evolved. Now they’re networked, they have internet protocol addresses, they have artificial intelligence. Even logbooks are digital, so we have to be very cognizant of the physical security implications of someone trying to sabotage, tamper, defeat or degrade your systems.”

Why IT and OT Are Converging

The convergence of IT and operational technology is a relatively new trend within the manufacturing, chemical and utility industries. For years, these organizations kept such systems separate, complete with siloed personnel departments to manage them. Businesses kept their OT systems off the internet.

The dawn of cloud computing and Industry 4.0, which ushered in advancements like smart factories and the Internet of Things, has changed that. Today, connected devices and real-time data are vital to automate and inform factory and plant operations.

But it does create a raft of emerging cybersecurity challenges that such industries are struggling to catch up with. “Here’s the thing,” Ayala said. “A lot of people can’t handle the truth, but the fact is, threat actors are going to get in, and we need to get past that.”

To illustrate his point, Ayala showed a graphic displaying the major security incidents affecting companies within the manufacturing, chemical and utility industries. The number of incidents occurring since 2010 was at least triple the number that occurred during the first 10 years of the century. One reason is the advancing sophistication of hackers, but another is the growing digitalization of systems that had previously been “isolated, siloed islands,” Ayala said.

Today, “we’ve enabled remote access,” he said, and the pathways used by authorized parties to access applications can be compromised.

Three Steps Utilities Can Take to Thwart Cybercrime

What can businesses do? First, they can look at what’s networked and ask themselves, on a case-by-case basis, whether it really should be. While much of the connectedness of modern industry is necessary, Ayala argued, some of it isn’t.

“All of this connectedness has made us vulnerable,” Ayala said. “I’m not saying that connectivity is not good. I’m just saying that we have to use sense in deploying these things.” For example, in most industries, making life more convenient for employees is a critical differentiator in the competition for talent. But for, say, an electric utility, is it worth the risk to allow an engineer to log in from home?

In the utility industry and within other critical facilities, many pandemic-related work-from-home adaptations should probably be rolled back, he said: “We do a lot of things for convenience, and convenience is our biggest enemy.”

Another counterintuitive step for such businesses might be to eschew a certain degree of vendor standardization, he said. It may seem reasonable to have the same company’s cameras facilitywide, for example, but it makes life a bit easier for hackers, who appreciate a nice, easy horizontal attack surface.

Finally, security leaders on both the physical and IT sides must ensure implementation of standards-based security protocols, such as the 62443 series of standards, produced jointly by the International Society of Automation and the International Electrotechnical Commission. The 62443 standards are themselves built on the broader National Institute of Standards and Technology’s Cybersecurity Framework, a critical guidebook for security professionals in every industry.
