Smart Nation Singapore: Time to renew the focus on OT Security

Article by Rafael Maman, VP of OT Security at Sygnia

As Singapore charts its path toward a world-class, tech-driven city-state, the potential for a successful cyber-attack on the myriad of technological systems required to power this vision must not be overlooked. Digitalization is only accelerating the threat.

The modern metropolis has no dearth of critical infrastructure, from its highly automated ports and vital desalination and water treatment plants to its globally renowned airport. In terms of industries, there are the petrochemical and energy hubs on Pulau Bukom and Jurong Island, high-value semiconductor plants, as well as scores of data centers – the list goes on.

Critical infrastructure is crucial to public health, safety, and economic prosperity. At the heart of these installations is a multitude of hardware and software known collectively as Operational Technology (OT). Operating far from the public eye, OT systems ensure the smooth and efficient functioning of physical systems such as industrial machinery and equipment.

Like all digital systems, OT systems can be compromised by malicious actors. However, while corporate cyber security incidents are often localized in scope, cyber-attacks that successfully sabotage critical infrastructure can have a significant and wide-ranging impact. Indeed, incidents abroad have demonstrated that such attacks can disrupt national security, precipitating economic turmoil and profoundly impacting entire communities.

The OT security vulnerability

OT systems are hardly new, so what has changed to amplify the threat? Where OT systems previously operated within standalone, isolated environments, today’s systems, driven by the fast pace of digital transformation initiatives, are increasingly interconnected with traditional corporate information technology (IT) networks.

For instance, manufacturers often run their enterprise resource planning (ERP) systems from the cloud or deploy smart sensors on the manufacturing floor, while airports and public transportation are turning to artificial intelligence (AI) and analytics platforms to enhance security and improve passenger comfort. Organizations such as hospitals, commercial offices, and shopping malls, with their ever more sophisticated Building Management Systems (BMS), have more OT systems than most realize.

Making these systems work entails connecting the traditional operational systems, cameras, and other Internet of Things (IoT) devices to existing IT systems. Consequently, many OT networks now interconnect with IT networks.

This is a problem, as the inherent security weakness of OT systems is well-known and indisputable. This is partly because the vast majority of OT systems are powered by old-paradigm Programmable Logic Controllers (PLCs) and Distributed Control Systems (DCSs), which are designed for reliable operations in harsh industrial environments. In fact, the first commercial PLC system was introduced in 1969, a few years after the independence of Singapore in 1965.

It would be fair to say that the security considerations envisioned by the inventors of the PLC and the DCS more than four decades ago differ significantly from those of the present day. To strengthen OT systems, the Purdue framework, first created in the early 1990s, was deployed as an underlying framework for segmenting the system and shielding OT systems from malware and cyber-attacks. However, it is inadequate to cope with the growing digitalization of the last decade.

Experts have advocated for the creation of “air gaps” or the complete separation of OT systems. While this may work as an interim measure, such demarcations greatly hinder businesses’ ability to reap the benefits from their technological innovation and digital transformation efforts. In the long run, this harms their competitiveness.

Adopting a new paradigm

The growing number of cyberattacks against IT networks invariably impacts critical OT systems. Today, we must adopt a holistic approach toward securing industrial systems and treat such systems as an integral part of the broader digital estate of the enterprise. This means identifying critical facilities to adequately monitor and protect them in the context of the wider enterprise, as well as investigating attacks and remediating breaches with security teams well-versed in both IT and OT systems.

The only viable long-term strategy is to adopt a new architecture for OT designed from the ground up for today’s and tomorrow’s threats, adhering to a concept called “secure by design”. The industry is making a concerted effort on this front through initiatives such as the Open Process Automation Forum (OPAF). With a vision to design a standards-based and secure architecture, OPAF currently has hundreds of active members, including the largest global manufacturing companies, suppliers, academics, consultants, and numerous end-users of OT systems.

To progress this vision, the Open Group has developed the Open Process Automation Standard (OPAS) for the development and deployment of open, secure, and internet-native OT systems. By advocating for vendor-neutral technology standards and certifications, the group seeks to offer a pathway toward this future through a gradual transition.

Similar initiatives are being undertaken by others that share the same vision. One worth mentioning is NAMUR, an association of automation technology and digitization in the process industry. Its concept is similar to OPAF, albeit not as far developed. The good news is that the teams behind OPAF and NAMUR have already started working on integration, hopefully ushering in the long-awaited transition to a more secure OT architecture.

As organizations move to tap the capabilities that technologies such as AI, autonomous mobility, and edge computing offer, it is vital that we safeguard our industrial capabilities from malicious digital disruption. Only by prioritizing the security of critical infrastructure can nations such as Singapore guarantee the smooth functioning of a digital-first nation in the face of ever-evolving cyber threats.

With initiatives such as OPAF and NAMUR, the road ahead looks promising. Yet, the stakes are simply too high for us to demur or wait for future transitions to take hold. The threat to critical infrastructure is clear, and we need to renew our focus on OT Security sooner rather than later. The time to act is now.

The views in this article are those of the author and may not reflect the views of Tech Wire Asia.