Discussing cyberattacks vs system failures.

This week at SecurityWeek’s ICS Cyber Security Conference, OT/ICS Security Practice Manager at IBM David Lancaster Jr. led a session called “Was it an OT Cyberattack or a System/Asset Failure or Both?” He talked about how in the past, if an incident occurred, it was a system failure, but today, we have to distinguish what could be a system failure, asset failure, or cyber incident.

Air-gapped systems no longer exist.

“Fully air-gapped systems where we are today truly don’t exist,” Lancaster said. He goes on to explain that a convergence of OT and IT is here; that as legacy systems go out of commission and get replaced, digitally-connected IoT systems replace them. Manufacturing and critical infrastructure are also increasingly targeted by malicious actors.

Anyone who makes or moves something.

Lancaster references an IBM study that said that the industrial sector (which he defined as “anyone that makes something or moves something”) is ranked number one for attacks, and that 67% have had a security incident related to IoT or unmanaged devices. He also notes how this affects healthcare, as it is a major issue for that industry as well. A lot of security incidents also go unreported, referencing a story from his daughter-in-law that works at a manufacturer that had an incident.

Unique challenges for OT/ICS security.

“OT/ICS security comes with its own set of challenges,” Lancaster said. Challenges include a lack of knowledge about cyber assets, a limited understanding of OT system vulnerabilities, lack of OT cyber manpower, too many legacy systems, and a lack of preparation for OT/IT integration. “Some of the techniques that you use in IT just do not work in the OT space, so that’s part of that work we’ve got to do as practitioners and teams to figure out how are we best going to make this work,” Lancaster explained, highlighting a need for dedicated OT manpower.