Re-assessing the importance of operational technology outside of critical infrastructure

Some CISOs believe there is no need to assess risks in operational technology (OT) or establish an enterprise OT cybersecurity standard — because they don’t run OT. However, I believe OT is a blind spot that is often overlooked. If your office resides in a building, you are already relying on the safety and availability of building management systems. This comprises a slew of hardware and software – lifts; heating, ventilation and air-conditioning (HVAC); a door access control system; as well as the internet of things — which all fall under OT.

As we observe greater IT/OT convergence and the growing prevalence of smart buildings, the risk of exposure to cyber threats is larger than ever — and therefore requires a concerted effort to manage such risks. OT that was previously unexposed is now increasingly vulnerable, thanks to the acceleration towards Building 4.0, in which smart sensors are deployed extensively, alongside remote access for predictive analytics.

A few examples

A prime example of this was when hackers exploited a smart thermometer in a fish tank to gain access to a casino’s network and database. In this case — which was reported in 2018 — hackers allegedly pivoted through the compromised IoT thermometer and stole information from the casino’s high-roller database. Some research also shows that hackers can use a tool like HVACKer to breach seemingly innocuous air-conditioning units, sending instructions to targeted hosts.

Cyber-attacks involving HVAC systems have already taken place. In 2013, two security researchers found that they could hack Google Australia’s network through the HVAC system in the company’s building — and in 2016, Kaspersky researchers also exposed how a hacker could exploit air conditioners across a city to turn them on and cause a power surge that would cripple a town’s power grid.
More recently, in 2022, it was also reported that uninterruptible power supply (UPS) products made by a renowned industrial-equipment manufacturing company were affected by critical vulnerabilities that can be exploited to remotely hack and damage devices. Purportedly, hackers can remotely update the UPS firmware and use it as an entry point for a ransomware attack or other malicious operations. In fact, a proof-of-concept exploit was developed that caused a UPS’s internal circuitry to heat up until it emitted smoke and became completely damaged.

Potential breaches to OT and the industrial internet of things (IIoT), including those used in smart buildings, were concerning enough for Singapore to develop a technical reference in 2023 to provide guidance on securing cyber-physical systems in smart buildings.

Do we sweat the small stuff?

But how much should enterprise CISOs focus on protecting OT that is not typically considered ‘core’ to their business? Companies don’t often place much importance on securing building lifts and air-conditioners. Does the lower likelihood of an attack on ‘peripheral’ OT or IIoT mean fewer resources should be allocated to protecting them? How can security leaders strike a good balance between ‘not sweating the small stuff’ and, at the same time, taking this seriously?

Ultimately, it all boils down to adequate threat modelling and risk assessment to determine what these risks mean to the enterprise. The extent to which we need to manage non-core OT would not be less than managing test and development environments, the digital supply chain, and shadow IT. We often learn of breaches in these areas and the ensuing collateral damage to the enterprise due to a lack of focus arising from inadequate threat modelling and risk assessment.

The ‘balance’ is achieved when there are risk governance processes in place and risk treatment is optimal. To achieve that, we first need to identify all such ‘peripheral’ OT and IIoT assets.
After all, we can only protect what we know. Performing a business-impact assessment by evaluating the threat vectors as well as the impact of breaches in relation to the organisation’s operations, safety, reputation, financial health, and regulatory commitments (just to name a few) must minimally be in place.

The bigger picture

Beyond protecting the enterprise alone, OT security is also about playing our part in securing the ecosystem. In 2016, hackers used the Mirai botnet to launch successful DDoS (distributed denial-of-service) attacks against DynDNS — disrupting websites such as Reddit, Twitter, Amazon, Netflix, and the BBC. As many as 300,000 insufficiently secured IoT devices – including baby monitors and security cameras — were compromised and controlled by such botnets. An enterprise could also be brought to task if negligence was found to have resulted in weakly secured enterprise IoT equipment being used to attack critical information infrastructure.

So the next time a CISO claims that his enterprise does not employ any OT — ask if there is HVAC running within the data centre, how employees access the office, and whether there is a lift in the building. As for those who deem these inconsequential to the overall security of an enterprise, it’s time to think again.