Over the past two decades, the focus has been on information security to protect data. This priority remains important.
What is operational technology? While information technology covers your email, relational databases, documents, and other data applications, operational technology performs non-data functions. Some companies don’t have a lot of non-data functions. Banks and insurance companies, for example, are almost entirely data-driven – their products and services are all easily expressed in ones and zeros. But heavy industry is different. Manufacturing facilities, railways, pipelines, oil fields, chemical processing plants are all operations that can be improved through the application of technology. But this technology makes the operation of physical machines and tools more efficient and effective.
But the change of administration and the Continental Pipeline incident shifted attention to operational technology and functional resilience. Protecting data is important, but ensuring that the business continues to operate is vital.
According to the NIST Glossary, Operational Technology describes “programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems/devices detect or cause direct change through monitoring and/or control of devices, processes and events. Examples include industrial control systems, building management systems, fire control systems, and physical access control mechanisms.” Most companies operate these systems, but for some, the systems are the heart of their business.
Recent government actions have focused on protecting critical infrastructure, which may be data-driven, such as the health and finance sectors, or built on operational technologies, such as the energy, transportation, and health sectors. The Department of Homeland Security released new pipeline security requirements this summer. The National Institute of Standards and Technology has updated its extensive set of standards and recommendations for operational safety, covering manufacturing, energy and transportation protections. The presidential decree on cybersecurity pushes federal agencies to demand operational protection and resilience, and to propose standards to help this cause.
The government is focusing on protecting these systems with new sets of requirements and standards. In these discussions, data is not the central element. The watchword of operational technology is resilience. A business must be able to protect these systems from attack, isolate them from the most exposed information networks, and be ready to replace or reactivate them if something goes wrong.
One of the most obvious ways to protect operational systems is to “space” them out from the rest of the business systems. In other words, we know that hackers and ransomware actors can use the complexities and vulnerabilities of data networks to gain access to corporate systems. When these information systems are directly connected to operational systems, then an attack against the former can lead to the infiltration of the latter. It is important to build firewalls between the systems.
But, in today’s data-driven businesses, firewalls can be porous, as enterprise-wide management systems and newly connected IoT devices return an ever-growing supply of operational data to management for analysis and assistance. Every business that harnesses the power of its own operational data runs the risk of allowing hackers to access these channels. If you can access the machine, then a bad guy may be able to access the machine just by pretending to be you. For this reason, every connectivity and sharing decision regarding operational systems must also consider whether an intruder in the data systems can gain access to the operational systems.
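The connectivity question raised above can be checked mechanically. The following is an added example, not part of the original article: it walks a list of allowed network flows and reports every chain of hops by which a data-side zone can reach an operational zone. The zone names, services and flow list are constructed for illustration.

```python
from collections import deque

# Constructed sample: allowed flows between zones as (source, destination, service).
ALLOWED_FLOWS = [
    ("internet", "corp_it", "https"),
    ("corp_it", "dmz_historian", "sql"),
    ("iot_sensors", "dmz_historian", "mqtt"),
    ("dmz_historian", "ot_control", "opc-ua"),  # reporting link that also opens a way in
    ("ot_control", "dmz_historian", "opc-ua"),  # outbound push of operational data
]
OT_ZONES = {"ot_control"}

def path_into_ot(flows, start, ot_zones):
    """Breadth-first search: shortest chain of allowed flows from start into an OT zone."""
    adjacency = {}
    for src, dst, service in flows:
        adjacency.setdefault(src, []).append((dst, service))
    queue, seen = deque([(start, [])]), {start}
    while queue:
        zone, path = queue.popleft()
        if zone in ot_zones and path:
            return path
        for dst, service in adjacency.get(zone, []):
            if dst not in seen:
                seen.add(dst)
                queue.append((dst, path + [(zone, dst, service)]))
    return None

def exposed_zones(flows, ot_zones):
    """Map every non-OT zone that can reach an OT zone to the path it would use."""
    zones = {z for src, dst, _ in flows for z in (src, dst)} - set(ot_zones)
    exposed = {}
    for zone in sorted(zones):
        path = path_into_ot(flows, zone, ot_zones)
        if path:
            exposed[zone] = path
    return exposed

if __name__ == "__main__":
    for zone, path in exposed_zones(ALLOWED_FLOWS, OT_ZONES).items():
        hops = " -> ".join(f"{dst} ({svc})" for _, dst, svc in path)
        print(f"{zone} -> {hops}")
```

Removing the inbound `dmz_historian` to `ot_control` rule while keeping the outbound push leaves the reporting channel intact and the result empty.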
Even if the operational technology is properly isolated and hackers cannot reach it from other business systems, simple security procedures should be in place. There is no network security without physical security – physical access to any machine creates opportunities for hacking. So while network security can keep out hackers halfway around the world, physical security can thwart local saboteurs and hackers. But your own operators need to access the data on these machines and the operational management technology that controls them, and your business needs to minimize the risks associated with this process. For example, most companies with strong security systems keep machines available on-site to perform checks on USB drives that operators use to interact with company systems. Insert the USB drive, run diagnostics to confirm that it does not contain malware or open unwanted communication channels, and record the results before the drive is inserted into corporate operational systems. For minimal cost in time and money, a major risk is mitigated.
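The USB check-in routine described above, sketched as an added example that is not part of the original article: it hashes every file on a mounted drive, flags executables and auto-run or script files, and appends the verdict to a log before the drive is cleared for use. The heuristics, deny list and log format are assumptions and a simplified stand-in for a real malware scanner.

```python
import hashlib, json, os, time

# Assumed heuristics for illustration; a real kiosk would also run an AV engine.
EXEC_MAGIC = {b"MZ": "Windows executable", b"\x7fELF": "ELF executable"}
RISKY_NAMES = {"autorun.inf"}
RISKY_EXTS = {".lnk", ".scr", ".bat", ".ps1", ".vbs", ".js"}

def inspect_file(path):
    """Hash one file and list the reasons, if any, it should not enter the plant."""
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        head = fh.read(4)
        sha.update(head)
        for chunk in iter(lambda: fh.read(65536), b""):
            sha.update(chunk)
    reasons = [label for magic, label in EXEC_MAGIC.items() if head.startswith(magic)]
    name = os.path.basename(path).lower()
    if name in RISKY_NAMES or os.path.splitext(name)[1] in RISKY_EXTS:
        reasons.append("auto-run or script file name")
    return {"sha256": sha.hexdigest(), "reasons": reasons}

def scan_drive(mount_point, known_bad_hashes=frozenset()):
    """Walk the mounted drive and build the report that gets recorded."""
    findings, count = [], 0
    for root, dirs, files in os.walk(mount_point):
        dirs.sort()
        for fname in sorted(files):
            full = os.path.join(root, fname)
            result = inspect_file(full)
            count += 1
            if result["sha256"] in known_bad_hashes:
                result["reasons"].append("hash on deny list")
            if result["reasons"]:
                findings.append({"file": os.path.relpath(full, mount_point), **result})
    return {"scanned_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "files_scanned": count, "findings": findings,
            "verdict": "reject" if findings else "accept"}

def record_result(report, log_path):
    """Append the report as one JSON line so every check-in leaves a record."""
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(report, sort_keys=True) + "\n")

if __name__ == "__main__":
    report = scan_drive("/mnt/usb")  # assumed mount point of the drive under test
    record_result(report, "usb_checkin.log")
    print(report["verdict"], report["findings"])
```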
When it comes to risk management, nothing beats personal responsibility. Only one person within your organization should be responsible for protecting operational systems and should report at least to senior management, and possibly the board of directors, at least annually, on the progress of securing this essential business asset. And nothing supports personal responsibility like a budget. The assigned Operational Security Owner must also propose a budget and receive corporate funds to achieve corporate security goals. Designating someone to handle the problem without funding the priorities can be used by adversaries in litigation or by regulators to show that a company is not taking the problem seriously. Additional security is always difficult to defend with the CFO of the company, but a company’s budget is an indicator of its priorities. Adequate funding for resilient operations will always be important.
Many other operational protections are specific to the types of machines and the hazards they deal with. Protecting a factory will always be different from fighting fires in an office complex or protecting pipelines. Complexity cannot be an obstacle to prioritizing protections. We have talked for two decades about the importance of data security. It’s time to shine the spotlight on the equally important task of sustaining resilient, technology-driven operations.