As cyber attacks grow more sophisticated and the risks to critical national infrastructure increase, utilities need robust safeguarding of their Operational Technology. Esther Bellingham, Head of Cyber Services at Enzen UK, explains why it’s important to differentiate between OT and IT and why a holistic view anchored in balanced risk management is paramount.
The digital frontier is evolving quickly, merging the once-clear lines between Information Technology (IT) and Operational Technology (OT).
This intermingling within the UK's utility sectors presents heightened vulnerabilities to core infrastructure, a concern underscored by the National Risk Register 2023. This register alarmingly predicts a 5% to 25% likelihood of a major cyber attack on the UK's energy infrastructure over a mere two-year horizon.
Ofgem, the UK's energy regulation authority, has discerned the intensifying cyber threat landscape. Its proactive response has transitioned from the basic Cyber Assurance Framework (CAF) to an Enhanced CAF (eCAF). This leap indicates a recognition of the evolving challenges and demonstrates a commitment to bolstering cyber resilience in the utility sector.
A fundamental directive of the CAF mandates organisations to establish and maintain an exhaustive asset inventory while proactively addressing unauthorised assets. For many in IT, manual inspection combined with basic tools like Excel spreadsheets suffices. However, in the OT realm, such rudimentary measures, devoid as they are of live data insights and nuanced system simulations, are inadequate.
Harnessing advanced tools for enhanced security
The superiority of passive asset discovery tools in this context is evident. Operating continually and autonomously, they pinpoint unauthorised devices and activities, leveraging historical data. Such tools are invaluable in OT environments with older systems that resist new software agent updates.
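The reconciliation step behind this kind of passive discovery, as an added example that is not from the article or from any vendor's product: devices seen in captured traffic are compared with the authorised inventory, and the observation history supplies first-seen and last-seen times. The record layout, asset names and MAC addresses are constructed, and the check for inventoried assets that have gone silent goes one step beyond what the article describes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authorised inventory: MAC address -> asset name (hypothetical).
INVENTORY = {
    "00:00:5e:00:53:01": "plc-pump-1",
    "00:00:5e:00:53:02": "hmi-control-room",
    "00:00:5e:00:53:03": "historian",
}

# Constructed passive observations (timestamp, source MAC, protocol), as a
# sensor on a tap or mirror port might log them. Nothing is sent to devices.
OBSERVATIONS = [
    ("2024-01-01T08:00:00", "00:00:5e:00:53:01", "modbus"),
    ("2024-01-01T08:05:00", "00:00:5e:00:53:02", "modbus"),
    ("2024-01-08T02:10:00", "00:00:5E:00:53:AA", "modbus"),
    ("2024-01-09T02:12:00", "00:00:5e:00:53:aa", "http"),
    ("2024-01-09T08:00:00", "00:00:5e:00:53:01", "modbus"),
]

def reconcile(inventory, observations, now, silent_after=timedelta(days=7)):
    """Return (unauthorised devices, inventoried assets not seen recently)."""
    first_seen, last_seen, protocols = {}, {}, defaultdict(set)
    for ts, mac, proto in observations:
        seen_at = datetime.fromisoformat(ts)
        mac = mac.lower()  # normalise so case differences do not split a device
        first_seen[mac] = min(first_seen.get(mac, seen_at), seen_at)
        last_seen[mac] = max(last_seen.get(mac, seen_at), seen_at)
        protocols[mac].add(proto)
    # Seen on the wire but absent from the inventory: candidates for review.
    unauthorised = [
        {"mac": m, "first_seen": first_seen[m], "last_seen": last_seen[m],
         "protocols": sorted(protocols[m])}
        for m in sorted(first_seen) if m not in inventory
    ]
    # In the inventory but never or not recently seen: possible stale records.
    silent = sorted(
        name for mac, name in inventory.items()
        if mac not in last_seen or now - last_seen[mac] > silent_after
    )
    return unauthorised, silent

if __name__ == "__main__":
    unknown, quiet = reconcile(INVENTORY, OBSERVATIONS, datetime(2024, 1, 10))
    for device in unknown:
        print("unauthorised:", device["mac"], device["protocols"])
    print("silent inventory entries:", quiet)
```
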
Data vs process: delineating the divides
Within cybersecurity, distinguishing IT from OT is paramount. Succinctly, IT centres around data protection, while OT revolves around process safeguarding. Missteps emerge when IT-centric security mechanisms are imposed on OT settings. Consider the scenario of legacy Rockwell Automation switches within OT frameworks. These aged switches present many challenges, from non-existent patches to vulnerabilities against aggressive scanning.
From methodology to desired outcomes
However, securing these switches demands versatile, proactive measures – distinct from tools like passive asset discovery. This highlights the necessity for an integrated, nuanced strategy to bridge the IT-OT cybersecurity divide, driven by end goals rather than pre-existing methods or processes.
Utilities must navigate the intricacies and overlaps within IT and OT frameworks. A holistic view anchored in balanced risk management is paramount, superseding a mere emphasis on technical control uniformity.
As the shadow of cyber threats grows, stakeholders in critical national infrastructure must espouse a comprehensive, outcome-oriented approach to ensure their organisations' security.
The introduction of Ofgem's eCAF signals a pertinent shift in this direction. Embracing this shift, while understanding the inherent challenges of OT, is the roadmap to a future that marries technological advancement with robust security.
If you’d like to discuss the issues raised in this article, contact Esther at esther.bellingham@enzen.com.
About the author
Esther Bellingham has more than 30 years of industry experience across energy, utilities and manufacturing. Her specialist areas include cybersecurity, OT security, risk management, cloud security and IT/OT convergence, focused on preparing organisations for Industry 4.0 and beyond. As Head of Cyber Services at Enzen, she is responsible for developing best-practice cyber solutions for our utility customers so they can transition to become the digital utilities of the future.