Malicious actors who threaten information technology (IT) can have disastrous outcomes for businesses, but attacks on operational technology (OT) can be fatal.
The culture in the OT world is intolerant of failure, says Professor Iain Murray, Deputy Head of School for the School of Electrical Engineering, Computing and Mathematical Sciences at Curtin University, and co-chair of the Curtin Cisco Centre for Networks.
This leads to simplicity rather than efficiency as the risk of greater complexity is too high.
"When you start to bring in things like operating systems on a control device, we've got the complexity, which means there's bugs, which means it's dangerous. So people will tend to keep things simple, rather than making them more efficient, if it adds complexity because of the risk of the complexity," says Murray.
“As soon as you start connecting things to the internet, you've got holes, and there's no way around it, you're always going to have holes. And the amount of damage you can do to an OT system with any sort of real access is severe. Simply injecting incorrect readings can cause catastrophic failures.”
According to Murray, the physical security of OT was traditionally where efforts were directed.
“There was no connection, if you couldn't get physical access to the equipment, you couldn't do anything. So there was very little thought given to securing it from the network protocols or the connectivity side of things. There was a lot of effort taken to ensure that things were physically secure. So operators couldn't get to things if they weren't meant to.”
The protections that existed were to minimise operational error and to create fail-safes to prevent mistakes, says Murray.
“Things go wrong in the OT environment, people can die. So it's a very different sort of environment and a much different priority. So your priority is not so much on your uptime, it's on your no failures. And things can fail and you can still have things up and running or running slowly, for example.”
“If something is up and running, but it's running slowly, and that thing was checking the temperature of a nuclear reactor, that's a major issue. And that's a danger.”
The key advantage in connecting operational technology to the internet comes down to one simple reason: data.
When data sits separately to IT, it can prove difficult to extract and analyse, he says.
“If we can start providing links out securely to the cloud, or to the IT infrastructure, analysis can be done on that data. And we can find marvellous new ways of doing a vast array of things, even if we just look at predictive maintenance. So we fix things when we think they're not going to fail, not at fixed intervals or after they’ve failed.”
“This brings in the machine learning and the AI on that large data and it just has fast benefits to the industry.”