It’s hard to overstate the transformative nature of cloud computing. Cloud’s many benefits—agility, flexibility, scalability—are being utilized by organizations of all sizes. Even technology-based critical infrastructure like water purification, electric grids and traffic systems are being deployed and managed in the cloud.
That’s why the recent headline—“Dangerous Stuff: Hackers Tried to Poison Water Supply of Florida Town”—caught my eye, in much the same way those sensational headlines on supermarket tabloids do. But this was no joke: If not for the alert eye of a municipal employee, thousands of residents could have been drinking water with dangerously high levels of the main ingredient in drain cleaner.
Of course, this was hardly the first time operational technology (OT) systems have been attacked and, in many cases, breached—sometimes with stunning impact. You don’t have to be in the international intelligence community to have heard of Stuxnet and to see how OT systems can be surreptitiously attacked.
And more than a decade ago, the Idaho National Laboratory tested the potential for a cyberattack to disrupt and disable key components of the local electric grid. The short answer: Yes, it could very well destroy those components.
An Attractive Proposition
As more OT systems go digital, it makes more business sense to consider whether to move them to the cloud. And, for many of the same reasons organizations moved IT to the cloud—improved agility, faster responsiveness, economic benefits, greater flexibility on resource utilization, to name a few—moving OT to the cloud can be an attractive proposition.
But securing OT systems in the cloud is quite different from securing cloud-based IT systems. It’s important for business executives and board members to recognize that these newsworthy hacks of OT systems are just the tip of the iceberg. Undoubtedly many organizations have had their OT systems breached and have simply not been aware—yet. And OT systems, many of which are part of the overall national critical infrastructure, especially those that are the responsibility of municipalities (electric grid, water supply, traffic management), are ripe targets for ransomware and other malicious attempts by groups as diverse as rogue nation-states and disgruntled employees.
Organizations also must make security a priority for cloud-enabled OT systems for another reason: The increasing propensity for remote workers to access and manage cloud-based OT systems remotely, away from an office setting. This is not a trivial issue, and it is going to spur organizations to think about cloud-based security from a platform perspective, rather than as a series of individual point products.
The good news is that cloud security is more robust, stable and feature-rich than ever. Approaches like Zero Trust, the shared-responsibility model of cloud security and platform-based cloud security have served to dramatically enhance security at all levels—data, application, device and platform. And organizations are taking cyber risks very seriously, as evidenced by the fact that global spending on OT security will soar to $37.6 billion by 2023.
But business and technology leaders who want to move OT systems to the cloud need to keep a few fundamental things about OT for the cloud in mind.
OT in the Cloud Makes Sense, But…
First, most OT environments are “aged,” in that they’ve been around forever and have not always been updated with modern, cloud-ready digital technology. Most OT systems were never actually designed for the Internet; employees responsible for patching OT systems have been doing it through command lines and serial cables.
Second, many OT systems have been designed and managed in what I call a “castle and moat” defensive framework. In this model, security is delivered by physically and virtually walling off access to systems using zones to separate systems, and unidirectional data flow, all managed through very tightly controlled credentials. But in moving to the cloud, organizations may find that losing that “moat” around OT systems like water purification, SCADA, traffic and irrigation control makes people feel more than a little uneasy.
Third, it’s important to keep in mind that dealing with virtual infrastructure (the cloud) to manage and secure physical systems with knobs, faucets and valves is new territory to organizations.
These and other factors result in an important truth: Moving OT to the cloud expands the cyber risk footprint, and cloud security strategies and tactics should be rethought and rearchitected.
What’s Your OT Security Strategy?
One thing business leaders have always understood, and have typically used in evaluating the benefits of moving IT to the cloud, is assessing new risks and weighing those against new benefits. The same should be done for OT-based cloud security.
But as I mentioned earlier, your OT-based risks are very different, and are often far, far more devastating to the organization, than IT-based risks. I’m not going to diminish the impact on productivity, user experience and customer relationships if a cloud-based customer self-service portal goes down. Those and other IT workloads are very important to the organization and carry both tangible and intangible risks.
However, compare that with what happens if a robotics-based assembly line is hacked, or a cloud-based air filtration system is compromised. Those carry substantial regulatory, legal, and, of course, safety risk that can undermine an organization’s core mission to its stakeholders and even cause physical harm. Many CEOs, especially those in place for more than a few years, may not have fully understood what it would be like to have computer-controlled assembly lines secured in the cloud.
This requires not only new, purpose-built security tools that go beyond what your cloud service provider delivers, but a new way of strategizing OT security. For instance, looking at cloud security at the platform level, rather than as a series of disparate devices and tools, is a much smarter way to go. This cloud security platform needs to be planned, designed, deployed and managed in a way that accounts for an increasingly remote workforce.
And you need to develop that strategy before you make the move, not after it. After all, as exciting and beneficial as cloud computing is, we need to acknowledge that cloud technology is less mature and certainly changing much more rapidly than older technologies like industrial control sensors.
Another thing to consider: a hybrid model of cloud-based OT security. Most organizations have become very comfortable with the idea of hybrid IT security, with solutions both in the cloud and in on-premises environments. The same approach makes a lot of sense for OT, as well.
Ask Key Questions
If you’re a C-level executive or a board member, and your CIO, CTO or CISO come to you about moving OT systems to the cloud, here are some key things to keep in mind and some questions to ask:
- Do we need to run a parallel system so we don’t disrupt core operations of the legacy equipment being phased out as we move this system to the cloud?
- What will that cost us?
- What new risks will we need to be aware of, and how are we mitigating them?
- How bad can things get if we are breached or if our cloud provider is attacked?
- What are you going to do proactively to minimize risk, in terms of detecting, preventing and remediating breaches?
At the end of the day, we all are in the risk mitigation business. And while I think moving OT systems to the cloud should be on every executive’s consideration list, it would be reckless to do so without a thorough and honest assessment of risks and rewards.
Kevin O’Malley is chief information security officer for Lee County, Florida.