A multi-billion-dollar OT security industry has evolved around this narrative. They are here to help you to “keep the lights on”, or, with a tad more ambition, to “safeguard civilization”. They can do so because they can fend off the hackers, so they say. Relevant product offerings usually have “defense”, “guard” etc. in their name already.
But even though you keep hearing about such OT security risks all the time, you rarely hear how big that risk is. It must be big, right?
Wait. One thing’s for sure: Most OT asset owners have not experienced a cyber-attack on their OT systems. There are only a few on record that are documented and undisputed. As an indicator of the situation, note that most of the alleged OT hacks that are presented regularly did in fact not involve any compromise of OT systems: The Colonial Pipeline hack, Maersk, Norsk Hydro, JBS… All of them are brought up as substitutes because the victim also used digital operations technology. In reality, only IT systems were affected.
The fact that virtually all proponents who warn you about OT cyber risk essentially point to IT attacks should tell you something: Actual OT attacks, meaning compromises of industrial control systems with direct physical consequences, are extremely rare. If you don’t happen to operate a uranium enrichment facility in Iran, or the power grid in Ukraine, you haven’t experienced a successful cyber-physical attack.
Shocker: Many discussions about risk are anything but rational and fact-based
Why the hype then, you may ask.
Think of the risk of getting killed by a shark. Many people are afraid of getting eaten alive by the killer fish. Yet in statistical terms, more die from participating in stupid TikTok challenges. Funny if you think about it, isn’t it? And if you are interested in what your most likely cause of death is going to be, it’s rather simple: cardiovascular disease, the number one killer of all.
The important takeaway here is this:
When assessing risk, dramatization and instinctive reactions sometimes distort our perception of reality.
There’s a psychology of how people conceive of and react to risk. Apart from fact and reasoning, some risks are much more compelling than others, especially those that instinctively get our attention because they can be visualized easily and trigger a fear reaction. Sharks! Jaws! Blood!
In OT, you can see the same phenomenon.
Think about the practice of the OT security industry of sticking suggestive names on malware samples and conceptualizations (that didn’t cause any disruptions worth mentioning): Industroyer! Crashoverride! Cyber Kill Chain! Just like in our example of leading causes of death, the risk of getting hacked by the threat actor du jour (Cryptonite! Sibnonite! Shniptonite!) and suffering disastrous consequences is astronomically low.
Everyday OT cyber risk: Unsexy, but real
At the same time, other, less dramatic risks are almost commonplace. How about these:
The risk that you miss firmware updates that fix functional and safety issues. If you are a control engineer, you are most likely subscribed to your automation vendor’s product notification service, where you regularly learn about product flaws that the vendor identified, which can or will result in safety hazards or downtime. How could you fail to fix any such problems? Simple: because you may not know all the places where the respective equipment with the respective firmware version is installed.
The risk that ageing OT equipment becomes obsolete and replacement parts are no longer available. OT products are built to last in harsh environments, but they certainly don’t last forever. Most of the installed OT base is ripe for retirement – but is rarely let go until it dies of old age, figuratively speaking. Some asset owners are then in for a surprise – when replacement parts are no longer available. This could have been known beforehand, and a replacement/migration strategy could have been furnished in ample time. If only somebody had checked where all the obsolete equipment was.
The risk that staff retires before having passed configuration knowledge to the next generation. If you have spent some time on the plant floor, you will undoubtedly have met more than one genius control engineer who could tell you right away what a specific PLC does, its IP address, which sensors and actuators are attached to it, and much more. A living miracle! But after the miracle retired, it was found out the hard way that he took his knowledge with him. If there had only been a solid effort to capture all that knowledge in a capable documentation tool, making it accessible for those who followed in his footsteps!
The risk that aged Windows computers crash due to resource exhaustion and cause downtime. Dated PCs are a common sight on plant floors. How long will that (by today’s standards) very limited hard disk capacity, free memory, and CPU power hold out before a breaking point is reached? More than one asset owner found out the hard way. Guess what: resource consumption can be measured easily, and measuring it should be the norm for aged PCs in OT environments.
The risk that it is only discovered after a system crash that a critical OT system was not backed up properly. Some of your engineering teams made sure that their critical PLCs and Windows boxes are backed up automatically. Others did not. Wouldn’t it lower cyber risk substantially if you had a clear system of record showing that all critical systems are backed up and can be restored easily? It would certainly reduce your cyber risk dramatically, because system failures would have a much lower cost of consequence if disaster recovery can be accomplished in hours rather than days. This is true no matter what the cause of the crash is, i.e., it also applies to cyber-attacks.
It doesn’t require much to assert that your company has experienced more than one of these, and more than once. And it doesn’t require a psychic to predict that you will experience even more of these in the future. It’s the everyday, non-fancy cyber risk that cannot be dramatized easily. Hence it doesn’t draw a lot of attention, even though it probably should.
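The common thread in the risks above is that each one can be caught by an inventory check, provided the inventory is complete. The following is an added example, not code from the original post or from any product mentioned on this page; the asset records, model names and vendor notices are constructed, and the age thresholds are assumptions chosen for illustration.

```python
"""Inventory-driven audit for everyday OT risk: outdated firmware,
approaching obsolescence, and critical systems without a recent backup.
All asset data below is constructed sample data, not a real plant."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

@dataclass
class Asset:
    name: str
    model: str
    firmware: str
    critical: bool                 # does a crash stop production?
    last_backup: Optional[date]    # None = never backed up
    end_of_sale: Optional[date]    # None = vendor has not announced one

def version_tuple(v: str) -> Tuple[int, ...]:
    """'4.10.0' must sort after '4.9.0', so compare numerically, not as text."""
    return tuple(int(part) for part in v.split("."))

def audit(assets: List[Asset], notices: Dict[str, str], today: date,
          backup_max_age_days: int = 30, spare_horizon_days: int = 365):
    """notices maps model -> lowest firmware version that contains the vendor's fix.
    Returns (asset name, risk kind, detail) tuples; empty list means nothing to do."""
    findings = []
    for a in assets:
        fixed = notices.get(a.model)
        if fixed and version_tuple(a.firmware) < version_tuple(fixed):
            findings.append((a.name, "firmware", f"{a.firmware} < fixed {fixed}"))
        if a.end_of_sale and (a.end_of_sale - today).days < spare_horizon_days:
            findings.append((a.name, "obsolescence", f"end of sale {a.end_of_sale}"))
        if a.critical:
            age = None if a.last_backup is None else (today - a.last_backup).days
            if age is None or age > backup_max_age_days:
                findings.append((a.name, "backup", "never" if age is None else f"{age} days old"))
    return findings

# Constructed inventory: two controllers of one model, two HMI-class Windows boxes.
SAMPLE_ASSETS = [
    Asset("PLC-Line1", "CTRL-X", "4.1.0", True, date(2024, 5, 1), date(2024, 12, 31)),
    Asset("PLC-Line2", "CTRL-X", "4.3.0", True, date(2024, 5, 20), date(2024, 12, 31)),
    Asset("HMI-Packaging", "HMI-Y", "2.0", False, None, None),
    Asset("SCADA-Main", "HMI-Y", "2.1", True, None, None),
]
# Constructed vendor notices: "flaw fixed in firmware X or later".
SAMPLE_NOTICES = {"CTRL-X": "4.2.0", "HMI-Y": "2.1"}

if __name__ == "__main__":
    for name, kind, detail in audit(SAMPLE_ASSETS, SAMPLE_NOTICES, date(2024, 6, 1)):
        print(f"{name:14} {kind:12} {detail}")
```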
Cyber risk that just keeps growing, no threats needed
Here’s another noteworthy insight:
None of the cyber risks presented above are caused by external threats.
The presence of a threat actor, no matter how potent, is not required. Just like cardiovascular disease, this risk just builds up by itself over time if you do nothing. That’s really bad news. Think of it: At some point in time, your OT systems will become obsolete with certainty. They will fail with certainty. Your seasoned control engineers will retire with certainty. And so on. No hackers required! Yet few asset owners make an effort to mitigate these risks, in the same manner that so few people engage in physical exercise in an attempt to lower their risk of cardiovascular disease.
How did we get here? Well, probably due to two factors.
First, the enormous amount of marketing dollars that venture-backed OT security companies have invested to convince you that hackers will ruin your day, with catastrophic results. When pretty much all vendors in this sector sell detection technology, they will try to convince you that detecting network anomalies is important and worth the money. If you don’t find that convincing, the same companies pay teams of “researchers” to find new vulnerabilities in OT products, only to make your risk of getting hacked appear even higher. Some even publish exploit frameworks to make the hacker’s job easier. It’s called demand generation in marketing.
Second, the software industry didn’t address systemic OT cyber risk at a generic level. Automation vendors offer isolated tools for addressing parts of the systemic risk for their product families, but not in the form of generic platforms. This has changed with the advent of the OTbase OT asset management system offered by Langner.