Operational Technology (OT) refers to the hardware and software used to change, monitor, or control the enterprise’s physical devices, processes, and events. Unlike traditional Information Technology (IT) systems, OT systems directly impact the physical world. This unique characteristic of OT brings additional cybersecurity considerations not typically present in conventional IT security architectures.

The convergence of IT and OT

Historically, IT and Operational Technology (OT) have operated in separate silos, each with its own set of protocols, standards, and cybersecurity measures. However, these two domains are increasingly converging with the advent of the Industrial Internet of Things (IIoT). While beneficial in terms of increased efficiency and data-driven decision-making, this convergence also exposes OT systems to the same cyber threats that IT systems face.

Unique Cybersecurity Considerations for OT

Real-time requirements

Operational Technology systems often operate in real-time and cannot afford delays. A delay in an OT system could lead to significant operational issues or even safety hazards. Therefore, OT cybersecurity measures that introduce latency, such as multi-factor authentication, just-in-time access request workflows, and session activity monitoring, may not be suitable for OT environments.

Note that the impact of these features on system performance can vary based on the specific PAM solution and how it’s configured. Therefore, it’s crucial to thoroughly test any PAM solution in a real-time environment to ensure it meets performance requirements while still providing necessary security controls.

Legacy systems and connectivity

Many Operational Technology systems are still old in the tooth. They’re proprietary and customized to meet the needs of longevity and resilience under harsh conditions. Cybersecurity was not a high-priority consideration for legacy OT systems, so they lack resilience against contemporary OT cybersecurity threats, resulting in high risk.

They may lack basic security capabilities such as encryption, authentication, and Multi-Factor Authentication (MFA.) Modernizing these systems presents significant challenges in terms of cost, operational disruptions, and compatibility issues. People with knowledge and skills may not be available, making understanding the design and the code impossible.

With the increasing integration of these systems into IT networks and, occasionally, the internet, their susceptibility to cyber threats is amplified. While beneficial for operational efficiency, this connectivity inadvertently expands their attack surface, thereby escalating their vulnerability.

Some examples of unique security challenges include:

• Outdated Hardware and Software: Obsolete hardware and software introduce significant security challenges due mainly to incompatibility with modern off-the-shelf security solutions and best practices. This exposes legacy OT systems to unauthorized surveillance, data breaches, ransomware attacks, and potential manipulation.
• Lack of Encryption: Encryption is crucial for safeguarding sensitive data and communications. Nonetheless, older OT systems might not have the capability to support encryption, which exposes them to attacks that could jeopardize the confidentiality and integrity of data.
• Insecure Communication Protocols: Legacy OT systems may use insecure communication protocols that attackers can exploit. For example, Modbus, a widely used communication protocol in legacy OT systems, does not include authentication or encryption, making it vulnerable to attacks.
• Limited Ability to Implement Cybersecurity Controls: Traditional OT systems frequently have a restricted capacity to apply cybersecurity measures. For example, they might have been provided before the importance of cybersecurity was recognized and managed by OEMs, complicating their security.
• Third-Party Remote Connections: Older OT systems might support remote connections from third parties to manage OT devices linked to an internal network. Intruders can target a network established by a vendor and exploit it to contaminate other devices.
• Lack of Security Awareness: Operators and technicians who manage legacy OT systems may lack security awareness and training, making them vulnerable to social engineering attacks.
• Embedded or Easy-to-Guess Credentials: Certain OT devices, such as those in the IoT category, might possess inherent or predictable passwords, along with other potential design shortcomings.

Safety and reliability

In Operational Technology environments, the primary focus is maintaining the safety and reliability of the physical processes they control. This is a significant departure from traditional IT environments, where the focus is often on the confidentiality and integrity of data.

• Safety: OT systems control physical processes that can have real-world consequences if they malfunction. For example, in a power plant, a failure in the control system could lead to a shutdown or even a catastrophic event. Therefore, ensuring the safety of these systems is paramount.
• Reliability: OT systems must be available and function correctly to ensure the smooth operation of physical processes. Any downtime can lead to significant operational disruptions and financial losses.

In contrast, in OT environments, confidentiality (preventing unauthorized access to information) and integrity (ensuring that data remains accurate and unaltered) often take a backseat. While these elements are significant, they usually don’t hold as much weight as safety and reliability.

This order of priority can affect the implementation of cybersecurity measures. A cybersecurity action that safeguards data (boosting confidentiality and integrity) but jeopardizes the dependability of an OT system might not be deemed suitable. For instance, a security patch could rectify a known vulnerability (improving integrity), but you might consider it unsuitable if it results in system instability (undermining reliability).

While many cybersecurity best practices and frameworks focus on traditional IT environments, OT can also benefit. For example, OWASP Top 10 addresses web application cybersecurity concerns such as injection, broken authentication, sensitive data exposure, and security misconfigurations, which are common vulnerabilities that can also be found in OT environments. OWASP also has a separate list for the Internet of Things (IoT), which is often a significant component of OT environments.

Cybersecurity strategies in OT environments must be carefully designed to balance the need for safety and reliability with the need for data confidentiality and integrity

Thus, cybersecurity strategies in OT environments need to be carefully designed to balance the need for safety and reliability with the need for data confidentiality and integrity. This often requires a different approach than traditional IT security, focusing more on minimizing disruptions to physical processes. It’s a delicate balancing act that requires deep knowledge of operational processes and potential cyber threats.

Securing OT environments requires a different approach compared to traditional information technology security. It requires understanding OT systems’ unique characteristics and requirements, as well as designing cybersecurity measures that can protect them without compromising their operation.

As IT and OT continue to converge, the importance of OT cybersecurity will only increase. The use of encryption is crucial for safeguarding sensitive data and communications. Nonetheless, older OT systems might not have the capability to support encryption, which exposes them to attacks that could jeopardize the confidentiality and integrity of data.

What does cybersecurity like this cost? Not as much as you think. Get a quote for the easiest-to-use enterprise-grade PAM solution available both in the cloud and on-premise.

The U.S. Department of Justice (DoJ) announced the indictment of a 38-year-old Chinese national and a California resident of allegedly stealing proprietary information from Google while covertly working for two China-based tech companies.

Linwei Ding (aka Leon Ding), a former Google engineer who was arrested on March 6, 2024, “transferred sensitive Google trade secrets and other confidential information from Google’s network to his personal account while secretly affiliating himself with PRC-based companies in the AI industry,” the DoJ said.

The defendant is said to have pilfered from Google over 500 confidential files containing artificial intelligence (AI) trade secrets with the goal of passing them on to two unnamed Chinese companies looking to gain an edge in the ongoing AI race.

“While Linwei Ding was employed as a software engineer at Google, he was secretly working to enrich himself and two companies based in the People’s Republic of China,” said U.S. Attorney Ismail Ramsey.

“By stealing Google’s trade secrets about its artificial intelligence supercomputing systems, Ding gave himself and the companies that he affiliated with in the PRC an unfair competitive advantage.”

Ding, who joined Google as a software engineer in 2019, has been accused of siphoning proprietary information related to the company’s supercomputing data center infrastructure used for running AI models, the Cluster Management System (CMS) software for managing the data centers, and the AI models and applications they supported.

The theft happened from May 21, 2022, until May 2, 2023, to a personal Google Cloud account, the indictment alleged, adding Ding secretly affiliated himself with two tech companies based in China.

This included one firm in which he was offered the position of chief technology officer sometime around June 2022 and another company founded by Ding himself by no later than May 30, 2023, acting as its chief executive officer.

“Ding’s company touted the development of a software platform designed to accelerate machine learning workloads, including training large AI models,” the DoJ said.

“A document related to Ding’s startup company stated, ‘we have experience with Google’s ten-thousand-card computational power platform; we just need to replicate and upgrade it – and then further develop a computational power platform suited to China’s national conditions.'”

But in an interesting twist, Ding took steps to conceal the theft of trade secrets by purportedly copying the data from Google source files into the Apple Notes application on his company-provided MacBook and then converting the notes to PDF files before uploading them to their Google account.

Furthermore, Ding allegedly allowed another Google employee in December 2023 to use his Google-issued access badge to scan into the entrance of a Google building, giving the impression that he was working from his U.S. Google office when, in fact, he was in China. He resigned from Google on December 26, 2023.

Ding has been charged with four counts of theft of trade secrets. If convicted, he faces a maximum penalty of 10 years in prison and up to a $250,000 fine for each count.

The development comes days after the DoJ arrested and indicted David Franklin Slater, a civilian employee of the U.S. Air Force assigned to the U.S. Strategic Command (USSTRATCOM), of transmitting classified information on a foreign online dating platform between February and April 2022.

The information included National Defense Information (NDI) pertaining to military targets and Russian military capabilities relating to Russia’s invasion of Ukraine. It’s said to have been sent to a co-conspirator, who claimed to be a female living in Ukraine, via the dating website’s messaging feature.

“Slater willfully, improperly, and unlawfully transmitted NDI classified as ‘SECRET,’ which he had reason to believe could be used to the injury of the United States or to the advantage of a foreign nation, on a foreign online dating platform to a person not authorized to receive such information,” the DoJ said.

Slater, 63, faces up to 10 years in prison, three years of supervised release, and a maximum monetary penalty of $250,000 for each count of conspiracy to transmit and the transmission of NDI. No details are known about the motives or the real identity of the individual posing as a Ukrainian woman.