Podcast transcript: How Operational Technology (OT) security can safeguard companies
07 min | 26 October 2023
In conversation with:
Sambit Sinha
EY India Cybersecurity Consulting Partner and Leader – OT Security
Tarannum: Welcome to the EY India Insights podcast. As part of our Cybersecurity Awareness Month special, we are running an ongoing series titled ‘Navigating Cyber threats,’ where we explore how, as a leader, you can effectively approach the cybersecurity challenges of today and tomorrow. In this episode, we will focus on the security challenges of Operational Technology (OT) and how to overcome them.
I am your host Tarannum Khan and our guest for today is Sambit Sinha, Cybersecurity Consulting Partner and Leader – OT Security at EY India. Sambit brings over 30 years of experience in IT, OT and cyber (security) across various sectors. Welcome to our podcast, Sambit. It is a pleasure to have you.
Sambit: Thank you, Tarannum. A pleasure to be here.
Tarannum: Sambit, for our listeners who may not be familiar, can you explain what operational technology (OT) is and how it differs from information technology (IT), particularly in the context of cybersecurity?
Sambit: Operational technology is a generic term. It usually refers to systems like distributed control systems (DCS), programmable logic controllers, supervisory control, and data acquisition (SCADA) systems. OT systems are the ones that run industrial plants, such as refineries, power, and cement plants.
To understand the difference between IT and OT systems, IT systems are primarily used for the storage and processing of data, whereas OT systems control physical processes and systems. From a cybersecurity point of view, cybersecurity in IT is focused on protecting sensitive information such as our Aadhaar numbers, health information, education records, and so on. The impact of a cyberattack on sensitive data could lead to reputational damage, financial losses, or penalties for organizations. OT focuses on ensuring the safety and reliability of critical infrastructure in industries.
OT networks are fragile and traditional vulnerability scanning systems do not work in this case. In fact, there is a risk of the entire plant going offline. So, the repercussions of a cyberattack on OT systems in critical infrastructure can result in dire consequences, including possible facility shutdowns, equipment malfunctions, and even explosions, leading to a detrimental impact on human health and safety.
Tarannum: Perhaps the distinction becomes even more crucial when we consider the increased nature of digitization and automation of OT. Speaking of which, why do you think our OT assets are now considered to be at greater risk than ever before?
Sambit: All these years, OT systems were sitting in islands, air-gapped from the rest of the organization's technology footprint, with the sole purpose of ensuring that the plant’s production was at the pace it was configured for. Because they were not connected to the rest of the organization, there was very little cyber threat to the networks in the OT systems.
Increasingly, the management of all organizations is demanding real-time information from their plants. This necessitates the integration of OT systems into IT, thereby exposing them to potential cyber threats. Additionally, there are other reasons that necessitate the integration of OT with IT, which could be connecting them to the Pollution Control Board systems to monitor compliance with pollution norms at the plants; or the need for speedy maintenance, for which systems need to be connected remotely to Original Equipment Manufacturers (OEMs) for maintenance purposes.
All this connectivity exposes the OT assets to greater risks of cyberattacks.
Tarannum: What are the key challenges and vulnerabilities that organizations face today when it comes to securing their OT systems?
Sambit: The biggest challenge is the lack of awareness about cybersecurity among people who manage OT. This is something we see and experience on a daily basis. The environment is known to be complex, and the rapid digitization has brought about connectivity of IT systems with OT systems at different levels.
There are benefits to connecting IT with OT, but what has been done to ensure that one puts in an adequate security layer around the connectivity? That needs to be focused upon. There are challenges around legacy systems. Most of the OT systems used today are manufactured or possibly deployed with very limited security features. They are insecure by design.
Traditionally, OT and industrial control system (ICS) communication are not authenticated, and protocols are unencrypted during transit. So, most ICS systems utilize proprietary protocols and vendor-specific protocols. There are issues around latency that arise when their legacy systems or high-speed, real-time operating systems are used with multiple firewall rules and ineffective micro-segmentation. Last but not least, from a technology standpoint, there are not too many consistent processes to secure the OT setup from a cyber(security) standpoint.
Tarannum: Thank you Sambit for joining us and sharing your valuable insights on these critical aspects of OT cybersecurity. We are sure it has been an enlightening conversation for our listeners.
Sambit: Thank you, Tarannum.
Tarannum: To our listeners, if you have feedback for today's episode or questions for us, please do feel free to share it on our website or email us at markets.eyindia@in.ey.com. Until next time I am Tarannum, and this is the Cybersecurity Awareness Month special podcast series by EY India. From all of us here at EY India, thank you for listening in.