If you think about operational technology (OT) at all, you probably think about big factories, water treatment plants, power generation and transmissions, pipelines, etc. And you would be right, all of those industries rely on OT technology and protocols to keep the equipment functioning and the people monitoring and operating safe. Threat actors have targeted these “critical infrastructure” operations for years, slowly exploring the environments and protocols; occasionally causing mayhem.
Governments focus their security services on keeping these critical infrastructures safe. There is a lot of information sharing. Warnings are issued and reports are published. This is appropriate. In cold climates in Winter and hot climates in Summer, loss of energy supply is a serious issue. People die. All of this focus threatens to miss other big targets. Like the buildings that use the energy to keep people warm or cool.
Like an industrial plant, large buildings run on operational technologies too. We use sensors to monitor temperatures and pressures, computers to aggregate and alert on data, and human machine interfaces (HMIs) to allow remote control — just like a power plant, refinery or water treatment plant. The specific technologies are different, but the approaches and outcomes are the same. Large scale industrial plants can afford more engineers and rigid change control procedures so their OT environments are arguably more secure. From a physical threat perspective this makes sense, since disabling one power plant can have a huge impact.
But from a digital perspective the risks to one industrial plant or 1,000 buildings isn’t as different. Imagine all apartment buildings in your city use one of two OT technologies to manage heating and plumbing. Threat actors find a vulnerability in one of these technologies and then disable half of the apartment buildings. One building inconveniences a few hundred people. Half of the apartment buildings in a city is a crisis.
It is a matter of scale. With limited cyber resources we are focused on the things that individually have the largest impacts. But we can’t afford to ignore targets whose impacts isn’t quite as large. With everything interconnected on the network, the concept of “individual targets” isn’t as obvious as it is in the physical world.
