Using standardisation to bullet-proof your operational technology cybersecurity system

Internationally recognised cyber security standards could prevent attacks on OT tech using SCADA and PLS systems that carry significant safety risks and downtime risks

South Africa is not being spared the scourge of cyberattacks on operational technology (OT) networks.

As recently as June 22, the National Health Laboratory Service was hit by a ransomware attack that blocked communications between its information systems, resulting in serious delays in lab testing.

According to a recently released report by global industrial control system vendor Waterfall Security Solutions, OT networks at more than 500 sites worldwide were impacted by 68 recorded cyberattacks last year. Many of these were medical sites.

The “2024 Threat Report – OT Cyberattacks with Physical Consequences” details the targeting of building automation, manufacturing, heavy industry and critical industrial infrastructures in 2023.

Eighty percent of attacks were ransomware-based, while hacktivist activity accounted for 15% of the overall data set.

Where traditional IT systems are more focused on managing data and supporting business operations, OT systems ensure continuous operation and safety of physical processes in industry – manufacturing, energy production, water treatment and mining – as well as in public services.

There are two key components of OT systems.

Supervisory Control and Data Acquisition, or SCADA, is a system used for remote monitoring and control that operates with coded signals over communication channels to provide control of remote equipment.

Programmable Logic Controllers (PLCs), meanwhile, are Industrial digital computers adapted for controlling manufacturing processes, such as assembly lines, robotic devices or any activity that requires high reliability and ease of programming.

Muhammad Ali, managing director of South African ISO specialist World Wide Industrial & Systems Engineers (WWISE), says vulnerabilities in an OT system usually relate to it being outdated or no longer supported, “mainly on LINUX or Windows”.

“Some applications are still being run on Windows XP and present huge security vulnerabilities. The problem is that vendors who develop the applications have not kept up to date with adapting to more secure operating systems,” Ali says.

“The other vulnerability is that most SCADA and OT system user access is role-based as opposed to user-based. It means that passwords are generic and devoid of strong configurations.

In Ali’s view, the main threats to OT systems are malware infiltration through external hardware and removable media; human error; DDoS attacks and IoT-botnets; malware infection via the inter- and intranet; and compromised cloud components.

He cautions that no organisation should underestimate the potential impact of an OT system attacks.

An elevator shaft carrying 50 employees underground can be stopped midway, or a power grid, train route or hospital badly compromised.

“These systems are not always carefully monitored or budgeted for and are easy targets for cybercriminals. There is not enough investment in cybersecurity in South Africa’s public sector, in particular. Recovering from the consequences of hospital or power grid shutdown can take more than two weeks.”

Rising incidents of OT cyberattacks have compelled the International Organisation for Standardisation (ISO), the world’s leading international standard development body, to act swiftly by creating standards such as ISO/IEC 27001:2022 and IEC 62443.

Ali explains these standards assist in improving the process to manage changes in IT.

“In the OT systems space, emergency changes can be a matter of life and death. The changes need to be deployed immediately and then documented. These are governed by ISO best practice standards which assist organisations to be flexible in responses that are relevant to their industries and processes.

“They also take into account the complex environment of electronic engineering coupled with operational technology.”

He adds it is essential for an organisation’s top management to be committed to this process and highlight its benefits. This will aid in the process of getting engineers on board.

“Businesses should also continuously assess and improve their OT systems cybersecurity defences. This can occur through Gap Assessments of ISO/IEC 27001:2022 or IEC 62443, reviews of the network Infrastructure, and a Cyber Maturity Assessment to understand vulnerabilities and threats.”