Operational technology (OT) environments are by definition complex. Manufacturing or pharmaceutical companies, just to name two sectors, are rife with thousands of applications to be managed and a constant stream of suppliers and M&A activity adding to the mounting complexity.
Inevitably, plant operators and engineers are in a constant struggle to keep up with the technical debt that is no doubt impeding their ability to innovate or proactively combat risk.
In this episode of the Claroty Nexus Podcast, Istari Chief Technology Officer and Head of Advisory Abel Archundia joins to discuss the implications of complexity within critical infrastructure from his 20-plus years working among some of the world’s biggest manufacturing and life sciences companies, many of which are decades old and have accumulated assets that are still part and parcel of their core businesses.
“There's tens of thousands of devices that have been adding up over the years and they have [now] become digital so you have all kinds of software assets that are piling up on top of others and that produce datasets some of which are very sensitive,” Archundia describes.
Attackers, meanwhile, are leveraging this complexity in several ways. As manufacturing and pharma steam ahead toward implementing advanced technologies such as AI, digital twins, and more in the Industry 4.0 parlance, they’re becoming increasingly attractive targets. These critical infrastructure industries process unimaginable amounts of data that feeds into systems producing life-saving drugs or services central to our way of life.
“Attackers are coming at industry both in frequency and impact with a diligence that is only matched by the profits they make,” Archundia said. “That is imperiling the service levels, the operations, the stability, the uptime of a plant. OT is changing to ensure that resilience is met and I think this is an increased responsibility for the enterprise. This is uncharted territory now. Plant leadership is looking at enterprise IT for guidance that is consistent with what they have dealt with for the last few years and how that applies to critical infrastructure. These are steep walls to climb.”
Regulations, meanwhile, are also creeping in that govern not only business decisions but also how technology is deployed and secured. Archundia cautions that security leaders must view regulatory compliance as a minimum standard that must be met, and not the equivalent of a secured environment.
“When you think about cybersecurity, the reality is that the attacker sets the pace of what we should be doing, not the regulator,” Archundia said. “The regulator is oftentimes unaware of the latest vectors that the attacker follows. I think that the responsible leader in IT has to look at operations in critical infrastructure and continually assess the vectors of threat, the vectors of risk, and the vectors of compliance to find the right balance.
“You have to triangulate: Is this plant on the radar for an attacker… Is this plant on the vector of regulation and what do I need to do to stay compliant and lastly, is this plant on the vector of safety,” he said. “What do I have to do to ensure service levels and safety standards.”
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.