Friday 26 Apr 2024

This article first appeared in Digital Edge, The Edge Malaysia Weekly on October 18, 2021 - October 24, 2021

Most companies are familiar and equipped with information technology (IT) security infrastructure, but for factories and companies that have on-premises devices, operational technology (OT) security infrastructure is often ignored. 

Industry players often pay little attention to or completely overlook the cybersecurity needs of their industrial control systems, which Sakthivel Narayanasamy, chairman of Quantum Computing Sdn Bhd, says are the heart of an automated plant. Traditionally, these plants have a dedicated IT team that oversees the security of management systems that are commonly made up of software, PCs, laptops and mobile devices.

Operational technology is a cyber-physical environment that involves machines, sensors, dashboards and the many desktops and mobile devices it communicates with. It is a different ecosystem that requires more dynamic and robust cybersecurity coverage.

While OT threats are similar to those that affect other industries and mirror IT threats like malware, ransomware and phishing, the impact and mitigation methods differ significantly.

“IT mostly encompasses accounting systems, emails, human resources and so on, where the damage is mostly limited to financial risk. So, if someone attacks the IT system, it cripples the computers within your organisation, meaning you can’t carry out business as usual,” Sakthivel explains.

“But if you cripple an OT system, it is a safety risk to a human life. This is because an OT attack can cripple machine operations or cause machine breakdowns, which affects the environment it sits in, risking the safety of people working in that area too.”

A notable OT cyberattack happened in 1982, when a large section of the (then) newly built trans-Siberian pipeline was vapourised after the attackers modified the Soviet Union’s computer technology. The pipeline’s supervisory control and data acquisition (SCADA) software, which was used to control the pumps, turbines and valves, was programmed to go haywire and, after a certain interval, to reset pump speeds and valve settings to produce pressures far beyond those acceptable for the pipeline joints and welds. The result was the most monumental non-nuclear explosion and fire ever seen from space.

“There were no known casualties, but imagine if it had been in a populated area. On top of the immense equipment damages, people would have died. There would have been a massive environmental impact as well. This is why OT risks are far greater,” Sakthivel says.

Most OT operations are automated, he says, as OT is mostly a set of hardware within a factory environment: about 80% of the OT function is automated and the balance is operated by humans.

“For example, if we’re making biscuits, the human will key in the recipe, how big the batch will be and so on. After that, they will just need to push a start button and the machines will take care of the rest. All the work is done by the OT system,” Sakthivel explains.

OT and IT intrusions and attacks look similar, says Sakthivel, but the most significant difference happens when using external devices. While it is common knowledge not to plug in an unknown external device (such as pen drives and hard disks) into your computer, the impact of doing so greatly differs when it comes to OT infrastructure.

“Although you may format the device before plugging it in, the moment it is plugged in, the malware is still deployed. This is what happened in Iran in 2010 when a computer worm, Stuxnet virus, was deployed via a USB drive to manipulate the speed of the sensitive enrichment centrifuges — causing them to spin out of control and damaging them,” he says. “The intent is a lot more malicious and, at times, can be used as an espionage technique.”

Insider OT cyberattacks are also possible. This happens when someone within the organisation purposely keys in incorrect instructions to cause harm to the machinery. An example, Sakthivel says, would be something as simple as inputting the wrong amount of catalyst needed for a chemical, with the intent of causing an explosion.

Remote viewing and maintenance can also mask OT cyberattacks. For example, a US-based vendor that has supplied products to a factory in Malaysia may want to dial in to carry out remote servicing. At the same time, cybercriminals can use this as an entry point to plant themselves within an OT system and manipulate it.

“The cyber-criminal steals user IDs and passwords to get into the system. In essence, the intrusions are similar in IT and OT attacks, but OT protection is not widely utilised here, which means organisations are vulnerable.”

More awareness needed on OT security

Sakthivel estimates that 95% of organisations are not protecting their OT. He says most small and medium enterprises he has talked to see no return on investment in installing OT security, but what they fail to understand is that the benefits can be seen only over the long term or when it protects the company against an unforeseen attack.

“Their whole livelihood could disappear if they are attacked. People don’t talk about OT cybersecurity enough because it is a proactive form of protection as opposed to reactive,” says Sakthivel.

Before installing OT security protection on the premises, Sakthivel says, a company would need to do an OT cybersecurity audit, which looks at the overall landscape of the factory floor (such as the number of machines, how many are automated and connected to the network). This is to identify the number of things that need to be protected.

The next step would be a risk assessment. Sakthivel says Quantum Computing carries out a common vulnerabilities and exposures (CVE) audit to gauge the likelihood of an attack.

“We will then gather all of this data and make sense of it and, from there, we will propose what kind of OT protection is needed,” says Sakthivel.

“This is one part of our service and this study is done in accordance with International Electrotechnical Commission (IEC) or International Standard of Automation (ISA) ISA/IEC 62443 standards.”

While the conversation surrounding OT security is typically focused on manufacturing plants, other sectors can implement it too. In fact, governments and hospitals are encouraged to look into implementing OT cybersecurity systems to save them from unnecessary attacks.

“For example, if a hospital has a CT scanner or respiratory device in the operating theatre, they need to be protected so that the life on the [operating] table isn’t compromised,” Sakthivel explains.

The OT cybersecurity space is set to see exponential growth over the next decade. With the rise of 5G, Quantum Computing will be venturing into advanced artificial intelligence to improve its security detection capabilities, Sakthivel says. 5G will also see AI applications become more sophisticated and advanced, prompting the need for security infrastructure to keep up.

The company, which has a presence in Malaysia, Singapore, Vietnam, Indonesia and the Philippines, is looking to expand its reach beyond Southeast Asia.
