Feds at the Edge

Ep. 111 Tackling the Challenge of Operational Technology Security



What happens if a patch means replacing a $500,000 piece of equipment?

 

Malicious actors are equal-opportunity attackers. Of course, they will go after federal agencies in the cloud; they will also attempt to penetrate systems through good old-fashioned industrial equipment, assets, and processes – what has gotten the label “Operational Technology.”

 

We take it for granted that when an exploit is discovered we can patch our systems, whether in the cloud or on-premises. There is a much different story when we switch from patching Information Technology to Operational Technology.

 

Today’s interview brings together observations on reducing risk in operational technology from experts at NSA, CISA, and industry.

 

Tony DiPietro from NSA highlights that OT can be widely dispersed geographically. Further, many of these systems are not as flexible as an app in the cloud. In other words, you cannot roll out a patch and correct the patch the next day. Some OT systems take a long time to propagate. Further, because of the high degree of variability, one patch will not work for all OT systems.

 

The good news is that organizations like CISA have teams looking for vulnerabilities in OT. For example, Brandon Tarr discusses CISA's five-phase method for seeking out OT vulnerabilities. They work with over 3,000 independent researchers across six hundred different vendors.

 

Marty Edwards suggests that many software applications are designed to look for vulnerabilities in standard IT systems, but few for OT. He reiterates the assertion that you cannot protect what you cannot see. The idea is that one must have a thorough understanding of all aspects of OT in the system one manages.

 

One takeaway from the discussion is the dilemma that some organizations are facing. For example, what if you are in a hospital and have an MRI machine running Windows 95? The system cannot be patched and must be replaced. Can you justify a $500,000 expense for a new MRI?

 

 


Feds at the Edge, by FedInsider
