- Threat actors are weaponizing OT environments to the point that by 2025 they will have the capability of injuring or killing humans, according to a report by Gartner.
- Security incidents in OT environments or other cyber-physical systems are driven by three main motivations: the desire for commercial vandalism or reduced output at the targeted organizations; the desire for reputation vandalism; and the desire to inflict actual harm.
- The financial impact of such attacks on cyber-physical systems will reach $50 billion by 2023, according to Gartner research. Organizations will incur a wide variety of costs from such incidents, including insurance, regulatory fines, litigation, compensation and reputational costs.
The threat of attacks on OT has existed for years. In 2017, a Saudi Arabian petrochemical facility was attacked with malware called Triton, which was used to disable safety systems at the plant, according to Wam Voster, senior research director at Gartner.
More recently, the attack on the Oldsmar, Florida, water treatment facility greatly raised awareness of the risk of targeted cyberattacks against critical infrastructure. During that incident, unknown threat actors exploited TeamViewer remote access software to raise the amount of sodium hydroxide in the local water system to dangerous levels.
One concern about securing OT environments is that many facilities have systems that are more than two decades old, have not been updated and may still use outdated Windows software, according to Voster. The Oldsmar water treatment plant was using outdated Windows 7 software that was no longer getting security updates.
"We need to make sure nobody can get to the system since there are no updates, no patches," Voster said. "That's why network segregation is so important."
The report makes three overall recommendations to reduce the safety risk to humans:
- Security and risk management leaders should implement a control framework that addresses potential threats to humans.
- Security leaders should deploy an internal OT security standard that is designed to create a common approach to security throughout the organization.
- Organizations should implement an architecture that clearly segregates networks for both OT and IT.