Friday 29 September 2023

IT and OT - a relationship?

The recent annual national conference of Cyber|Ireland, the national cyber security cluster organisation that brings together Industry, Academia and Government to represent the needs of the Cyber Security Ecosystem in Ireland, was held in Galway city last week (27 September 2023).

Cybersecurity is of course on everybody's lips these days, particularly here in Ireland after the criminal attack on the health services systems in the midst of the COVID-19 emergency, which forced our already overburdened health professionals back to using pen and pencil as the Information Technology (IT) people struggled to bring the software systems up and running again. Many attending the conference were worried about this type of attack on their IT systems. Some were also interested in the workings of their factory, Operational Technology (OT), and how exposed they were to attack. This vulnerability can be, and usually is, very different to that of IT.

The day before the actual conference there were a number of special meetings examining various sectors affected in different ways by this ever-present threat of infiltration or disturbance, malicious (isn't it always?) or otherwise.

Automation professionals became acutely aware of a threat to their systems in July 2010 when we first heard the word Stuxnet. We first heard about it from an American pioneer in security, Eric Byres. Symantec's Liam Ó Murchú, one of the first to understand it, described his reaction: “Everything in it just made your hair stand up and go, this is something we need to look into.” The Signpost instituted a page as a guide to developments and articles on STUXNET, "the little varmint!" as Byres called it. This ran from July 2010 to 2013 and is still accessible.

Of course things have progressed since then and most, if not all, of the major process and manufacturing entities are aware of the threat and are taking steps to defend themselves. The International Society of Automation, the automation standards organisation, in particular sprang into action and quickly strengthened its security committee, developing over time the Cybersecurity Series of Standards now adopted by the IEC: ISA/IEC 62443.

Speakers at Cyber|Ireland OT Forum
L to R: Damian White, Billy O'Connor, Ita O'Farrell, Dónal Óg Cusack, Eoin Byrne.

The OT Forum.

Cyber|Ireland, as one might expect, has established an OT Security Special Interest Group, the Cyber Ireland OTSec SIG, under Dónal Óg Cusack (yes, the hurler!) of DePuy Synthes as chair, with members from industry, vendors and other experts. One of the meetings was organised by this group. The introduction gave an interesting breakdown of the leading manufacturers/processes in the country and where they stand in the European marketplace (see slide reproduced above).

The first speaker, Ita O’Farrell, Head of Compliance, National Cyber Security Centre (NCSC), outlined the work of the NCSC, set up by the Government, outlined the law and clarified who is responsible or answerable. The political agreement (NIS2) was formally adopted by the European Parliament and then the European Council in November 2022. It entered into force in January. Member States now have until 17 October 2024 to transpose its measures into national law. The NCSC is now expanding its services to small and medium-sized enterprises (SMEs) through the development of an SME Cyber Security Document.

Dónal Óg Cusack introduced the OT Forum

Damian White of DataLogiX Solutions, specialists in securing OT networks used by manufacturers and processes, stressed the importance of ensuring that management was aware of the importance of, and the very different challenges facing, the production process in their factories.

The view of the user was presented by Johnson & Johnson's Billy O'Connor. Again he spoke of the importance of understanding the differences experienced from the IT perspective and the operators' integrity. There has always been a tension here, and his final comment was humorous but emphasised the importance of dialogue: "The IT people are trying to break away from their relationship with OT and the OT didn't know that there was a relationship!"

Perhaps the real answer is communication and trust.

Cyber|Ireland OT Security Special Interest Group

@CyberIreland @ncsc_gov_ie @DataLogiX #CINC2023 #PAuto #Cybersecurity #Ireland
