Editor Speak: Protecting Legacy Critical Infrastructure

Why engineering OEMs and security vendors should collaborate

Recently, I had the opportunity to be part of a discussion about how critical operational technology—such as plant automation—is becoming far more vulnerable. Why, a presentation from a security firm even warned us that even air gaps—keeping the operational technology isolated from the information network—may not be adequate to keep them safe. We have all heard stories of how two countries came together to create a malware to bring another’s nuclear reactions to a halt—by distributing them through unattended USBs.

Possibilities are scary.

And contrary to what we are told by vendors, it is not that the manufacturing companies are unaware. As I spoke to a few senior executives—some heads of operational technology and some CISOs—I realized that both the communities are extremely sensitized to the issue.

Where they hit a road block is that unlike the IT infrastructure, most of the operational technology infrastructure are big boxes built by big engineering companies, such as Siemens, ABB, GE or Honeywell. And unlike IT, the original suppliers do maintain those equipments. They are not open technologies, unlike in IT world.

So, any threat to those systems cannot be tackled without involving the original vendors. While the vendors (OEMs) are today sensitized to these new threats (and the possible opportunities), they often fail to keep pace with the dynamic changes happening to the threat landscape. They, after all, are not specialists in security.

But there’s little choice before the users. Even if they are proposed solutions by independent third party vendors, they cannot even experiment, without involving the original suppliers. If they do, that violates their maintenance contracts and they have the risk of losing the assurance from these vendors.

While awareness was an issue just a few months back, today, we have moved forward. It is this dependence on suppliers—something IT has moved out of years back—that is holding them back.

It is time for the user companies to collectively take this up with both engineering OEMs and IT companies which should make the two vendor groups work with each other to deliver the solution.

Add new comment