Cyber criminals will weaponise operational technology environments to harm or kill humans in the next four years, according to the US consultancy Gartner.
Operational technology is a type of computing and communication system – including both hardware and software – that controls industrial operations, mainly focusing on the physical devices and processes they use. It is used to gather and analyse data in real time, which is then used to monitor a manufacturing unit or to control equipment.
Various industries, such as telecommunications and oil and gas, use operational technologies to ensure different devices work in co-ordination. For example, in the oil and gas industry, operational technology ensures that all safety systems are in place; in the telecoms sector, it alerts engineers beforehand if there is a potential snag in the network.
Attacks on operational technology environments have evolved from “immediate process disruption” such as shutting down a plant – for example, the recent Colonial Pipeline ransomware attack – to compromising the “integrity of industrial environments” with intent to cause physical or reputational harm, Gartner said.
“In operational environments, security and risk management leaders should be more concerned about real-world hazards to humans and the environment, rather than [the] information theft,” said Wam Voster, senior research director at Gartner.
The research firm predicts that the financial impact of cyber-physical systems (CPS) attacks resulting in fatalities will reach more than $50 billion by 2023.
Security incidents in operational technology and other CPS have three main motivations – actual harm, reduced output and reputational damage that makes a manufacturer mistrusted or unreliable, Gartner said.
Even without taking the value of human life into account, the costs for organisations in terms of compensation, litigation, insurance, regulatory fines and reputation loss will be significant, Gartner added. It predicts that most chief executives will be held “personally liable” for such incidents.
“Inquiries with Gartner clients reveal that organisations in asset-intensive industries like manufacturing, resources and utilities struggle to define appropriate control frameworks,” Mr Voster said.
Gartner said appropriate policies must be in place for automated logging and reviewing of potential and actual security events to minimise the damage from operational-technology attacks.
“Create a policy to ensure all portable data storage media such as USB sticks and portable computers are scanned, regardless of whether a device belongs to an internal employee or external parties such as subcontractors or equipment manufacturer representatives,” Mr Voster said.
“Only media found to be free from malicious code or software can be connected to the OT [operational technology].”
All operational-technology staff must have the required skills for their roles, Gartner said, adding that employees at each facility must be trained to recognise security risks, the most common attack vectors and what to do in case of a security incident.
Each facility should implement and maintain an operational technology-specific security incident management process that includes four phases – preparation, detection and analysis, containment and recovery, and post-incident activity, Gartner said.
The increased risk of cyber threats has also boosted the cyber security market, which is forecast to be worth $363.05bn in 2025 – almost 125 per cent more than the amount spent in 2019, according to Mordor Intelligence, a research consultancy. The industry is projected to grow at an annual 14.5 per cent rate over the next five years.