Taken separately, information technology (IT) and operational technology (OT) are distinct disciplines that perform different functions. Together, however, they form the backbone of a nation's security and economic stability, in both the private and public sectors. Governments, utility companies and transportation departments must ensure, at all costs, that critical infrastructure protection is not compromised, and doing so means addressing several challenges.
According to the U.S. Department of Homeland Security, critical infrastructure comprises the networks, systems and assets, both virtual and physical, that are so vital that their incapacitation would compromise security, health and safety. Maintaining such infrastructure involves many challenges, and with so much at stake, providers must protect both IT and OT systems in order to build a robust critical infrastructure protection solution.
One of the main differences between IT and OT infrastructure is that IT systems can be replaced. A server or PC, for instance, can be easily repaired or replaced, and its destruction is unlikely to endanger human life. When OT systems are compromised, however, the effects can be devastating, because OT infrastructure manages physical systems such as power grids and gas lines. It is the difference between a loss of information and a potential loss of life, and often the difference between an ordinary technology mishap and a deliberate attack by paramilitary groups, foreign governments or terrorist organizations.
Preventing the collapse of critical infrastructure is therefore essential. Attacks from both known and unknown adversaries continue to be the main threat to operational safety, which is why the North American Electric Reliability Corporation (NERC) provides strict guidelines for compliance. Aside from the physical risks associated with compliance failures, organizations that do not adhere to the guidelines can face penalties of up to $1 million per day.
NERC compliance involves a complete facility assessment and mandates that each organization develop and maintain a list of the critical cyber assets (CCA) essential to that facility's main operation. Further, the Critical Infrastructure Protection (CIP) standards are designed to ensure that each network is segmented, so that an attack is confined to an individual sector and prevented from spreading.
Further challenges associated with NERC compliance include mandatory password changes (with randomly generated characters) and the issuance of digital certificates to computers, servers and mobile devices, so that only authorized devices can connect to a network. Earlier controls such as personal identification numbers (PINs) and biometrics are now regarded only as preliminary security measures and must be backed by digital certificates that verify employee credentials. Strong authentication of the individual identity accessing operational and information systems is crucial, covering remote, physical and logical access alike.