Operational Technology: Securing Pivotal Organizational Assets
By Matt Phillion
We often think of cybersecurity breaches in terms of personal information. Yet an attack on operational technology (OT) can be even more devastating. Bringing down a healthcare organization’s critical infrastructure could leave providers locked out of facilities, unable to access patient files, or even barred from using certain medical equipment. Today’s wireless, interconnected facility has helped advance patient care, but securing the OT environment involved in modern technology takes significant awareness and preparation.
“[Modern] technology expands beyond treatment options to the actual facility. This means new techniques, new equipment, and potentially new entry points for bad actors if proper safeguards aren’t in place,” says Mirel Sehic, global director of cybersecurity at Honeywell Building Technologies. “We typically don’t remove the old equipment—and instead often rush to plug it in, ensure that it works as intended, great, let’s go!—which has been fine in terms of serving patients and giving them the help they need, but can be detrimental given these systems may not have been configured to interact securely with other systems. This is particularly concerning as more and more of our work is starting to become comprised of systems connecting and communicating with one another.”
The interconnectivity of the instruments making up OT environments offers better visibility and efficiency, but increases the cyberthreat footprint. “We have these legacy and newer systems, all typically connected in an insecure network segment, and now you’re trying to connect these systems to the outside world. It’s almost a perfect recipe for a disaster,” says Sehic. “If they’re not designed with security in mind, a disaster is likely close.”
Organizations introduce these systems and technologies to improve patient care, and they get the right personnel, training, and devices to ensure the improvement happens. Yet they often fail to consider the wider cybersecurity threats that the additions bring, says Sehic.
A research-bound industry
By nature, healthcare can be slow to adopt new technology. “It’s an interesting industry because it’s research-bound,” says Sehic. “You’re dealing with life, and it’s the most precious thing we have.”
To protect patients’ lives, organizations will often hold back on technology until it is proven and broadly affordable. During the COVID-19 pandemic, though, advances in telehealth, remote services, and more became mainstream to accommodate the safety of patients and staff. “This expanded the digital doors, inviting more patients in,” says Sehic. “Groundbreaking technology in these fields does tend to move slowly, but there’s been a lot of breakthroughs, especially in new ways to triage and treat patients remotely.”
Yet organizations don’t generally discuss how new technology will interface with legacy equipment, he explains. Introducing new technology in isolation is a start, but it doesn’t address the whole environment. “If you break one link in the chain, the whole ecosystem comes down,” says Sehic.
Due to COVID-19, healthcare facilities have stepped up their critical infrastructure rating. “It’s been seen as critical, but now it’s highly critical, keeping facilities operating and patients’ information secure,” says Sehic. “I always argue that you might keep patient records safer with local storage and protective measures, but how are you assessing risk?”
With the relatively rapid advancement of technology, healthcare is experiencing what is best called cybersecurity fatigue. “We’re inundated,” says Sehic. “People seize up. There are too many options.” Assessing risk appropriately for your organization and basing your security on that can help lessen the overload, he says.
“We call it a risk-based approach. For example, if you’re a healthcare facility in New York, with lots of patients coming and going, your appetite for risk may be a lot lower than a smaller organization that is equally as important but sees fewer patients,” says Sehic. “The operative question to ask is, ‘What are the protective layers I want to introduce to reduce my risk, based on the organization’s profile?’ ”
When considering risk profiles, an organizations must examine its crucial legacy systems. “They’re inherently different, and you can’t eliminate risk in OT as much as you can in an IT-based environment,” says Sehic. “Legacy systems that aren’t readily upgradable require mitigating risks. In other industries, you can usually make the leap to eliminate them.”
Security leaders in the healthcare environment must take stock of the organization’s assets and how they talk to each other. When considering cybersecurity, there are essentially three corners: confidentiality, integrity, and availability—in that order for IT, but not so for OT. “With OT, it’s availability first. Not that you don’t need confidentiality and integrity, but systems need to be online,” says Sehic.
So how can an organization reconcile availability and security for legacy systems that can’t be upgraded? First, “you’ve got a choice: You could turn the device off and not use it, which limits the number of patients you can help, or you can continue to use the risk-based approach to reduce the threat footprint,” says Sehic. “Simple measures like employing segmentation between systems in the network and adding specific layers around the system will reduce the threat footprint, minimizing risk and retaining usability of the system for patients.”
No matter what, there needs to be an upgrade path, rather than staying pat. “What’s being done is the opposite: a ‘Nah, it’s fine’ mindset,” says Sehic. “It’s not negligence, but rather a lack of education of the risks. Any time we remove the ability to use a piece of equipment or tool citing certain cyber-risks, there is resistance, and combating this resistance with increased education is the key to seeing real reduction in the threat footprint.”
Second, where upgrading is impossible, it’s time to look at hardening the defenses around these legacy systems. If a device is running on Windows XP—a surprising number of them do, though Microsoft hasn’t supported the operating system since 2014—look at what’s running in the background. Start eliminating what runs on the device, down to the bare bones, to decrease its vulnerability footprint.
Third, Sehic recommends configuring the network so legacy devices are isolated and segmented from other areas. “Perform the hardening exercise, but then put it in specific zones and add conduits to those zones so that communication coming and going are securely handled,” says Sehic.
Everything leads back to assessment
Systems require protection, data recovery, and testing, says Sehic. They should also have online and offline modes so that they can resume operation after a breach.
“What follows from secure configuration (hardening) and design (network segmentation) is naturally patch management,” says Sehic. “One of the most difficult things in these OT environments is shaking off the legacy mindset and thinking that patches are harmful. We have heard it time and time again: One time a patch was deployed and something broke or caused problems, and so they don’t want to go through that again—but that was eight years ago.” Again, education is key to help end users understand the importance of patching for security.
Maintaining strong cybersecurity posture doesn’t end with the initial assessment. Ongoing monitoring must happen as well. “What we want to get to is continuous monitoring: eyes on the prize, the entire OT stack and the accompanying assets, what’s happening, what’s communicating with and to what, which will help in proactively addressing potential vulnerabilities before they are exploited,” says Sehic. This can often be a matter of budget, but focus on the selling point that eliminating risks at the top will pay off down the line.
“Having eyes on these specific assets leads us to the final point: having an incident readiness plan,” says Sehic. “If something happens, who do you call? Where are the backups? Do you even have backups? What do you do with regards to media? Have you involved the right people?” In the past, cybersecurity has been a mashup of responsibility, involving the CIO, the CTO, or a CISO, says Sehic. “They would have full responsibility for it, and having that person is great, but we extend that responsibility across IT and OT,” he says.
“The challenges is that OT systems are critical assets but have not been looked at in the same way as IT. We’ve seen that once that responsibility is assigned, the right governance structure falls into place. We’ve got to put the right people in the position of authority and responsibility.” Doing so means these leaders can better ensure the security of the organization’s OT systems.
The OT environment “is classified as critical infrastructure,” stresses Sehic. “We need to give it more focus, build on this responsibility to deploy a governance structure, and follow a risk-based approach.”
Matt Phillion is a freelance writer covering healthcare, cybersecurity, and more. He can be reached at email@example.com.