Weaponised operational tech to harm or kill humans: Gartner

Cyber-attackers pose threat not only to the sensitive data of an organisation but also to humans. A recent report by Gartner predicts that cyber criminals will have weaponised operational technology (OT) environments by 2025, posing risk to human life.

OT attacks are becoming increasingly prevalent. They have progressed beyond causing immediate process disruption, like as shutting down a plant to jeopardising the integrity of industrial environments with the intention of causing physical harm. Other recent events like the colonial pipeline ransomware attack have highlighted the need to have properly segmented networks for IT and OT.

“In operational environments, security and risk management leaders should be more concerned about real world hazards to humans and the environment, rather than information theft,” said Wam Voster, senior research director at Gartner. “Inquiries with Gartner clients reveal that organisations in asset-intensive industries like manufacturing, resources and utilities struggle to define appropriate control frameworks.”

According to Gartner, security incidents in OT and other cyber-physical systems (CPS) have three main motivations: actual harm, commercial vandalism (reduced output) and reputational vandalism.

Gartner predicts that the financial impact of CPS attacks resulting in fatal casualties will reach over $50bn by 2023. Even without taking the value of human life into account, the costs for organisations in terms of compensation, litigation, insurance, regulatory fines and reputation loss will be significant. Gartner also predicts that most CEOs will be personally liable for such incidents.

10 Security Controls for Operational Technology

Gartner recommends businesses should implement a framework of 10 security controls to strengthen security posture across their facilities and prevent digital incidents from having a negative impact on the physical world. Well-defined roles and responsibilities, appropriate training and awareness, proper backups, an up-to-date asset inventory, collection logs and the ability to implement real-time detection, a formal patching process, and establishing proper network segmentation are among the 10 controls recommended to ensure the safety of operational technology systems.

Read: Worldwide public cloud spending to grow 23% in 2021: Gartner

Last year, Dubai became the first emirate in the UAE to put security standards on industrial control systems (ICS) as there is an increase in OT security incidents in the Middle East.

Dubai Electronic Security Centre (DESC), the regulatory authority in Dubai stepped in at the right time as IT and OT systems were merging and getting connected to the internet.