Myths and Superstitions
This part contains the most common responses to the topic of cybersecurity of OT systems. Many responses come from the past, low knowledge of the issue, or simply from underestimating the significance and importance of addressing cybersecurity.
Myth No. 1
“till now we haven’t needed it and nothing has happened“… we add “yes, but only so far”. Implementation of new technologies for industrial control systems based on microprocessor solutions and emergence of new types of malicious codes (malware) inevitably require to address cybersecurity.
- More information in Security of Industrial Operational Technology Systems
Myth No. 2
“we have a separate LAN technology that is secured by a firewall”. Separation of LAN networks through a separate firewall is currently insufficient as statistics show that about 80% of cyberattacks are “from inside”, what means that a malicious code is infiltrated via a direct connection to an internal LAN network or even via a direct connection to end devices of OT systems. The reasons therein may be also common, whether the activity is intentional or unintentional, such as service works, planned changes on devices, and so on. Effective and proven security is ensured by thorough implementation of the principles described in the defense-in-depth concept in each end device of OT systems.
Note: At present, each end device of IT system (computer, server, notebook,…) has its own separate firewall, antivirus and encryption functions implemented. However, most current OT devices do not contain such functions.
- More information in Recommendations for Energy Sector
Myth No. 3
“our systems are secured with usernames and passwords”. Currently using only a username and a password no longer provides a sufficient level of security for OT systems. The fact is that the process of assigning and managing login names and passwords is based on the “human factor” and brings vulnerabilities into the system. The solution is to implement the principles described in the defense-in-depth concept.
- More information in Recommendations for Energy Sector
Myth No. 4
“our IT staff deals with it”. A typical reaction reflecting a low knowledge of differences between IT and OT systems or the human quality “to pass the problem on somebody else’s shoulders”. Cybersecurity of IT and OT systems is very similar in basic features. Nevertheless, OT systems have their own particularities exceeding IT requirements. Moreover, OT devices do not belong to the management and maintenance of IT engineers.
- More information in Technological and Functional Difference between IT and OT
Cybersecurity of OT systems requires a comprehensive approach and needs to be solved at the level of internal processes, competences and responsibilities, and the organizational structure will be adjusted accordingly.
Myth No. 5
“manufacturers of OT systems declare that they have everything under control“. It is another typical response like “one lady said…” or “paper does not blush” (with the meaning that paper will bear anything that is written on it) or “no one can give you as much as I can promise you”. The truth is that we face the pressure of misinformation, half-truths and compromised information. We also experience cases in which a manufacturer submits a cybersecurity certificate issued by himself.