2024 Spring Meeting and 20th Global Congress on Process Safety

(161b) OT Cybersecurity: What Is This All about?

Authors

Sandler, S., ABS Group
Furgerson, S., ABS Group


It seems like almost every day we hear about some cybersecurity breach potentially impacting business operations. In most cases (that we hear about after the fact), these breaches relate to information technology (IT) systems (e.g., emails, business financial records, employee records). However, IT systems are not the only systems being attacked by cybercriminals. Companies operating in the process-industry market space, such as refineries, pipeline operations, chemical plants, paper mills, etc., have operational technology (OT) systems (e.g., SCADA systems, process controls, safety instrumented systems) that can be and have been breached by cybercriminals. Some OT cybersecurity breaches have been publicized, but many have not. Nonetheless, these OT cybersecurity breaches have occurred and often resulted in significant impacts on the affected companies.

The paper provides an overview of OT cybersecurity (i.e., what it is) and common vulnerabilities in OT systems. In addition, the potential impacts of OT cybersecurity breaches on plant operations, plant safety, environmental compliance, and business reputation are discussed. Because of the potential for impacts on the country’s critical infrastructure, federal regulations addressing OT cybersecurity are being developed. Therefore, this paper also provides an overview of cybersecurity-related requirements of CFATS, CISA, and other potentially applicable regulations.

The final aspect discussed is a practical approach that a company may be able to use to start, and then make progress on, protecting itself from an OT cybersecurity breach.