As a first-grader walking twilight streets with classmates in Youngstown, OH, I learned about Halloween’s best practices: knock on a neighbor’s door, recite the “Trick or Treat” mantra, open my pillowcase to receive candy, move on to the next house. I also learned that some people begrudged such traditions, mistrusted young masked children, and anticipated potential cheaters. One woman accused me of being a repeat visitor because of the black construction paper witch’s hat I work. Intimidated (but recognizing the injustice of false accusation), I protested that our whole class at St. Edward’s School had made the same hats. I also realized that what I had considered an asset (strength)—my handmade costume accessory—was also a vulnerability (weakness).
Disappointed that my pillowcase was not an ounce heavier and perplexed by the conflicting perceptions of my witch’s hat (after all, parochial school teaching encouraged clear definitions of right and wrong), I retreated to the sidewalk to wait for my friends to continue our quest for Halloween loot. My confidence was shaken.
Technology implementations often show this kind of duality. For example, connecting factory systems (operational technology) to front/back-office systems (information technology) sounds like a good idea for streamlining business-related activity—something like having everyone in class work on the same (witch)craft project. But this newly integrated asset can also create a new attack surface or vulnerability. In the case earlier this year of a US natural gas producer, an email message carrying a ransomware payload was opened by an employee using the information technology (IT) system, which was connected to the operational technology (OT) system of the gas compression facility. This compromised OT-driven machines, leading to their malfunction and consequent shut down to prevent further damage. The collateral effect was that the pipeline was unavailable for two days. Such attacks on industrial control systems have increased over 2000% in the past year, according to a recent IBM report.[i]
The lesson here is not to stop modernizing production facilities through the integration of IT and OT systems. The lesson is just to move cautiously. During a panel discussion on “securing the connected and digitized factory” at the October 13 ManuSec Summit, panelists from Nexteer, Petronas, and Fortinet commented that such connectivity is becoming more relevant in the Covid era and can be helpful as a means to reducing the health risks associated with many personnel being on-premise. As with my witch’s hat, technology can be both trick and treat, asset and vulnerability.
Reflecting back on the lessons I learned from my first Halloween outing, there are some tips for prudent technology implementation:
- Magic phrases don’t always work. (Even “please and thank you” and knocking on wood have limited protection qualities.)
- Unique proof of identity is important. (Multi-factor authentication is really, really a terrific tool to prevent access across systems.)
- An unprotected asset can create risk. (Segregate systems into distinct, identifiable protection zones. As a child, I could have just painted a green stripe on my hat to differentiate from all the others!)