Image: © Elena Abrazhevich/Stock.adobe.com
Prof Tom Newe from University of Limerick delves into the escalating significance of OT security.
As Ireland’s industrial landscape undergoes transformation to accommodate the burgeoning demand for data to streamline and expand operations, the integration of operational technologies (OT) with external IT networks becomes an inevitable progression. This convergence, often termed IT-OT convergence, injects security complexities into both IT and OT infrastructures.
OT refers to the hardware and software utilised for monitoring, detecting and controlling changes in devices, processes and events within industrial environments and systems. These encompass critical infrastructure such as power stations, water and sanitation plants, transportation networks, and smart city apparatus.
While conventional IT systems are multifunctional and often engineered with cybersecurity at their core, OT systems are purpose-built for specific tasks and can span decades of operation, often referred to as legacy systems. These legacy systems were initially designed without stringent security measures, as they were typically inaccessible to external users and disconnected from the internet, operating in an ‘air-gapped’ environment.
However, their integration with IT systems necessitates that security and risk management leaders expand their strategies to encompass these OT environments. As Wam Voster, senior research director at Gartner, aptly articulates: “In operational environments, security and risk management leaders should be more concerned about real-world hazards to humans and the environment than information theft.”
With the convergence of IT and OT, attacks on industrial systems are on the rise. Security firm Waterfall Security Solutions in its 2024 Threat Report reported 68 cyberattacks on industrial systems in 2023 that resulted in physical consequences, this is an increase of 19pc compared to 2022.
The ongoing skills demand
This upward trend in attacks on converged systems underscores the need for personnel knowledgeable in OT security. However, traditional OT engineers, often known as process engineers, lack cybersecurity expertise, while traditional IT engineers may not fully grasp OT systems. Moreover, conventional university education programmes focusing on IT cybersecurity typically overlook IT/OT integration and its cybersecurity aspects.
This paradigm is gradually shifting with the aid of Irish Government initiatives such as the Higher Education Authority Human Capital Initiative funding (HEA-HCI), backed by an investment of €300m from the National Training Fund (NTF).
Launched in 2020, the HEA-HCI funding has empowered universities across Ireland to bolster their faculty and technical capacities to address industry skill gaps, including the IT-OT cybersecurity challenge.
Programmes that offer IT-OT integration/convergence upskilling promise to equip OT engineers and IT specialists with knowledge and skills to safeguard their organisations’ industrial control systems and critical infrastructure from cyberthreats. These programmes offer comprehensive training in integrating IT/OT technologies, addressing associated security concerns, understanding pertinent laws and regulations and assessing potential risks to organisational systems and data.
For example, the professional diploma in OT security-operations specialist leverages state-of-the-art cyber ranges, both cloud-based and mobile (Airbus mobile cyber range), to help engineers practice and sharpen their cybersecurity skills in a virtual safe/sandbox environment with real tools, real attacks, and real scenarios relevant to their sectors.
The mobile cyber range from Airbus, which is a unique infrastructure in Ireland, provides an advanced on-site simulation solution to model both IT, OT and IT-OT integrated systems comprising tens or hundreds of devices or machines and facilitates realistic scenario simulations, including genuine cyberattacks.
Effectively safeguarding OT systems against the threat of cyberattacks to physical operations necessitates specialised cybersecurity knowledge and education spanning both IT and OT environments, along with access to specialised equipment, such as cyber ranges.
The university education sector in Ireland is rising to this challenge and is committed to addressing the needs of industry through upskilling and reskilling our engineers in the art of cyber defence, detection and response. Funding schemes offered by the education and research funding bodies in Ireland facilitate this.
Tom Newe a professor in the Department of Electronic and Computer Engineering at the University of Limerick.
Find out how emerging tech trends are transforming tomorrow with our new podcast, Future Human: The Series. Listen now on Spotify, on Apple or wherever you get your podcasts.
