Cybersecurity and Digitalization: A Cautionary Tale

The University of Texas at San Antonio (UTSA) created a new college dedicated to AI, cybersecurity, computing, data science and related disciplines.

A cybersecurity scholarship program is also starting up at the College of Engineering and Computer Science at Florida Atlantic University (FAU) since it received a $2.6 million grant from the National Science Foundation (NSF).

In addition, grants worth approximately $200,000 addressing the nation’s shortage of skilled cybersecurity employees will be awarded to 18 education and community organizations in 15 states. These grants are a part of the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) program that awarded cooperative agreements of nearly $3.6 million to build the workforce needed to safeguard enterprises from cybersecurity risks.

According to the U.S. Department of Homeland Security, cybersecurity threats to critical infrastructure are one of the country’s greatest strategic risks. Grants and awards have increased due to this. The Internet Crime Report, compiled annually by the Federal Bureau of Investigation, charts growth in cybercrime, noting a record number of complaints in 2023 with $12.5 billion in reported financial losses.

Employee training

Continuous training and education for employees also plays a vital role in maintaining a strong cybersecurity posture. “A well-informed staff can recognize and respond to potential threats more effectively, reducing the likelihood of breaches caused by human error,” Chowdhury said. “As technology evolves, ongoing education ensures that employees remain up to date with the latest security practices and tools.”

Part of that ongoing education is evolving from the continuing convergence of information technology (IT) and operational technology (OT) systems and knowledge. “Applying these digital techniques to the OT world, whether to improve productivity, insights, or cybersecurity, will be more difficult than in the IT world,” Carrigan said. “The reason is there are key differences between IT and OT that will not change anytime soon.”

Carrigan indicated that these differences relate to:

• Flexibility. IT assets are generally flexible. A single server or PC may conduct a variety of tasks or host multiple applications. OT assets have a specific mission, highly customized to deliver specific tasks to control or monitor operations.

• Security versus availability. In general, in the IT world, security takes precedence over availability. Often, on short notice, IT can shut down an asset to install critical security updates. In OT, the opposite is true. These assets must be available 24/7 and often do not update with the most recent security capabilities to avoid unnecessary downtime.

• New versus old. In the IT world, assets typically have a relatively short life (three to five years) before an upgrade. In OT it is common to have assets that are more than 20 years old controlling critical infrastructure. The cost to upgrade these assets—in both cash outlays and disruptions to the business—means they have an extended life.

• Homogeneous versus heterogeneous systems. In general, IT assets use a limited number of operating systems (Microsoft, Apple OS, Linux, etc.) and protocols to communicate. OT assets end up dominated by vendor-specific operating systems, protocols, and other designs unique and proprietary to each vendor. Integration in the OT world is typically more complicated and customized compared to IT.

Those differences must be considered when applying machine learning or AI to an OT environment, Carrigan said. “As an example, technologies are available to detect and automatically intervene to stop a cyberattack,” he explained. “These capabilities are becoming common in the IT world and will be further enhanced by leveraging AI techniques. Applying these same technologies in the OT world carries much more risk—any system that automatically interrupts the actions of an OT system could lead to significant loss of production or equipment damage—the same consequences we are trying to avoid via cyberattacks.”

Carrigan added: “The key differences between IT and OT, which will remain for years, means there must be more care when considering machine learning or AI for the OT environment.”

New direction

According to the Cisco inaugural 2024 State of Industrial Networking Report, it does appear manufacturers are beginning to design and deploy their OT environments to improve security, increase efficiency, and provide a platform for innovation. The report mentioned that cybersecurity—the backbone of the digital movement—was the biggest reported challenge in running and maintaining industrial networks. Also adding to the problem are the requirements of Industry 4.0, a backlog of legacy systems and assets, an expanding attack surface and an overstretched workforce.

In the report, 89% of respondents said cybersecurity compliance is very important in their operational network. Also, the number one challenge when running industrial infrastructure is mitigating cyber threats.

With the management of enterprise and industrial networks increasingly overlapping, the report also found IT and OT teams need to become more collaborative. Executive leadership can see the benefits of a unified approach but, currently, the two functions remain siloed, impacting efficiency and threatening the overall security posture.