Oct 19 2020

How to Protect Operational Technology in Smart Cities

Operational technology security puts a greater focus on data integrity and overall system availability in a smart city environment.

Smart cities depend on hardware and software to deliver services and control systems to boost the efficiency and effectiveness of the city itself.

Securing and protecting that technology from cybersecurity risks is a critical part of building a smart city.

Cities have been embedding IT into city systems for years. Basic city services such as traffic lights were on the forefront of communications networks nearly 30 years ago.

However, as the digital transformation of cities into smart cities has accelerated, a new term has emerged for the industrial control systems that link all this new hardware and software together: operational technology, or OT. If traditional IT has focused on end-user computing, servers and applications, then OT is the software and systems that link everything else together.

What Is Operational Technology in Smart Cities?

Operational technology is what puts the “smart” in smart cities. If streetlights react to ambient light to adjust their brightness rather than simply coming on 15 minutes before sunset, the software and sensors that make it happen are operational technology. If speed limit signs adjust maximum speed to create a safer stretch of road based on weather and visibility, that’s OT at work.

Obviously, some aspects of operational technology are not that different from traditional IT applications and systems. They both take inputs, make decisions and generate results. The main difference is that OT immediately affects the physical world.

SCADA, or supervisory control and data acquisition, is an example of OT. SCADA systems run oil and natural gas pipelines, they manage the electrical power grid, and they control water and wastewater flowing through a city. When people talk about the technology that drives utilities, they use the term “SCADA” to indicate it is not the same as a corporate web server with a database back end, even if there may be common components.

The important thing is not to focus on what to call all of this real-time, always-on software and hardware but instead to acknowledge that smart cities are adding more and more components to their OT portfolios.

In the long run, all of this OT adds up to complex and critical infrastructure. And the OT requirements for privacy, reliable data and sensors, and 24/7 uptime all bring us to one conclusion: Security is a critical part of operational technology in smart cities.

The Cybersecurity Risks Operational Technology Faces in Smart Cities

Security experts traditionally use the “CIA” pyramid — confidentiality, integrity and availability — to help break down and describe information security risks. The immediate focus is most often on confidentiality, because data breaches and loss of privacy are generally the biggest issues that enterprise IT has to worry about. By contrast, operational technology in smart cities faces all three risks in a balanced way; in fact, confidentiality is often the least important security risk (unless security cameras are involved).

When traditional IT managers working in this area begin to focus on security, the shift in emphasis from confidentiality toward data integrity and overall system availability can be jarring. The relative lack of traditional tools and techniques presents a second challenge.

For example, one of the first security rules every IT manager learns is “keep your systems patched and up to date.” In the world of OT, patching is not so simple.

Some of the components in an operational technology system may not be easy to patch. The vendors tend to be smaller and often don’t have the resources to generate new software for older devices, so there may not be patches. The devices may require physical disassembly to update firmware or software, costing real dollars and system downtime. Testing patches and updates is hard when virtualization and test labs are not available. And sometimes compatibility issues between vendors and products will completely block patches.

This change in perspective means that securing OT systems is not the same as simply repurposing IT security tools into the OT environment. Instead, it is critically important to start from scratch and consider each of the “CIA” risks when building a threat mitigation plan.

Potential threats to data integrity and data availability are especially significant when smart city systems may be making real-time decisions on everything from traffic control and lighting to building security. Maliciously or accidentally corrupted sensor data, for example, has very real consequences if it affects the city’s water or sewage systems. Operational technology security practitioners sometimes emphasize the need for special focus by renaming “CIA” to “AIC” and by adding their own security terms, including resiliency, reliability and safety.

An additional risk to keep in mind is that many smart city systems are the grandchildren of devices that were never meant to be connected to an outside network. Although they may use networking internally, they were designed to be run in isolation: the oft-mentioned air gap security. When IT and OT teams try to leverage existing city networks, close the air gap and bridge these types of devices to less secure city or internet networks, the security issues can be immense.

Operational Technology Security Standards

OT security standards come from two points of view: SCADA and the Internet of Things.

The SCADA side is represented by groups such as the International Society of Automation, with its ISA 62443 standards, and the ISACA SCADA framework. SCADA’s process control and industrial automation orientation means these standards are very specific about threats and even more specific with required remediations.

IT and OT teams can review these documents to see excellent examples of what might be needed when deploying OT in smart cities — but they also need to keep in mind that these are much more restricted in scope than modern OT requires.

The other point of view for OT security comes from a growing group of organizations active in the area of IoT standardization, sometimes subdividing themselves into Industrial IoT, or IIoT. In the U.S., the National Institute of Standards and Technology has a Cybersecurity for IoT program that ranges from consumer and household applications up to industrial IoT with several standards in process, and the private sector Industrial Internet Consortium focuses more tightly on areas of interest to smart city OT managers.

The intrusion of IoT into OT security comes from the realization that the days of single-vendor systems are coming to an end. Smart cities bring a huge mix of devices and products (and vendors) to the table to meet requirements. The term IoT has come to represent all those devices attached to common wires and wireless networks, everything that doesn’t look like a smartphone, PC or server. The sensors and control devices built into smart city technology projects fit the definition of IoT pretty well.

Although the traditional, strictly controlled viewpoint that comes from the world of SCADA has its uses, the real challenges for OT teams come when a smart city project includes poorly controlled components, such as internet-sourced data feeds, consumer-grade devices and sensors, and graphical user interfaces designed for untrained end users. These add up to a lot of potential security problems, and this makes the more encompassing viewpoint of IoT standards a better way for teams to start thinking about OT security.

Building an Operational Technology Security Framework in Smart Cities

The differing emphasis in OT security on reliability, trust and safety over traditional IT concerns such as privacy and confidentiality requires IT professionals to take a deep breath and begin with a clear risk assessment. The earlier that security is considered in any smart city project, the better for everyone.

As the risks and threats become clearer, it is important to keep cycling through the layers of an OT project to ask whether risks are being mitigated at each layer. As with traditional IT programs, it’s helpful to start with broad layers: physical, network and application, and then dive deeper from there. For example, many smart city projects may include some public cloud components — weather information, maps, cloud-based authentication services — creating additional risks of availability, integrity and confidentiality as third parties and their infrastructures become part of the project.

The broad and uncontrolled user base in many smart city projects also calls for a special emphasis on endpoint protection of every device within the network. When a project involves traditional end-user computing devices such as tablets, smartphones and laptops built into kiosks, then equally traditional endpoint protection technology such as anti-malware tools, mobile device management systems, encrypted hard drives, certificate-based authentication and locked-down configurations can be brought into play.

However, if custom devices are part of the project, some of these risks may need to be dealt with by assuming the devices are compromised (even if they are not) and protecting every other part of the system based on that assumption.

To the greatest extent possible, teams working on OT projects should try to recycle existing IT technology where it can provide protection. For example, microsegmentation and fine-grained access controls on firewalls, routers and switches should be used to break up the OT network into a different security zone for every device type, and possibly for every device. All traffic should be end-to-end encrypted at the application layer, but encrypted/authenticated network-layer VPNs also should run under the application, giving an extra level of security. Network access control should be used for any wired or wireless connection, both to authenticate devices and to provide individual access controls.
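
The zone-per-device-type segmentation described above can be checked mechanically against a firewall's permit rules. The following Python audit is an added example, not part of the original article; the zone names, subnets, ports and rules are all constructed for illustration, and it models zones per device type rather than per device.

```python
import ipaddress

# Constructed inventory: one zone (subnet) per device type.
ZONES = {
    "streetlight": ipaddress.ip_network("10.20.1.0/24"),
    "traffic_signal": ipaddress.ip_network("10.20.2.0/24"),
    "kiosk": ipaddress.ip_network("10.20.3.0/24"),
    "scada_head_end": ipaddress.ip_network("10.20.10.0/28"),
}
# Constructed design allow-list: (source zone, destination zone, TCP port).
ALLOWED_FLOWS = {
    ("streetlight", "scada_head_end", 8883),
    ("traffic_signal", "scada_head_end", 8883),
}

def zones_touched(cidr):
    """Return the names of every zone that overlaps the given CIDR."""
    net = ipaddress.ip_network(cidr)
    return sorted(name for name, zone in ZONES.items() if net.overlaps(zone))

def audit_rule(rule):
    """Return findings for one permit rule; an empty list means it fits the design."""
    findings = []
    src, dst = zones_touched(rule["src"]), zones_touched(rule["dst"])
    if not src or not dst:
        findings.append("endpoint outside any defined zone")
    if len(src) > 1 or len(dst) > 1:
        findings.append("spans multiple zones")  # rule is wider than one device type
    if rule["port"] is None:
        findings.append("any-port permit")
    for s in src:
        for d in dst:
            # Traffic inside one zone is out of scope; cross-zone must be allow-listed.
            if s != d and (s, d, rule["port"]) not in ALLOWED_FLOWS:
                findings.append(f"unapproved flow {s}->{d}")
    return findings

def audit(rules):
    """Map rule name -> findings, for rules that violate the zone design."""
    return {r["name"]: f for r in rules if (f := audit_rule(r))}

# Constructed sample ruleset: one conforming rule, one flat legacy rule, one stray flow.
RULES = [
    {"name": "lights-to-headend", "src": "10.20.1.0/24", "dst": "10.20.10.0/28", "port": 8883},
    {"name": "legacy-flat", "src": "10.20.0.0/16", "dst": "10.20.0.0/16", "port": None},
    {"name": "kiosk-to-signals", "src": "10.20.3.0/24", "dst": "10.20.2.0/24", "port": 502},
]

if __name__ == "__main__":
    for name, findings in audit(RULES).items():
        print(name, findings)
```
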

Some IT technology may not help in the world of OT. For example, intrusion prevention systems, web application firewalls and vulnerability scanners are of limited use within any smart city project — although all are helpful in adding security when OT meets the internet.
