Today, we’re seeing an increasing convergence between the digital and the physical worlds. This is sometimes referred to as the convergence of IT (information technology) and OT (operational technology)—devices that monitor physical effects, control them, or both. More and more devices are becoming interconnected to create the ‘internet of things’ (IoT).
While this brings many benefits, it also brings new types of risks to be managed—a cyberattack on OT systems can have consequences in the physical world and, in the context of a critical national infrastructure provider, those physical consequences can have a potentially major impact on society. Insecure OT systems can also be a back door to allow attackers to penetrate IT systems that were otherwise thought to be well secured.
Among Australian critical national infrastructure providers, the level of maturity and understanding of the specific risks of OT systems lags behind that of IT systems. There’s a shortage of people with OT security skills, commercial solutions are less readily available, and boards lack specialist knowledge and experience. Mandating or recommending standards could help boards understand what’s expected of them, but it isn’t clear which standards are appropriate for managing these risks.