Standardise for better safety
South Africa is not being spared the scourge of cyberattacks on operational technology (OT) networks. As recently as 22 June, the National Health Laboratory Service was hit by a ransomware attack that blocked communications between its information systems, resulting in serious delays in lab testing.
Where traditional IT systems are more focused on managing data and supporting business operations, OT systems ensure continuous operation and safety of physical processes in industry – manufacturing, energy production, water treatment, and mining – as well as in public services.
Muhammad Ali, managing director of South African ISO specialist World Wide Industrial and Systems Engineers (WWISE), says vulnerabilities in an OT system usually relate to it being outdated or no longer supported.
“Some applications are still running on Windows XP and present huge security vulnerabilities. The problem is that vendors who develop the applications have not kept up to date with adapting to more secure operating systems,” Ali says. “The other vulnerability is that most OT system user access is role-based, as opposed to user-based. It means that passwords are generic and devoid of strong configurations.”
He cautions that no organisation should underestimate the potential impact of an OT system attack. A mine elevator carrying 50 employees underground could be stopped midway down the shaft, or a power grid, train route, or hospital badly compromised.
“These systems are not always carefully monitored or budgeted for and are easy targets for cybercriminals. There is not enough investment in cybersecurity in South Africa’s public sector, in particular. Recovering from the consequences of a hospital or power grid shutdown can take more than two weeks,” asserts Ali.
Rising incidents of OT cyberattacks have compelled the International Organization for Standardization (ISO), the world’s leading international standard development body, to act swiftly by creating standards such as ISO/IEC 27001:2022 and IEC 62443.
These standards help to improve the process of managing changes in IT. “In the OT systems space, emergency changes can be a matter of life and death. The changes need to be deployed immediately and then documented,” Ali elaborates. “These are governed by ISO best practice standards which assist organisations to be flexible in responses that are relevant to their industries and processes. They also take into account the complex environment of electronic engineering coupled with operational technology.”
He adds that it is essential for top management to commit to this process and highlight its benefits. This will help organisations to onboard engineers. “Businesses should also continuously assess and improve their OT systems’ cybersecurity defences. This can occur through gap assessments of ISO/IEC 27001:2022 or IEC 62443, reviews of the network infrastructure, and a cyber maturity assessment to understand vulnerabilities and threats,” he notes.
Published by
SHEQ Management
