IT/OT Convergence and the Utilities Sector
The building of bridges between OT and IT continues to accelerate. Over the last few months, we’ve seen a significant push to make OT more accessible within the enterprise (IT environments) and to the vendors that support them. Without the proper guardrails, these bridges, despite their promised benefits, may inadvertently introduce significantly more risk to the Utility providers and the customers they serve.
Prequel: Healthcare’s Warning
In 2009 the American Recovery and Reinvestment Act (ARRA) was signed into law. Through the included Health Information Technology (HIT) provisions, it authorized incentive payments to eligible hospitals and physicians that are "meaningful users" of electronic health records (EHRs). One of its primary goals was the “standardization of the electronic capture of information such as patient demographics or clinical orders and results”. In other words, the digitization of electronic health records (paper to 1’s and 0’s, accessible over a network) to create an infrastructure that will improve healthcare quality, efficiency, and patient safety. It made sense, and as someone who has had more than their fair share of trips to the E.R. over the years, I’m a big fan of quality, efficiency, and patient safety when it comes to my personal healthcare :)
Right about now I’m sure anyone reading this is wondering what Meaningful Users of EHR, the ARRA of 2009, or even healthcare has to do with the Utilities Sector. Well, it’s about the growing push for change, and for the utilities, this is the convergence of IT and OT for cost savings, increased productivity, increased visibility, and, among other benefits, efficiency. And with that, I’ll try and make the connection.
Prior to Meaningful Use, when paper records and an inefficient infrastructure were still widely relied upon, this is what the HIPAA Wall of Shame, which tracks breaches in healthcare affecting 500 or more individuals, looked like (2009):
Theft represented the majority of the breaches (Paper/Films, Desktops, Laptops, etc.).
Five years after Meaningful Use kicked off, theft was still the leading type of breach (claiming ~41% of the breaches), but Hacking, not represented in 2009, now accounted for a little over 12% of the reported breaches (third most prevalent).
By 2019, Hacking accounted for over sixty percent (60%) of the breaches, where it has hovered ever since. Theft, conversely, had decreased significantly to represent only 7% of the breaches in 2019, and less than half that today.
The digitization of our health records and development of the new healthcare infrastructure over the last 10+ years, albeit a positive in net, created new opportunities for cyber criminals.
Within that first decade post ARRA adoption, the total number of breaches has increased ~2800%, and the total number of affected individuals has increased ~33000%. These numbers reflect the consequences of change.
So, bringing this back to the Utilities sector, how will the convergence of IT and OT play out (a similar in change in magnitude)? Will it be similar to the Healthcare Industry? What will the consequences be, and what are the stakes? As our utility sector friends contemplate convergence, I think it’s important to note that all of the sixteen critical infrastructure sectors depend on water and electricity, including and especially those responsible for saving lives (Emergency Services, Healthcare and Public Health). How is your organization evaluating the risks with convergence and what guardrails are you putting in place to reduce them.
Do you have a trusted partner to assist you during this transformation?
At Contextual Security Solutions our goal has been and continues to be to make the organizations we serve more secure. Through our comprehensive assessments we help organizations get a solid understanding of their security, compliance, & risk postures so that they can make data-driven remediation decisions. If you’d like to know more about our security, risk management & compliance suite of services, click the Schedule a Discovery Call button on our website and one of our security consultants will contact you today!