
All right. Um, good uh afternoon everyone. I appreciate it's the um last talk. So, thank you all for coming. Um, so my name is uh Owen and I'm here to talk about something that um sort of in my own opinion doesn't really get enough attention. Um, and that's sort of the operational technology that's not classified as critical national infrastructure. Um, so I'll just warn you there's going to be a few abbreviations like OT, CNI. I'll go through them all to begin with. Um, I'm just going to make sure starting off that everyone, um, including me is familiar with them along with a few basic concepts. So, um, a lot of the stuff I'll go through
to begin with, a lot of operational technology talk will have very similar stuff in. Um but again I just want to make sure the talk's accessible to everyone. Okay. So apologies if you've heard um people describe what is OT what is um uh how it's different from IT before. Now the biggest challenge. Where's my cursor gone? Give me my cursor back. There we are. Lovely. Right. So, who am I? So, I am a first year computer science student. Um, I'll be honest, I'm kind of new to cyber, not only operational technology. I'm new to cyber as well. Um, the reason I've decided to talk is just because it sort of interests me and it's just
something I wanted to share amongst people. So obviously so my cyber knowledge is still developing as well as my OT knowledge. So when I ask the questions at the end, you know, be gentle. I'd appreciate it. All right. So why have I decided to do this talk? Well, why not? Um I've attended a lot of BSides conferences now uh quite a few years. I've just thought, well, maybe it's time to give something back. Um, and my main sort of goal is today is that people sort of leave here thinking, well, that wasn't a waste of my time. So, low standards, eh. So, on to the main content.
So what actually is operational technology? Um it's a mixture of industrial and uh infra sorry industrial infrastructure uh and it directly monitors controls sort of physical processes going along. So if you think about it that's going to be manufacturing systems, HVAC systems, uh water treatment works, all things like that. and and the chances are you interact with them on a day-to-day basis. Even if you don't work on uh OT just living your day-to-day life, just being around buildings, you're going to have at least um some exposure to some of the things operational technology controls. So, examples of some of the OT devices we might see. So, we've got control devices, sensors, um pressure gauges, temperature
monitors, um motors, drivers, pumps, valves, basically anything that will interact with the physical world. Um as well as stuff that will monitor the physical world as well. So, examples of some OT systems. Now, these examples are sort of ones I'm going to lead to and talk about in a bit more detail later. Um, these are sort of OT systems I think everyone's going to have experience with. Maybe not dealing with, but at least seeing um on a day-to-day basis. So, that's stuff like fire alarm systems, CCTV, door access control. But I mean, if you've been in a hotel over this uh weekend, I'm sure you've had a key card. That's OT. Um, yeah. So, and all of them either monitor or
control something physical.
So, as with practically any talk you'll get on operational technology, I'm going to compare it with information technology and how it differs. So, they sound similar. I mean, they're both ending in T. We've got information technology uh which is stuff like servers workstations routers the stuff that if you work at an organization or you maybe have an office at home, all these sort of equipment uh you'll probably interact with there. Um all of it uh in terms of traffic or in terms of its behavior is nondeterministic. It's really unpredictable. I can't predict what any of you are going to go home tonight. I can't um and uh what website you're going to look at tonight. I can't
predict any of that. it's really really random. Uh whereas operational technology it's um so it's items like programmable logic controllers, sensors, actuators and the behavior in comparison it's uh deterministic and it's predictable. If you turn on a device at a certain time uh every day of the week then it's going to turn on at the same time every day of the week. It's not unpredictable like information technology. Um there's a focus on reliability. Um because a lot of these operational technology systems rely on sorry a lot of things rely on these operational technology systems or cyber physical systems that control really important aspects of our lives. So um we've all probably familiar with the CIA triad. We've all seen the
information security one and the operational uh technology security one is the same but just in reverse. So we're thinking we need to prioritize availability um because some of these um operational technology systems so think of a fire alarm for example you need it to be available you need it to work that's the first priority whilst you would consider security um you mainly want to prioritize availability first over confidentiality.
So, we've got OT working in different sectors. Um, so I think I've gone to the wrong slide there. There we go. Um so we've got critical national infrastructure and these are systems that if they were compromised they would probably cause serious impacts to our day-to-day lives or even loss of life. If we had an issue in the information technology space, think what are the consequences of that? Is uh the ICO going to take action, maybe fine the company. Okay. What if we have an incident in the operational technology space? What's going to happen? Is there going to be loss of life? Is there going to be gross negligence, manslaughter claims? So, it's something, you know, we've got to
take seriously. um and critical national infrastructure. It's these systems or groups of OT together like power stations, water treatment works, things like that that are really important and just something I didn't mention there. um critical national infrastructure OT um it could also have uh more economic or social consequences but my main focus is preventing injury or sort of loss of life because of it. So we've got non-critical national infrastructure OT as well in my opinion it's overlooked. we think of OT, we immediately jump to power, nuclear, OT, working in those sort of sectors. However, what it is is we're sort of not acknowledging the non-CNI OT in our day-to-day lives. So, that includes things like lifts, fire alarms, and you
think, well, okay, maybe they're OT, but how could they have serious impacts on us? And that's something I'm going to get into later. So, just a quick sort of example of non-critical national infrastructure OT uh would be fire alarms. If your fire alarm is corrupt, well, it's not going to alert people and it's not going to evacuate people either. That was a slide I should have put the in the other order. So, just a quick thing and I know it's the last talk of the day, so um hopefully this doesn't drain the last bit of energy in you, but we're just going to go through um is it CNI? So, I'm going to put something on the screen
if you can put I think that's your right hand up if you think it is and then your left hand if you think it isn't. Okay, you ready? Power station. Yep. Water treatment works. Yep. So, we've got a factory, but it's a consumer electronics. Okay. Uh passenger railway. And then finally, we've got a food production line in a factory. Um, I'll be honest, some of those I'm not sure about either. There is a definition for it. Uh, what actually is classified as critical national infrastructure, but it's sort of well, it's not loose. It is quite precise, but there's still a lot of questioning sometimes. Is it CNI, is it not? Or is it non-CNI in the critical
national infrastructure sector? So maybe it's not critical but it's maybe in the energy or power sector. So sometimes it can be hard to identify. So first of all I'm going to link OT uh operational technology to health and safety and it seems a bit random. There's uh there's a reason I'm doing it. Okay. So because it's physical processes, it all sort of links back to health and safety, if that makes sense. So we all know health and safety, depending on your job title, you may you may be fond of it, you may not be. Um, but we know all regulations are written in blood. They've written because something has happened in the past and we want to
prevent it from happening again. If an incident happened in your organization health and safety wise um you would look you see okay were all procedures followed and if they were okay what can we do differently next time or what can we put in place to make sure this doesn't happen again. Um so we usually learn from someone else unfortunately sustaining an injury first. Um I'm going to mention some HSSE stuff. Sorry. Um so we so if you look at uh RIDDOR, reporting of injuries, diseases, dangerous occurrences, um it sort of links in with that because if you have an operational technology failure that causes an injury, it may probably will need um reporting. So, we know if an OT system does fail
and it is either physical failure or down to human error, um the outcomes of that can be pretty catastrophic, including loss of life. Um what happens when those failures are caused by cyber exploitation? Well, they're the same. So, think about this. A fire alarm that doesn't activate because it's been compromised. Maybe it's a residential building. Maybe people are sleeping. Maybe people don't hear the the alarm because simply it's not gone off. Um an access control system that uh malfunctions well maybe people could access the plant room of that site and cause other issues with their OT. Okay. So next I've lost my cursor again. Okay. So, non-CNI OT systems, they may be regulated, but it's purely from the
health and safety point of view. Yeah, there's sort of exceptions to that, but it's mainly this regulation in terms of well, not security cuz security is not explicitly mentioned, but all this idea is making sure your OT systems are secure to prevent these physical outcomes. All of it has simply come from the health and safety uh legislation. Um and that's in the non CNI space. Um we know CNI is um heavily regulated. We've got NIS, there's NIS 2 that's just coming to the EU. I don't know uh what the UK will do with it or what plans it has got. Um but it does force people um to start thinking about the security of their critical national infrastructure
um a bit more seriously than they would have done before and it makes sure that they follow fairly robust frameworks and it does mean they will suffer penalties um through the various regulators. So thinking critical national infrastructure might have water energy if they fail to secure their systems adequately their OT systems then they may face uh action from their regulators. So whether it be uh Ofwat or whichever regulator is uh overseeing them. Um now this seems really random but I'm doing this as a sort of comparison. Uh what is the internet of things? We're all familiar with it. Um there's some interesting legislation that's come out regarding internet of things or at the very least it will affect internet of
things and I thought it would be interesting to talk about. So basically think of your smart home devices when it comes to IoT. So we've got the product security and the telecommunications information telecommunications infrastructure act. That's what I meant. Um, so what that looks to do is put some regulations in terms of consumer devices that are IoT and it looks at banning default passwords or easily guessable passwords and also ensures that there are update uh in terms of updates um there's guidance on that as well and also how in terms of if there is a vulnerability with one of these consumer end devices. Um how is that um going to be dealt with? So the reason I mentioned that is
great. So critical national infrastructure is regulated. We've got IoT consumer devices that are regulated. What about this non critical national infrastructure stuff? What's to stop us using, you know, really guessable passwords on that? What's to stop us from putting or not changing the default password on a fire alarm panel or the logic um or the logic system uh of a lift? Well, it links back to the health and safety stuff, but none of it explicitly mentions security.
So, non CNI, again, it links back to the health and safety stuff. We've got a few really specific ones. I'm going to go into more detail about the um third one. Um reality is non critical national infrastructure still gets attacked. It doesn't matter. We're not um it doesn't matter if it's not in a power station. It still it still could face attack. So we're going to go into a bit more detail about lifts. Lift's operational technology. When you think about the devices uh that are running in them, whether it be the barcode scanner you've got in the lift shaft, so the lift doesn't forget where it is, um or other items such as the logic controller,
which is in the logic cabinet, uh which controls the operations of the lift. People have been exploiting them for a while, and it's not necessarily people acting in bad faith. There's recently, well I say recently, it's about five or six years ago on the social media. There's a trend called lift surfing. It's where people use generic keys, get into lift shafts, ride on top of the lifts, and then they'll use this to gain access to secret floors in uh shopping centers. They'll put it on YouTube and get quite a few views on it. Concerningly, some of them were like 12, 13 years old. Some of them were getting themselves stuck in lift lift shafts. Lift tra lift shafts. Um and of course
if it's on YouTube more and more people copy it. Um there's other ways people have interfered with lifts as well. Uh mainly people trying to be funny. They may have changed it. So the indicators, so rather than saying the actual floor number, it might say something absolutely outrageous uh and inappropriate. Um there's even been instances and you can find this on YouTube. I'm not going to name the channels where you can find it, but um or maybe talk to me after and I will. Uh but there's actually people that have sort of gone into abandoned buildings that are still sort of operational. The lifts aren't shut off. They've gone into the lift shaft, gone on top of the lift, put it back into the
normal mode whilst they're still on it, and they've actually ended up trapping the security guard for the site in the lift because they've been on top of it and they've had control of it. Um, how are they getting access? Well, it's just a generic physical key. And it's that same generic physical key that will get them into the logic cabinet. It will let you change the door speed. It will let you send it into free fall if you want to. Yeah, the logic once you're into the logic cabinet, it might ask for a password. Yeah, it we rely on the people servicing the lift to have actually changed it from the default. Um, and there's certainly no legislation
um mandating us to change the default passwords. Um, so yeah, we could cause abnormal movement um or free fall uh people riding them for fun. Um, one of the ways, um, people might mitigate some of those, in particular, lift surfing, uh, they might put an alarm on top, but there's not really an obligation to until it happens, uh, because the way the health and safety legislation is, if someone did gain access on top of an organization's lift, um, it would have to be reviewed after and look, do do we need to do anything differently? Um so it would have to take for something to happen um before something was put in place. Um there was
guidance issued by one of the uh forgive me I can't remember who uh it was one of the organizations that have a lot to do with uh lifts and escalators in the UK. Their guidance was if you ever had that on your own site simply isolate the lift. Um however I can't find that guidance anymore. It seems to have disappeared and probably with good reason. If you've got someone on top of your lift, maybe they've actually decided to climb on the counterweight. Uh that's happened as well. Uh if you isolate the lift, potentially even though you're letting you're putting a stop to the unauthorized access and the safety implications, potentially you're making the safety implications even
worse if they're in an unsafe situation at that moment. Um so the next thing I'm going to talk about in detail is fire alarms. So these could be your standalone systems. So the smoke detectors in your home, you may link them up with other smoke detectors. Um so you get an alarm going off um everywhere. Um or sometimes in more commercial systems or systems in wider buildings, you get what's called loops. Loops sort of have a set of devices on and they'll feed back through to the main fire panel. Um, thankfully because by nature of it being a loop, if you was to take out a device or if you was to sort of take out a
section of wire, the panel would probably know about it and you would probably get a fault. But that doesn't mean we still can't or bad actors still can't mess um with these systems. Um, if we go to next slide. So the way to access most fire panels and to actually use the reset functionality, you need a generic key. And the reason it is that way is so the fire brigade can easily access it. That comes under the availability argument if we was to try to regulate um non CNI. If we said, okay, maybe we need a um non-generic key or a custom key on fire panels. Uh well, how would the fire brigade then access it?
Uh, we could potentially trigger false activations. I mean, that's easy enough to do. Just put a, you know, a vape underneath a detector. Um, that would set a fire alarm off, get everyone out, leave your doors disengaged. Meanwhile, someone could go into another entrance and start going through items, maybe in an office, for example. Um, you could get a situation where people trigger multiple false alarms. I'm sure everyone's sort of at least heard of the act of kids running about hitting every single fire alarm call point could cause alert fatigue and then it could actually be a real fire or you could actually use that to distract uh away from their so sorry cause a distraction. Um so people
actually have a hard time figuring out if there is a real fire and if so where it is or at least a delay. There was a recent CVE with a fire alarm system. It's probably not one uh well this particular system it's probably not one you would find in a normal building thankfully. Um but still it showed they could put the system entirely out of action and it made well it could potentially mean people are failing to evacuate and then potentially there's physical injuries maybe even fatalities associated with that. Um if you think about fire alarms in the context of residential buildings um if you think well what impact will the de delayed evacuation have there think about big
tower blocks um situations like that and even if it didn't activate and the fire brigade come anyway because they were phoned how do they know the alarm's not sounding we trust these things so we found in uh critical national infrastructure OT covered by this non CNI OT relies on health and safety laws but they don't really mention security and then we've got IoT for consumer end devices which have got regulations. Um I'm not saying it wouldn't be challenging to put additional regulations into non CNI. Um but maybe it's something worth thinking about. I believe I skipped a slide there. So, how would you regulate the security of a non non-critical national infrastructure device? I don't know. Um,
and it goes back to what I was saying earlier about the fire alarms. If you start having to put non-generic keys on systems like that, how would they be available uh in the event they was needed to be used by the fire brigade? Interestingly, in America, there's a requirement to keep fire panels sort of in a non-public location. and maybe a back office because uh if you think about it when the fire brigade arrives after a confirmed fire one of the first
things you do anyway is hand over all the master keys you can find. So maybe we could take a similar approach to that but again that's just one particular OT system in non-critical national infrastructure. So regulating further would be probably a huge challenge. Um, and again, we know public safety is at risk. Fire alarm fails to sound, injuries fatalities uh abnormal movement induced in lift. Um, so that could be free fall. You're looking at injuries or fatalities again. Um, and that unfortunately is reality when you deal with OT. Just because it's not critical national infrastructure doesn't mean there can be fatalities. Um, so key takeaways and I've left it at one because well that is really the one
message I'm trying to put across and that's OT beyond critical national infrastructure. It mainly relies on health and safety laws. Um, and the thing is these safety laws as I've said numerous times they don't mention security and there's a culture of health and safety of something has to happen first before we put a stop to it. So, that's the end of my talk. Thank you for putting up with me. Uh, my LinkedIn's on there. Um, if you've got any questions, happy to take a few. Thank you.
>> Hello.
>> Hi, Owen. Congratulations. I think we all enjoyed your talk.
>> I've got two pointers for you. Got a leaflet you can take away in the moment. But the first one is have you considered the built environment and there's a PAS that might start you on the path called 1195 and it was written jointly with the IET and what was CPNI. So the author happy to put you in contact is my lead for that space and obviously we're now going to be much more NIS 2 EU focused as we go forwards. So I think for you and your research that will in itself be something that services volumes of use. But otherwise thank you and I hope that your work in the built environment continues to grow.
>> Thank you very much. Thank you. It doesn't look like there's any other questions. Um, thank you Owen. Much appreciated. Thanks. Thank you.