Nextgov ran an excellent article last week pointing out that data centers are very dependent on OT (especially power and cooling systems), even though the systems running in those data centers are all IT systems. The lesson I drew from the article (although it wasn’t stated like this) was that not only are data centers critical infrastructure, but their OT side should be regulated as critical infrastructure. In other words, while I don’t think critical infrastructure regulations should be applied to the IT systems in the data centers, they should be applied to the OT systems that keep the IT systems running.
There’s another relevant lesson that the US learned the hard way this summer: OT systems aren’t limited to a bunch of strange-looking devices that don’t run an OS you’ve ever heard of (or in some cases, don’t run any OS at all) and that don’t normally run a networking protocol you’ve ever heard of. As the Colonial Pipeline attack showed, and as a 2018 ransomware attack on a large US electric utility also showed, a serious attack on IT can shut down systems that are critical to operations, forcing the OT network to be shut down as well.
So any systems that support the operations of a critical infrastructure provider – whether it be a pipeline, a utility, a key software supplier like SolarWinds, a cloud services provider, a data center provider…and other industries, I’m sure – should be in scope for critical infrastructure regulation. This applies even to systems that aren’t actually OT systems, like the Intel-type servers running Windows and Linux in the electric utility’s control centers discussed in the link above. These all had to shut down in 2018 due to a devastating ransomware attack on the utility’s IT network, even though they weren’t infected by the ransomware. (Of course, control centers in electric utilities are already subject to NERC CIP compliance, and it could certainly be argued that the CIP requirements are aimed much more directly at IT-type systems in control centers than at OT-type systems in substations and generating stations.)
I define critical infrastructure systems as those that are necessary for the smooth and continuous operation of critical processes – large scale data processing, production and delivery of electric power, etc. Both IT and OT systems can be critical infrastructure systems. In my opinion, all critical infrastructure systems should be regulated.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the CISA’s Software Component Transparency Initiative, for which I volunteer as co-leader of the Energy SBOM Proof of Concept. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.