Opinion

Cybersecurity: Some History and a New Approach

People often ask me who are the most interesting or most influential people I have met. It is easy to say Margaret Thatcher or Bill Clinton, but sometimes the real history makers are never known outside of their specialty. One such was Richard Morley. 

A mutual friend took me to meet Morley at his home in New Hampshire about 23 years ago. We spent a delightful afternoon there. He let me move a pile of earth from one spot to another with a backhoe operated by a personal computer. 

I didn鈥檛 realize that I was in the presence of a great inventor, a member of industrial royalty, who had moved technology a giant step forward and sped up the automation revolution. 

Morley did that in 1968 when he and colleagues at General Motors perfected the programmable logic controller. With the PLC, automation had arrived for the car industry and much else. 

If it is moved, stored, welded, shaped, collated and shoved out the door, a series of programmed controllers ordered all that. In fact, for everything manufactured, PLCs are at work translating the blueprints into products. 

They are everywhere, from the factory floor to advanced farms, to city water plants, to oil and gas drilling. They occupy a part of the modern world known as operational technology, or OT. 

Vital though OT is, it gets less attention than its big sibling, information technology, or IT. 

Matt Morris, managing director of security and risk consulting at 1898 & Co., the consulting arm of Burns & McDonnell, the big architecture, engineering and construction firm, told me, 鈥淚T is the 鈥榗arpeted space,鈥 and OT is the 鈥榰ncarpeted space鈥 鈥 

In other words, much of industry鈥檚 heavy lifting is done by OT, while IT has taken over all of the other more obvious functions of society, from accounting to airline reservations, from doctors鈥 offices to designing aircraft. 

IT is king, but that is only part of the story. 

Regarding cybersecurity, OT and IT differ, but both have their vulnerabilities. When we say cybersecurity, we mostly mean IT. OT is different, and the threats emanating from attacks on it are usually more strategic and harder to identify. 

Attacks on OT aren鈥檛 necessarily as immediately detectable as those on IT. They can be very subtle but also highly destructive and expensive. 

The classic example of what can be done to OT was provided not in an attack on the United States but by the United States in 2007 (and revealed in 2010) when the nation鈥檚 cyber-warriors were able to slow down or speed up uranium enrichment centrifuges in Iran. The Iranians didn鈥檛 know that their operating systems had been fooled surreptitiously. Their engineers were at a loss. 

Now, 1898 & Co. is taking a bold step into the world of critical infrastructure resiliency with the creation of a new service aimed at offering full-time, proactive cybersecurity at critical infrastructure sites, like utilities, embracing IT and OT. 

The company and its parent have enormous experience in utilities and other critical infrastructure, including oil rigs, refineries and water systems. Through a program they call 鈥淢anaged Threat Protection and Response,鈥 their aim is to take critical infrastructure defense and response to new levels. The capability is an addition to its existing Managed Security Services solution. 

To implement this, the company has set up its program in Houston, far from its home base in Kansas City, Missouri, to be near the customers 鈥 much critical infrastructure has links to Houston 鈥 but also, as Mark Mattei, 1898 & Co. director of cybersecurity, told me, to avail itself of the talent in the area. 

The company is opening up a new horizon in cybersecurity, focusing on OT. 

With IT, you would want to throw a switch, avert or stop the attack as fast as possible. But with OT, a more measured response might be called for. You wouldn鈥檛 want to shut down a whole plant because one pump had had its controller attacked or bring down part of the electricity grid because a single substation had evidence that it was malfunctioning because of an attack in one component. 

The more one learns about cybersecurity, the more one appreciates the unsung heroes who take on unknown enemies 24 hours a day, every day of the year. 

We are on the threshold of something big in defending critical infrastructure. I am sure that Richard Morley would have approved of this new approach. He died in 2017. 

On Twitter: @llewellynking2 

Llewellyn King is executive producer and host of "White House Chronicle" on PBS.