In an era where healthcare systems are prime targets for cyberattacks, experts are broadening their focus to encompass not just IT systems, but also operational technology (OT) security. Christopher Lau, Director of Cyber Security, Proactive Security, and IoT Risk at Advocate Health, shared his expertise in a recent interview. Among other points, Lau emphasized the unique and critical challenges posed by OT. His insights reveal the vulnerabilities in medical and industrial control systems, offering a new perspective for healthcare IT professionals striving to fortify their organizations against evolving threats.
A Unique Focus on OT Security in Healthcare
With healthcare’s heavy reliance on operational technology—from HVAC systems to medical devices—the need for robust OT security has become increasingly urgent. Lau underscored that Advocate Health faces an unprecedented cybersecurity challenge following its recent merger with Atrium Health. Together the system now encompasses over 50 hospitals and 150,000 employees. “There is a lot of opportunity for growth and to serve the communities and patients in our areas,” Lau explained, “but also a lot of opportunity for attackers.”
Historically, healthcare cybersecurity efforts have focused primarily on IT. However, now that the OT systems controlling physical elements like building automation and medical devices are also vulnerable, attackers have an additional avenue to disrupt healthcare operations. “If an IT system goes down, it’s kind of an inconvenience,” Lau observed. “With OT, you’ll really notice it.” In healthcare, where environmental controls are essential to patient care, an OT breach could shutter the facility.
Understanding the Critical Risks of OT in Healthcare
Operational technology differs fundamentally from traditional IT, operating in the physical world rather than the digital one. Lau highlighted that OT systems in healthcare facilities require nearly constant availability to maintain safe, regulated environments. This difference also extends to the types of threats they face. “If attackers can shut down critical OT systems, like HVAC or elevators, it could force a hospital to evacuate,” he said, painting a vivid picture of the risks posed by OT-focused ransomware attacks.
He drew attention to the risks associated with aging OT infrastructure, much of which lacks modern cybersecurity defenses. “A lot of industrial control systems from the Clinton administration are not going to have the same security features that current systems have.” He emphasized the need to address outdated technology that is still crucial to healthcare operations.
The Overlooked Threat of Unsegmented Networks
Many healthcare systems lack dedicated OT security teams. OT is often managed by traditional IT teams ill-prepared to handle its unique demands. This lack of specialization can lead to network segmentation issues, as IT and OT networks may share resources without proper isolation. According to Lau, “Usually, you don’t see dedicated incident response or network monitoring for OT. They try, more often than not, to jam it into the IT funnel, and it just doesn’t work.”
To address these risks, Lau recommended separating OT networks from IT networks wherever possible. Steps include creating dedicated incident response and disaster recovery plans for OT, and providing targeted security training for teams managing OT systems.
Building an Effective OT Security Team
Establishing a specialized OT security team is essential, but the unique expertise required makes hiring a challenge. In response, Lau adopted a creative approach at Advocate Health. “If you’re trying to find just people with an engineering background or an ICS background, that is a chocolate-covered unicorn with sprinkles,” he joked, highlighting the scarcity and high cost of such talent. Instead, Lau assembled a diverse team from various professional backgrounds,...