I realize that the problem I am about to describe is not a critical one, and certainly not life-altering, but it’s one that brought the challenge of increased cyberattacks, especially those made against operational technology (OT), home for me.
As I am sitting here writing my column, I have a freshly toasted everything bagel beside me. Warm steam is flowing out of it, filling my office with the delightful scent of freshly baked bread. It smells delicious and I can’t wait to dig in to its crunchy goodness. The problem is that it happens to be topped with slowly melting butter, when I actually prefer cream cheese.
Like I said, this isn’t an Earth-shattering crisis. I just happen to have a really keen love of cream cheese. Back when one of my all-time favorite television shows was on the air, a cop drama set in the 1950s called Crime Story, the father of one of the main characters was killed because of a lack of cream cheese. I can relate to his dilemma. So in my house, we always comically yell, “You got no cream cheese!” whenever we run out of it, just like The Dancer (his nickname because he used to beat any legal charges brought against him) did on Crime Story in his last scene.
Over the past couple weeks, we have been saying that quite a lot. Cream cheese is also not sitting on any store shelves near our home. I know that the holidays sometimes spikes demand for it, because it’s a critical ingredient in desserts and holiday baking recipes like cheese cakes. But it turns out, that is only part of the problem. The other is that a main factory that produces cream cheese for the East Coast was hit with a ransomware attack. The attack apparently put the factory out of commission for a few days, which doesn’t seem like much, but that is more than enough time to disrupt the already shaky supply chain, especially at this time of year.
Hackers attacking a cream cheese factory would seem almost ludicrous a few years ago, but these days it’s clear that nobody is safe. And in fact, businesses like those which are manufacturing goods, running utilities or processing food products may be especially vulnerable to attacks because of their reliance on OT. Most OT began life as manual devices like valves or sensors, and only recently got ported over and integrated into IT networks. Protection for most of those devices has not yet caught up with the fact that they are now essentially part of IT networks, which are subject to many more attacks.
Hacks against OT were at least partially responsible for the Colonial Pipeline attack that stopped gasoline from flowing to much of the country, and the one against beef supplier JBS, which made certain kinds of meat a little bit scarce for a time. And an OT attack made against Schreiber Foods in Wisconsin is at least partially to blame for the cream cheese shortage too.
The federal government is by no means asleep at the wheel when it comes to cyberattacks this year. CISA and the FBI have both warned agencies and private firms to be wary of ransomware attacks this holiday season, as they are expected to ramp up to an all-time high. They are even keeping on top of individual vulnerabilities, even going so far as to warn the public of a critical one that absolutely must be patched by Christmas Eve. And let’s not forget that the Biden Administration’s Executive Order on cybersecurity calls for improved threat information, sharing of data between the government and industry, and increased efforts to move agencies toward advanced defenses like zero trust.
All of those efforts are good places to start, and all are critical to protecting the computer networks of this country. But so far, most of the emphasis seems to be on IT, with OT becoming a bit of an afterthought. Yes, we have seen CISA warnings about really dangerous OT attacks that could hurt the public, such as those made against a water treatment plant in Florida where attackers tried to poison the drinking water. Those individual warnings are good at raising awareness about the problem, but what is really needed is a concentrated effort to improve OT cybersecurity across the board to bring it up to speed with efforts on the IT side. Perhaps an OT Executive Order is needed?
Security firm Gartner is also warning people about the problem. They predict that if something is not done, that there will be deaths as a direct result of OT attacks by 2025, if not sooner. I hope we won’t wait until that happens to start to get a handle on OT security.
My own personal crisis was solved when I was able to find a huge tub of cream cheese at a store well outside the area where I normally shop. I quickly grabbed it and froze it, just in case the shortage gets any worse. The nationwide OT security problem, sadly, won’t be fixed quite so easily, but it’s something that we need to start working on right now before things get any worse.
John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys