As seen on eSchool News
The pandemic prompted an increase in attacks on the OT components of organizations’ IT infrastructure--here's what IT teams can do.

7 things K-12 IT teams can do now to manage OT risks

The pandemic prompted an increase in attacks on operational technology components of organizations’ IT infrastructure

By Bob Turner, Field CISO for Education, Fortinet July 25th, 2022

The education sector continues to get slammed by cyberattacks. Microsoft’s Global Threat Activity Map by Industry shows that, as of June 16, education institutions had been victims of 5.9 million malware attacks within the last 30 days.

The rapid shift to distance learning accelerated an already growing trend. Relentless cyber activity, ransomware, and more sophisticated attacks expose education IT professionals to increased pressure to maintain operational continuity. Education IT leaders and chief information security officers must continually worry about protecting key information systems and data.

At the same time, we’ve also seen an increase in attacks on operational technology (OT) components of companies’ IT infrastructure. In the spring of 2021, the National Security Agency released a cybersecurity advisory that, while focused on the Defense Industrial Base, is applicable to many organizations. While there have been many such attacks, the 2021 Colonial Pipeline ransomware attack launched by the DarkSide hacking group and recent confirmed attacks on Ukraine’s energy facilities by the Russian Sandworm group stand out as extreme examples.

Defining and identifying the vulnerable OT in education

Before we can identify vulnerabilities in OT, we need to ask the tough question: Who owns OT in our K-12 school districts? IT teams provide networking and, in some cases, security oversight for OT that is connected to the campus networks and the internet.

K-12 schools and districts tend to focus on physical risk, which is understandable. Systems that manage door and window alarms and the systems that facilitate emergency communications are often prioritized for security that ensures availability. However, security cameras, HVAC systems, fire or other emergency annunciators are also connected to the network, opening them up to cybersecurity risk.

The call to action

The NSA’s advisory noted the need to devote resources to address the OT and control systems cybersecurity situation. The agency has created a pragmatic approach to evaluate and address basic improvements at the federal level.

While IT and OT share common problems with security and operating profiles, there is a strong need for education-focused IT, OT, and cybersecurity leaders to find the resources to evaluate and plan for improving OT security. Knowing what is on their networks and the vulnerabilities associated with those technologies is a foundational aspect of good cybersecurity.

The Infrastructure Investment and Jobs Act (IIJA) allocates more than $1 trillion to improve and strengthen our nation’s infrastructure, with approximately $2 billion allocated to improve cyber defenses at the state and local level. The three iterations of the Elementary and Secondary School Emergency Relief Fund (ESSER) program include close to $200 billion for improving schools, with earmarks for IT, OT, and security included. School districts should get access to those funds and get a running start on improving OT security.

What education IT teams and security leaders should do now

The low-hanging fruit is to act on the standard CISO warnings to change those default passwords and, where possible, use multi-factor authentication to inhibit malicious access attempts. There are other technical and operational options for OT security that can also be implemented now. Fortinet’s recently published State of Operational Technology and Cybersecurity Report recommends that teams take the following actions:

  1. Make your OT 100 percent visible to your security operations team.
  2. Establish an OT security response time metric, then measure and manage your security operations to reduce the mean time to detect and mean time to remediate vulnerabilities.
  3. Limit access to OT systems based on job function and title using role-based network access controls. Use network isolation “air gaps” where practical.
  4. Report OT system compromises as they occur. Present leadership with metrics and options so they can evaluate OT risk, value, and expenses/resources. 
  5. Empower your IT security teams to monitor OT systems as part of your security operations monitoring routine.
  6. Track and report OT intrusions detected and remediated to appropriate authorities.
  7. Use multiple vendors for OT systems.
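
As an added illustration of actions 1 and 2 (not from the Fortinet report or the original article), the sketch below computes OT visibility coverage plus mean time to detect and mean time to remediate per asset type. The inventory, incident records, and field names are constructed sample data, and measuring time to remediate from the moment of detection is an assumption.

```python
from datetime import datetime
from statistics import mean

# Constructed sample data: OT inventory and incident records (not from the article).
INVENTORY = [
    {"asset": "hvac-ctrl-01", "kind": "hvac", "monitored": True},
    {"asset": "cam-gym-03", "kind": "camera", "monitored": True},
    {"asset": "door-main-01", "kind": "door-alarm", "monitored": True},
    {"asset": "fire-panel-02", "kind": "fire-annunciator", "monitored": False},
]
INCIDENTS = [  # (asset, occurred, detected, remediated or None if still open)
    ("hvac-ctrl-01", "2022-05-02T08:00", "2022-05-02T20:00", "2022-05-04T08:00"),
    ("cam-gym-03", "2022-05-10T09:00", "2022-05-10T11:00", "2022-05-10T17:00"),
    ("cam-gym-03", "2022-06-01T00:00", "2022-06-01T04:00", None),
]

def hours(start, end):
    """Elapsed hours between two ISO 8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600

def visibility(inventory):
    """Fraction of OT assets the security team monitors, plus the blind spots."""
    blind = [a["asset"] for a in inventory if not a["monitored"]]
    return 1 - len(blind) / len(inventory), blind

def response_metrics(incidents, inventory):
    """Per asset kind: MTTD and MTTR in hours, and the number of open incidents."""
    kind_of = {a["asset"]: a["kind"] for a in inventory}
    buckets = {}
    for asset, occurred, detected, remediated in incidents:
        kind = kind_of.get(asset, "unknown")  # asset missing from the inventory
        b = buckets.setdefault(kind, {"ttd": [], "ttr": [], "open": 0})
        b["ttd"].append(hours(occurred, detected))
        if remediated is None:
            b["open"] += 1  # count open incidents separately so they cannot shrink MTTR
        else:
            b["ttr"].append(hours(detected, remediated))
    return {k: {"mttd_h": mean(b["ttd"]),
                "mttr_h": mean(b["ttr"]) if b["ttr"] else None,
                "open": b["open"]} for k, b in buckets.items()}

if __name__ == "__main__":
    print(visibility(INVENTORY))
    print(response_metrics(INCIDENTS, INVENTORY))
```

Reporting open incidents alongside the averages keeps an unresolved compromise from making the remediation number look better than it is.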

That said, there’s always the issue of whether there will be sufficient funding to keep these cybersecurity defense mechanisms in place when the IIJA and ESSER funding streams end in 2024. School districts should be working with school boards, local government leaders, and legislatures to plan and prepare budget actions now that fill the gap.

About the Author:

Bob Turner has years of experience as a higher education executive, board member, and thought leader with a focus on cybersecurity strategy and leadership, information assurance and business continuity planning, and information technology management. At Fortinet, he is the CISO for K-12 and higher education, acting as a senior-level strategic business and technical advisor for the cybersecurity community and business executives. Previously, Turner was a cybersecurity executive and Director of the Office of Cybersecurity reporting to the Chief Information Officer/Vice Provost for Information Technology at the University of Wisconsin at Madison. There, he built a cybersecurity team of 60+ cybersecurity experts delivering all cybersecurity services and improved university IT policy development by working with distributed IT and faculty governance groups to ensure a cohesive approach to IT policy, governance, audit, and cybersecurity operations.
