By nature, organisations are risk averse. Investors and stakeholders like to see regular business cycles, cash flow and monthly recurring revenue. When an organisation takes on risk, the business usually scrutinises it with a cost-benefit analysis, since some forms of risk are manageable and others are not. It is down to organisational leaders to determine what is deemed an acceptable level of risk and to eliminate or manage it as necessary, writes Marty Edwards, VP of Operational Technology at the cyber firm Tenable.
For those organisations that provide critical infrastructure services, efficient risk management is vital in ensuring the company’s operational technology (OT) and the fabric of our national security is always thoroughly protected. Some countries have broken down which vertical industries they consider to be critical within their regions. For example, the CPNI in the UK identifies 13 distinct national infrastructure sectors that are of strategic importance.
In recent years, as critical infrastructure organisations have modernised their operations with a sharp rise in automation and IoT technology, the threat landscape has also heightened. In a world where new attack surfaces keep growing, how can critical infrastructure organisations reduce their cyber risk?
How automation can lead to cyber threats
During the last few months of the pandemic, the world has come to understand the vital role essential workers play and the risks that come with a scaled-down workforce. However, this is only part of the equation as, over the past few years, nearly every industry has implemented some form of automation to increase efficiency in producing or delivering a product or service — none more so than industries providing essential utilities underpinning national survival. If our generators, turbines, actuators, robots, and the greater OT environment did not run smoothly, we would soon find ourselves without electricity, clean water and other essential products or services that are part of our day-to-day lives.
Indeed, how to ensure the security of OT infrastructure is increasingly attracting boardroom attention. Executive discussions used to focus on the security of IT operations alone; the agenda has now shifted towards OT operations. This is due to the new attack surfaces and vectors created by the automation of more and more processes and services.
Industrial cyber risk
Although there is an increased focus on securing OT environments, critical infrastructure organisations are always searching for improved industrial cybersecurity strategies. According to a commissioned study conducted by Forrester Consulting on behalf of Tenable, an incredible 96pc of UK organisations have experienced one or more business-impacting cyberattacks in the last 12 months, and the majority (65pc) of security leaders say some of these attacks involved OT. This highlights the vital need for organisations to significantly reduce their risk across critical infrastructure. There are four steps that every organisation should take to achieve this goal:
– Identify the assets central to industrial operations. PLC devices are essential to the operation of OT environments, so it is crucial that new programming errors or malware are not introduced when regular programming changes take place. To avoid any unauthorised changes being introduced, organisations should keep an audit trail of all changes that are made by employing automatic “snapshotting” of configuration changes that can offer the “last known good state” when needed.
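As an added illustration of the snapshotting and audit-trail idea above (example code written for this article, not Tenable's product or any vendor's PLC tooling), the following Python keeps a hashed history of a PLC's configuration, marks which snapshots passed change control, and compares what is actually running on the device against the last approved state. The PLC name, user names and configuration keys are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Added example, not from the article: a minimal change-audit store for PLC
# configurations. All identifiers and configuration content are constructed.


@dataclass
class Snapshot:
    plc_id: str
    digest: str        # SHA-256 of the canonical configuration
    config: dict
    author: str
    taken_at: str
    approved: bool     # True once the change has passed change control


def config_digest(config: dict) -> str:
    """Hash the configuration in canonical JSON so key order does not change the digest."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


@dataclass
class SnapshotStore:
    history: list = field(default_factory=list)

    def snapshot(self, plc_id, config, author, approved=False, when=None):
        """Record a configuration as read from the PLC, with who took it and whether it is approved."""
        snap = Snapshot(plc_id, config_digest(config), json.loads(json.dumps(config)),
                        author, when or datetime.now(timezone.utc).isoformat(), approved)
        self.history.append(snap)
        return snap

    def last_known_good(self, plc_id) -> Optional[Snapshot]:
        """Most recent approved snapshot for this PLC, or None if no baseline exists yet."""
        for snap in reversed(self.history):
            if snap.plc_id == plc_id and snap.approved:
                return snap
        return None

    def check_live(self, plc_id, live_config) -> dict:
        """Compare the configuration currently on the device against the last approved snapshot."""
        baseline = self.last_known_good(plc_id)
        live_digest = config_digest(live_config)
        if baseline is None:
            return {"status": "no-baseline", "changed_keys": sorted(live_config)}
        changed = sorted(k for k in set(baseline.config) | set(live_config)
                         if baseline.config.get(k) != live_config.get(k))
        status = "ok" if live_digest == baseline.digest else "unauthorised-change"
        return {"status": status, "baseline_digest": baseline.digest,
                "live_digest": live_digest, "changed_keys": changed}

    def audit_trail(self, plc_id):
        """Chronological (time, author, short digest, approved) records for one PLC."""
        return [(s.taken_at, s.author, s.digest[:12], s.approved)
                for s in self.history if s.plc_id == plc_id]


def demo():
    """Constructed scenario: two approved changes, then an unrecorded edit found on the device."""
    store = SnapshotStore()
    base = {"scan_cycle_ms": 10, "setpoint_psi": 120, "interlock_enabled": True, "logic_crc": "a1b2c3"}
    store.snapshot("plc-pump-01", base, "alice", approved=True, when="2021-01-04T09:00:00+00:00")
    # An engineer raises the setpoint through change control.
    v2 = dict(base, setpoint_psi=125)
    store.snapshot("plc-pump-01", v2, "bob", approved=True, when="2021-02-11T14:30:00+00:00")
    # Later the PLC is read back and the interlock is found disabled with no change record.
    live = dict(v2, interlock_enabled=False)
    return store, store.check_live("plc-pump-01", live)


if __name__ == "__main__":
    store, result = demo()
    print(result["status"], result["changed_keys"])
    print(store.last_known_good("plc-pump-01").config)
```

The check reports which keys differ from the approved baseline, so the restore decision can be made on the specific change (here a disabled interlock) rather than on a bare hash mismatch, and `last_known_good` returns the exact configuration to push back to the device.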
– Obtain complete visibility across OT infrastructure. The same Forrester study found that, while around 70pc or more of security leaders say they have complete visibility into their organisation’s applications, data, IT and cloud platforms, only six out of 10 have a similar level of visibility into OT, IoT, and mobile devices. Multiple silos across IT and OT security create critical blind spots. With attacks now designed to infect and spread across the converged IT/OT infrastructure, it is essential that organisations have full visibility of their IT footprint and a complete inventory of OT assets in the environment.
Through the deployment of industrial-grade security to gain visibility across the entire organisation’s infrastructure, alongside an asset inventory that goes down to ladder logic and backplane information, organisations can ensure they are always aware of the full range of assets that need protecting.
– Leverage multiple detection methodologies to identify threats early. For organisations to protect themselves against common infiltration points and cyberattacks, they need to have a deep situational awareness of each asset in the environment. Remaining vigilant to what is navigating across the network is also key as any sudden changes in network traffic and behaviour can act as an early warning sign.
To reduce the risk of attack, organisations will need to adopt processes and tooling that combine multiple detection methodologies, such as policy-based, anomaly-based and signature-based detection. By leveraging multiple detection methods, both known and zero-day attacks can be prevented. This empowers security teams to find more threats and further secure the environment from more attacks, earlier.
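To make the three methodologies concrete, here is an added example (written for this article, not code from Tenable or any ICS monitoring product) that runs policy-based, anomaly-based and signature-based checks over a constructed window of parsed OT traffic records. Host names, the operation labels, the allowlist and the signature pattern are all constructed; the labels stand in for whatever a real protocol dissector would produce.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Added example, not from the article. All hosts, operations and patterns are constructed.


@dataclass(frozen=True)
class Event:
    src: str
    dst: str
    func: str        # generic operation label for this example, not any vendor's real function code
    payload: str = ""


def window(src, dst, func, n=1, payload=""):
    """Build n identical events; used only to construct sample traffic windows."""
    return [Event(src, dst, func, payload) for _ in range(n)]


# Constructed known-good windows used to learn the anomaly baseline.
BASELINE_WINDOWS = [
    window("hmi-01", "plc-01", "read", 3) + window("hmi-01", "plc-01", "write", 2) + window("eng-ws-01", "plc-01", "read"),
    window("hmi-01", "plc-01", "read", 3) + window("hmi-01", "plc-01", "write", 3) + window("eng-ws-01", "plc-01", "read"),
]

# Constructed window under observation.
OBSERVED = (
    window("hmi-01", "plc-01", "read", 3)
    + window("hmi-01", "plc-01", "write", 2)
    + window("eng-ws-01", "plc-01", "write")                 # permitted by policy, but new behaviour for this host
    + window("laptop-07", "plc-02", "write")                 # not an authorised station
    + window("laptop-07", "plc-02", "program_download", 1, "vendor_hdr=XX")   # matches the constructed signature
)

# 1. Policy-based: only these (source, destination) pairs may issue control operations.
CONTROL_ALLOWLIST = {("hmi-01", "plc-01"), ("hmi-01", "plc-02"), ("eng-ws-01", "plc-01")}
CONTROL_FUNCS = {"write", "program_download", "stop_cpu"}


def policy_alerts(events):
    return [e for e in events if e.func in CONTROL_FUNCS and (e.src, e.dst) not in CONTROL_ALLOWLIST]


# 2. Anomaly-based: learn per-(source, operation) counts from the known-good windows.
def build_baseline(windows):
    keys = {(e.src, e.func) for w in windows for e in w}
    per_key = defaultdict(list)
    for w in windows:
        counts = Counter((e.src, e.func) for e in w)
        for k in keys:
            per_key[k].append(counts.get(k, 0))
    return {k: (mean(v), pstdev(v)) for k, v in per_key.items()}


def anomaly_alerts(events, baseline, sigma=3.0):
    alerts = []
    for key, n in Counter((e.src, e.func) for e in events).items():
        if key not in baseline:
            alerts.append((key, n, "operation never seen from this host in baseline"))
        else:
            mu, sd = baseline[key]
            # Floor the deviation at 1 so a zero-variance baseline does not alert on any change at all.
            if n > mu + sigma * max(sd, 1.0):
                alerts.append((key, n, f"count {n} vs baseline {mu:.1f} +/- {sd:.1f}"))
    return alerts


# 3. Signature-based: a constructed placeholder pattern standing in for a published signature.
SIGNATURES = [("placeholder-sig-001", re.compile(r"program_download\b.*vendor_hdr=XX"))]


def signature_alerts(events):
    return [(name, e) for e in events for name, pat in SIGNATURES if pat.search(f"{e.func} {e.payload}")]


def detect(events, baseline):
    """Run all three methods over one window and return the alerts from each."""
    return {"policy": policy_alerts(events),
            "anomaly": anomaly_alerts(events, baseline),
            "signature": signature_alerts(events)}


if __name__ == "__main__":
    for method, alerts in detect(OBSERVED, build_baseline(BASELINE_WINDOWS)).items():
        print(method, len(alerts), alerts)
```

The three methods deliberately overlap only partly: the unauthorised laptop is caught by policy, the engineering workstation's first-ever write is caught only by the anomaly baseline, and the signature fires on one specific payload regardless of who sent it. That is the practical reason for layering them rather than relying on any one.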
– Concentrate remediation efforts on critical assets and actual exploits. Regardless of the OT vendors within an organisation’s infrastructure, the likelihood is that many vulnerabilities will be announced during their products’ lifespan. It is not uncommon for critical infrastructure organisations to operate with hundreds of thousands of vulnerabilities at any time. This is clearly chaotic and impractical, as security teams must monitor and resolve existing vulnerabilities while new ones continue to present themselves every day.
Once an organisation has a detailed understanding of the vendors, model numbers, patch levels and firmware versions within its OT environment, vulnerability-matching functionality can be used to identify the vulnerabilities and exploits that are most relevant to that environment. By prioritising vulnerabilities based on asset criticality and the type of exploit available, organisations can focus their response on reducing the highest-risk elements first to ensure the environment is secure.
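The matching and prioritisation described above, as an added example (not Tenable's scoring model or any product's code): a constructed inventory of vendor, model and firmware version is matched against constructed advisories, and each finding is scored by base severity, asset criticality and whether an exploit is known. The advisory identifiers are placeholders, not real CVE numbers, and the weights are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Added example, not from the article. Assets, advisories, ids and weights are constructed.


@dataclass(frozen=True)
class Asset:
    asset_id: str
    vendor: str
    model: str
    firmware: str       # dotted version string as read from the device
    criticality: str    # "safety", "production" or "monitoring"


@dataclass(frozen=True)
class Advisory:
    advisory_id: str    # placeholder id for this example, not a real CVE number
    vendor: str
    model: str
    fixed_in: str       # first firmware version containing the fix; earlier versions are affected
    cvss: float
    exploit: str        # "weaponised", "poc" or "none"


# Assumed weights: a safety system counts three times a monitoring station,
# a weaponised exploit three times a vulnerability with no public exploit.
CRITICALITY_WEIGHT = {"safety": 3.0, "production": 2.0, "monitoring": 1.0}
EXPLOIT_WEIGHT = {"weaponised": 3.0, "poc": 2.0, "none": 1.0}


def parse_version(v: str) -> tuple:
    """Compare versions numerically so that 2.10.0 sorts after 2.9.0."""
    return tuple(int(p) for p in v.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    return ((asset.vendor, asset.model) == (adv.vendor, adv.model)
            and parse_version(asset.firmware) < parse_version(adv.fixed_in))


def risk_score(asset: Asset, adv: Advisory) -> float:
    return round(adv.cvss * CRITICALITY_WEIGHT[asset.criticality] * EXPLOIT_WEIGHT[adv.exploit], 1)


def prioritise(assets, advisories):
    """Return affected (asset, advisory) pairs, highest contextual risk first."""
    findings = [
        {"asset": a.asset_id, "advisory": adv.advisory_id, "cvss": adv.cvss, "score": risk_score(a, adv)}
        for a in assets for adv in advisories if is_affected(a, adv)
    ]
    return sorted(findings, key=lambda f: (-f["score"], f["asset"], f["advisory"]))


# Constructed inventory and advisories.
ASSETS = [
    Asset("plc-safety-01", "VendorA", "M100", "2.1.0", "safety"),
    Asset("plc-line-03", "VendorA", "M100", "2.4.0", "production"),
    Asset("rtu-sub-07", "VendorB", "R20", "1.0.5", "production"),
    Asset("hmi-view-02", "VendorC", "H5", "5.2.0", "monitoring"),
]
ADVISORIES = [
    Advisory("ADV-0001", "VendorA", "M100", "2.3.0", 9.8, "weaponised"),
    Advisory("ADV-0002", "VendorA", "M100", "2.5.0", 6.5, "none"),
    Advisory("ADV-0003", "VendorB", "R20", "1.1.0", 7.5, "poc"),
    Advisory("ADV-0004", "VendorC", "H5", "6.0.0", 9.0, "none"),
]


if __name__ == "__main__":
    for f in prioritise(ASSETS, ADVISORIES):
        print(f"{f['score']:6.1f}  {f['asset']:15} {f['advisory']}  (CVSS {f['cvss']})")
```

Note how the ordering differs from sorting by CVSS alone: the 9.0 finding on the monitoring HMI with no public exploit drops to the bottom, while the 7.5 finding on a production RTU with a proof-of-concept exploit moves up, and the line PLC already running fixed firmware is not matched against the weaponised advisory at all.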
As the world, both physically and digitally, continues to evolve, our critical infrastructure will also continue to expand in scope. Further requirements may be placed on these organisations, so it is imperative that security teams continuously re-evaluate their risk to establish areas for improvement. Being able to deploy the right security tools, specifically designed for OT environments but easily integrated with existing IT security, will help to ensure the resilience of the organisations that make up our critical infrastructure.