- Cyber attacks to operational technology are becoming increasingly sophisticated, with the potential to cripple critical infrastructure.
- Many organisations lack visibility over their vast and complex networks, leaving potentially thousands of entry points for would-be criminals.
- A holistic, non-siloed approach to cyber security, with a focus on a secure workplace culture, will help mitigate the growing risks and create a more resilient organisation.
As the Fourth Industrial Revolution advances the connectivity of the physical world to the digital, cyber security threats to operational technology (OT) are rapidly maturing with it, with potentially devastating effects.
Cybercriminals have been launching attacks on operational technology— a term that describes the technology responsible for the monitoring and movement of the physical elements of a piece of infrastructure — since before the turn of the century. The methodology of early attacks were experimental, determining what techniques were successful, and soon became more militarised as cyber weapons designed for major destruction. The current wave of OT attacks involve increasingly sophisticated and malicious ransomware, with a new generation of cyber-hackers beginning to master the ‘trade’.
A ransomware attack in 2019 on Norsk Hydro, a Norwegian aluminium producer, was a significant harbinger of the kinds of threats that businesses and governments alike are now facing.1 The stakes in this era are higher than ever, moving beyond simple attacks such as demands for small payments in return for decrypted files to the millions of dollars demanded to avoid incapacitating critical infrastructure such as oil refineries, as seen in the 2019 incident with Mexican oil giant Pemex.2
It’s not for lack of awareness of the rising threat — often, government and public sector organisations don’t have full visibility of their OT systems, let alone the security vulnerabilities within them. The legacy notion that cyber security is an IT problem rather than a whole-of-business concern can also foster a lack of accountability in keeping organisations safe, while heightening the likelihood that malicious third parties may gain access to critical systems and networks.
Then there’s the matter of network segregation, which is critical to protecting these systems from less-trusted networks, such as email and internet access in corporate environments, where threats can propagate with relative ease. IT/OT network segregation, which uses technologies such as firewalls to partition networks into various network segments, is a relatively simple concept. But it can be extremely challenging to implement in a digital society where traditional network barriers are continuously being broken down for ease and speed of use.
With these complexities in mind, organisations managing critical infrastructure can take three steps to help place operational technology at the heart of their cyber security strategy and ensure the risks are mitigated – while creating an organisation that is more resilient to future attacks in the process.
1. Put the appropriate risk management frameworks in place
The convergence of IT and critical infrastructure has made cities smarter and more connected, and in the process, once-isolated industrial environments – factories, railway lines, power grids – are now operated more seamlessly and effectively. But the proliferation of digital sensors that collect data within these environments have created an environment where the sheer number of assets make them increasingly difficult to secure. In July 2017, the Washington Post reported on hackers using an IoT-enabled fish tank to steal data from a United States casino.3 Although the tank’s sensors were used to regulate its temperature, this seemingly innocuous IoT device was compromised to access critical data about the casino’s high rollers. It’s a sensational example, and a good reminder of how unsecured operational technology can invite serious damage.
The explosion of customer touchpoints – smartphones, laptops, tablets – and the move towards cloud-based platforms are creating ‘attack surfaces’ that are constantly changing shape. It’s more important than ever that organisations understand their critical assets, know how to manage them and put the appropriate risk management frameworks, such as the United States’ NIST framework, in place.4 These frameworks accommodate the relevant risks associated with operational environments, where health and safety and environmental impacts are often more prominent than traditional security issues such as privacy and confidentiality.
Organisations should work to identify the blind spots, segment their IT and OT networks and avoid the tendency to simply set and forget. A good cyber security strategy should also include the ability to anticipate changes in the technology landscape.
2. Focus on people and culture
There’s no denying that awareness and accountability are major obstacles to a robust cyber security strategy. According to PwC’s 2019 Digital Trust Insights study, 71 percent of high performing organisations (dubbed ‘cyber security trailblazers’) strongly agreed that their cyber security team communicates effectively with their board and senior executives about cyber risk, whereas only 33 percent of ‘regular’ respondents to the survey strongly agreed. This figure is influenced by the common belief that cyber security is the domain of IT rather than the remit of an entire organisation.
Too often, dissonance and a lack of understanding between IT and OT departments, plus insufficient buy-in at an executive or board level, can leave businesses open to security breaches, placing critical infrastructure and services under threat. Investing in cyber security talent, championing cyber security awareness at every level of an organisation and tearing down the barriers that hinder collaboration between different parts of a business can set the stage for a more holistic and effective approach to mitigating cyber risks in operational technology before they arise.
Organisations that rely heavily on OT systems tend to have strong cultures of safety embedded in everything they do due to the risks associated with operating and maintaining their infrastructure assets and the potentially hazardous environments in which they operate. This presents a golden opportunity to classify cyber security as another form of safety, and leverage the protocols and procedures already embedded. Key to this is learning to communicate cyber security risks in a language that is more naturally understood by the OT side of the organisations. For example, engineers tend to care more about stability, uptime, safety and resilience — all of which have strong ties or dependencies on security. Helping translate these terms and ‘making it real’ for the people in the field are the hallmarks of a successful OT cyber awareness strategy.
3. Eliminate the barriers to visibility
Lack of a clear cybersecurity agenda can increase an organisation’s risk of cyber attack. But in the operational technology arena, many organisations are also plagued by barriers that affect their ability to detect and respond to threats.
For instance, many organisations who rely on OT don’t have a single view of their security risk landscape, thanks to limitations introduced by legacy systems, multiple technology vendors, and an organisational structure that clouds accountability of critical assets. Others fail to adequately segment their operation and information technology environments, leading to a flat network structure that is easier to manage, yet similarly easier to compromise from a cyber perspective. This means that a breach of one device – whether internally, via an employee or from an external party – can compromise an entire IT network, and subsequently spread to critical OT systems.
Separating critical and non-critical systems helps organisations better grasp the assets worth protecting and put the right controls in place. Ultimately, gaining a clearer view of the relationship between OT and IT – as well as the differences between them – is the route to preventing future threat.
Although technology has made the infrastructure we depend on more seamless, convenient and customer-centric, it’s crucial that the constantly emerging risks are prepared for, and future threats anticipated. It starts by putting cyber security at the heart of your business imperatives, investing in and fostering a culture of cyber safety, and identifying the ways in which your systems are vulnerable.
Scenario planning is one way that organisations can help identify vulnerabilities within their own strategies. PwC’s Cyber Security Experience Centre (CSEC), in Be’er Sheva, Israel, operates as an experiential cyber-kinetic environment, showcasing risks and their mitigation. Its lab also simulates and tests OT cyber threat scenarios, helping develop advanced defence strategies.