Ryan Moody, President and CEO, ABS Group of Companies, Inc.
The word “ransomware” strikes fear into the hearts of business leaders across all sectors and industries. And it should. The number of cyber-attacks for ransom increased by 105% in 2021—and 60% of companies affected by these attacks chose to pay the ransom. In short, business is booming for cybercriminals. This is especially true for attackers who have shifted their focus from information technology (IT) to operational technology (OT) environments.
In the wake of attacks like those on Colonial Pipeline and the DTEK Group, bad actors have understood the additional leverage that attacks on critical OT systems bring. Connected OT environments have provided operators with many benefits, but they also open doors for bad actors. The ability to gain control of physical equipment has given attackers the ability to threaten companies with more than just data breaches. When these groups infiltrate OT environments, they have the power to interfere with the distribution of critical resources such as power, gas or water.
Critical infrastructure organizations often fail to adequately protect their operations from attack because they do not fully understand the nuances of defending OT environments or the broader implications of an attack on their operations. Even more are completely unaware that they are failing to protect their assets. If you’re unsure about your approach to OT security, here are some signs that you may have significant work to do:
1. There is no leader responsible for OT security
OT programs are too often handled in an ad hoc manner. In today’s risk landscape, it is imperative that critical infrastructure managers and original equipment manufacturers (OEMs) have CISOs equipped to lead the charge and provide uniform direction across the organization. This position should be responsible for designing internal controls and protocols, presenting these protocols to the board of directors to gain buy-in, and educating the company’s workforce on appropriate cyber OT practices.
Without this position leading the charge and elevating the conversation related to cyber OT, it is difficult to secure the right funding and support to properly address the problem.
2. You have no inventory of assets
Consider your industrial environment. Do you know what actually exists in it? Does anyone? Good cyber programs should account for every piece of equipment and every device connected to a network, but most companies don’t even know what their ecosystem looks like.
Network mapping is a common practice in IT, but it can be difficult to translate this practice to OT environments that have not been evaluated for years. OT inventories should map out not only what you have but also how these elements are connected to each other. Gaining visibility through careful mapping can mitigate the risks of both system-level and product-level vulnerabilities, each of which comes with its own set of potential problems.
3. You rely on “Air-Gapping” to keep your components safe
Like it or not, air-gapping does not exist. Many OT teams believe that pieces of equipment are safe from attack because they are not regularly connected to the internet or other devices. These teams need to rethink that. Anything in an OT environment that has been upgraded has, at some point, been linked to an external source, which means there was an opportunity for someone to hack it.
Updates applied by human technicians or from vendor-verified USB drives are just as dangerous as those downloaded directly to equipment via a connected system. After all, if a company does not conduct cyber acceptance testing or maintain supply chain visibility, there is no way to know that you can really trust your supplier.
On the other hand, those who think their equipment is safe because it is rarely updated are also at risk. Industrial equipment that is 20 years out of date is likely to have significant vulnerabilities that hackers can exploit. Worse, these vulnerabilities are likely well known to bad actors who will be able to exploit them quickly and quietly.
4. You think IT will take care of it
Although there is some overlap, IT and OT environments are completely different in practice. As OT security is a rapidly emerging field, IT professionals are often inexperienced in protecting OT assets from attacks. Even worse, some IT teams have been trained to avoid OT assets altogether. In these cases, no one handles cyber OT at all – and leadership is completely unaware.
Therefore, it is imperative that CISOs explore the responsibilities of IT teams and look for OT specialists to complement these teams. Many modern enterprises are going even further, shifting their focus entirely to OT and allowing OT programs to absorb IT responsibilities.
5. Your approach is driven by compliance
Compliance does not always equal safety. Consider a truck with 30-inch wheels and a compact (so, smaller) spare in the back. Sure, the driver complies with the mandate to have a spare, but that spare cannot support the truck and keep it moving if it loses a tire. The same is true of cyber security. Compliance with regulations is not enough to keep your operations safe.
Rather than ticking boxes on a checklist, businesses should let their risk profile guide their cyber OT policies to ensure their assets are protected. The risks for a small parts manufacturer are different from those that a large energy supplier will face. If the major energy supplier follows the same guidelines as the parts manufacturer, it is setting itself up for significant exposure.
6. Making Improvements
If anything on this list resonates with you, you’re not alone. Thousands of businesses in the industrial sector fail in one or more categories, and unfortunately, neglecting just one area puts them at significant cyber security risk. Fortunately, improving OT security protocols is possible, and you’ve already taken the first step. You acknowledge that you should take OT security more seriously. Once you accept this, you can critique your practices, assess the real risk in your environment, and rest easier knowing that your company and its customers are better protected against delays, disruptions, and more devastating cyber-physical attacks.