How Connected OT Systems Can Affect Critical Infrastructure

In recent years there has been a growing trend towards connecting operational technology (OT) systems in critical infrastructure to corporate networks and the internet. This connectivity can improve efficiency, reduce costs and increase reliability, but it also creates a significant cyber attack surface. This article looks at how connected OT increases the risk to critical infrastructure and at the challenges usually faced when securing these systems.

What Is Operational Technology?

Operational technology refers to the hardware and software systems used to control and automate industrial processes, such as power generation, water treatment, and transportation.

Traditionally, these systems have been isolated from the internet to prevent unauthorized access and cyber attacks, but as industries become more connected, there has been a push to integrate OT systems with IT (information technology) systems and the internet.

A survey conducted by Gartner determined that “organizations are keen to integrate IoT and IT technologies […] into OT systems. However, IoT deployment is still in the early stages, and most organizations don’t yet have the skills, expertise or time to drive the IT/OT alignment requirements.”

This integration has the potential to improve efficiency, reduce costs, and increase reliability by enabling remote monitoring, predictive maintenance, and data analytics. However, it also enlarges the attack surface of critical infrastructure: every remote-access path, data feed or vendor connection that is added for a business reason is also a path an attacker can use, and an isolated system never had to defend against any of them.

What Makes Connected Systems More Vulnerable?

  • Legacy

Many critical infrastructure systems were designed decades ago, when the only threat model was an attacker with physical access, and were not built with network security in mind. These legacy systems often lack basic security features such as encryption, authentication and access controls, and many cannot be patched or replaced without a production outage.

The 2017 WannaCry outbreak is a prime example. WannaCry was a self-propagating worm, attributed by the UK and US governments to North Korea, that spread through an SMBv1 flaw (MS17-010) for which Microsoft had shipped a patch two months earlier; it was not aimed at any particular victim. The UK's National Health Service was hit hard because many trusts still ran unsupported or unpatched Windows systems: dozens of trusts lost access to systems, thousands of appointments were cancelled, and the Department of Health and Social Care later put the cost at around £92 million. The lesson carries over to OT directly: a legacy device that cannot be patched must be isolated, because it will be exposed to whatever worm reaches its network segment.

  • Vulnerabilities

Connected OT systems are exposed to the same threats as any networked system: malware, ransomware, denial-of-service and phishing. In OT the priorities are reversed compared with IT: loss of availability or integrity, a process stopped or a setpoint silently changed, can cause physical damage or endanger safety, whereas confidentiality is usually the lesser concern.

The December 2015 cyber attack on Ukraine's power grid remains the most prominent example. According to the alert published by ICS-CERT (now part of the Cybersecurity & Infrastructure Security Agency, CISA), “power outages were caused by remote cyber intrusions at three regional electric power distribution companies, impacting approximately 225,000 customers.” It is regarded as the first publicly confirmed case of a cyber attack causing a power outage. The intrusion chain is exactly the IT-to-OT path that connectivity creates: the attackers gained their initial foothold through spear-phishing emails carrying BlackEnergy malware, harvested credentials on the corporate networks, then used legitimate remote-access connections into the distribution SCADA environment to open breakers from the operators' own consoles, and finally wiped workstations with KillDisk to slow the recovery.

  • Complexity

Connected OT systems are complex and involve many components: sensors, controllers, actuators, HMIs and the communication networks between them, often from several vendors and of several generations. That makes it hard even to inventory what is on the network, let alone identify and remediate security vulnerabilities, and a fix on one component may need to be tested against every other component in the control loop.

  • Human Error

Human error is a common cause of cyber incidents. This is particularly true in critical infrastructure, where operators are under pressure to keep service levels high and to respond to emergencies quickly, and where a "temporary" bypass, such as a modem or remote-access tool left connected after an outage, tends to become permanent.

How Can We Protect Connected OT Systems?

According to a report by Help Net Security, “most companies with OT security challenges are implementing systems for detecting and proactively derailing threats, while some are also deploying tools that use decoys and deception to throw off attackers.”

That is why, to reduce the attack surface of connected OT systems, it is essential to adopt a comprehensive security strategy, which should include the following measures:

  • Risk Assessment

A comprehensive risk assessment identifies the assets, vulnerabilities and threats associated with critical infrastructure systems; it should start from an accurate asset inventory, since an undocumented controller cannot be protected. The assessment should involve a cross-functional team of IT and OT experts and consider both technical and non-technical risks, including what happens to the physical process if a given system is lost or misbehaves.

  • Segmentation

Segregate OT systems from IT systems and the internet to reduce the attack surface. In practice this means a zoned network in the style of the Purdue model: a deny-by-default firewall between the enterprise and control zones, a DMZ that brokers data (a historian mirror, patch staging) so that nothing in the enterprise zone opens connections directly to a controller, and unidirectional gateways (data diodes) where data only needs to flow out. VPNs and jump hosts give remote staff and vendors a controlled way in, but they are access paths, not segmentation; each one is a hole in the boundary that needs its own authentication and monitoring.
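A small way to make the segmentation point concrete is to review a boundary policy the way a firewall rule audit would. The following is an added example, not material from the original article: it models a first-match, deny-by-default zone policy, puts a "just make it work" ruleset beside a segmented one, and flags any allow rule that lets the enterprise zone initiate traffic straight into the control zone. The zone names, the rule format, the sample flows and the historian port 5450 are all assumptions for illustration; in practice you would load the exported ruleset of your boundary firewall into the same structure.

```python
"""Zone-policy review for an IT/OT boundary firewall.

Added example, not the article's own material. Zone names, the rule
format, the sample flows and port numbers are constructed; in practice
the rules would be loaded from the boundary firewall's exported ruleset.
"""
from dataclasses import dataclass
from typing import List, Union

ANY = "*"          # wildcard for any zone, protocol or port

# Zones in a Purdue-style layout: enterprise IT, an engineering zone,
# a DMZ that brokers data, and the control zone holding PLCs and HMIs.
IT_ZONES = {"enterprise"}
OT_ZONES = {"control"}


@dataclass(frozen=True)
class Rule:
    src: str                  # source zone or ANY
    dst: str                  # destination zone or ANY
    proto: str                # "tcp", "udp" or ANY
    port: Union[int, str]     # destination port or ANY
    action: str               # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


def _matches(rule: Rule, flow: Flow) -> bool:
    pairs = ((rule.src, flow.src), (rule.dst, flow.dst),
             (rule.proto, flow.proto), (rule.port, flow.port))
    return all(r == ANY or r == f for r, f in pairs)


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; a flow that no rule matches is denied."""
    for rule in rules:
        if _matches(rule, flow):
            return rule.action
    return "deny"


def boundary_violations(rules: List[Rule]) -> List[Rule]:
    """Return allow rules that let an IT zone (or any zone) initiate a
    connection straight into the control zone, bypassing the DMZ."""
    bad = []
    for rule in rules:
        src_is_it = rule.src == ANY or rule.src in IT_ZONES
        dst_is_ot = rule.dst == ANY or rule.dst in OT_ZONES
        if rule.action == "allow" and src_is_it and dst_is_ot:
            bad.append(rule)
    return bad


# "Just make the vendor's remote support work": enterprise may reach the
# control zone on anything. This is the rule that breaks segmentation.
WEAK_POLICY = [
    Rule("enterprise", "control", ANY, ANY, "allow"),
    Rule("engineering", "control", "tcp", 502, "allow"),
]

# Segmented policy: IT only talks to the DMZ; the control-zone historian
# pushes outbound to its DMZ mirror (port 5450 is an assumption); only the
# engineering zone may speak Modbus/TCP (502) to PLCs; an explicit deny
# closes the control zone to everything else.
SEGMENTED_POLICY = [
    Rule("enterprise", "dmz", "tcp", 443, "allow"),
    Rule("control", "dmz", "tcp", 5450, "allow"),
    Rule("engineering", "control", "tcp", 502, "allow"),
    Rule(ANY, "control", ANY, ANY, "deny"),
]

# Constructed flows to evaluate against both policies.
IT_TO_PLC_MODBUS = Flow("enterprise", "control", "tcp", 502)
IT_TO_DMZ_WEB = Flow("enterprise", "dmz", "tcp", 443)
EWS_TO_PLC_MODBUS = Flow("engineering", "control", "tcp", 502)
DMZ_INTO_CONTROL = Flow("dmz", "control", "tcp", 5450)

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name, "IT -> PLC Modbus:", evaluate(policy, IT_TO_PLC_MODBUS))
        print(name, "boundary violations:", boundary_violations(policy))
```

The point of the audit function is that the dangerous rule is easy to write and easy to miss in a ruleset of hundreds of lines: it looks like any other allow. Checking allow rules against the zone pairs that must never be directly connected catches it mechanically, and the same check should be run again whenever a "temporary" vendor rule is added.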

  • Access Controls

Implement access controls, such as multi-factor authentication, role-based access control and privileged access management, so that only authorized personnel can reach critical infrastructure systems, and so that a vendor or remote engineer gets a time-limited, audited session rather than a standing account. Where operator consoles use shared logins, as many HMIs do, individual authentication at the jump host keeps actions attributable.

  • Patching

Regularly patch and update OT systems to address known vulnerabilities. Because a reboot can stop a physical process, patches should be tested on a representative system, scheduled into maintenance windows and coordinated with the equipment vendor; where a device cannot be patched at all, compensating controls such as isolation and monitoring have to stand in for the patch.

  • Monitoring

Implement a continuous monitoring program to detect and respond to cyber threats in real time. Technical monitoring should cover the control network itself, for example passively inspecting OT protocol traffic for commands that do not fit the baseline (a write to a controller from a host that is not the engineering workstation, or a function code no legitimate application uses), alongside conventional log collection. Non-technical monitoring means giving operators an easy way to report social engineering attempts and unusual vendor requests.
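To show what "anomalous behavior" on a control network looks like in practice, here is an added example (not code from the original article) of a passive Modbus/TCP monitor: it parses the MBAP header and function code of each request, raises an alert when a write function code arrives from any host other than the engineering workstation, when a function code outside the read/write baseline appears, or when a frame is malformed. The engineering workstation and PLC addresses, the enterprise host and the "captured" request bytes are all constructed for the example; in production the records would come from a SPAN port or network tap on the control segment.

```python
"""Passive Modbus/TCP write-command monitor.

Added example, not the article's own material. Host addresses and the
captured request bytes below are constructed; a deployment would feed
this the same (src, dst, payload) records from a tap or SPAN port.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Function codes from the Modbus application protocol specification.
READ_FUNCTIONS = {1: "read coils", 2: "read discrete inputs",
                  3: "read holding registers", 4: "read input registers"}
WRITE_FUNCTIONS = {5: "write single coil", 6: "write single register",
                   15: "write multiple coils", 16: "write multiple registers"}

# Constructed addresses: only the engineering workstation may write to PLCs.
ENGINEERING_WORKSTATION = "10.10.1.5"
PLC = "10.10.2.20"
ENTERPRISE_HOST = "10.0.5.77"
ALLOWED_WRITERS: Set[str] = {ENGINEERING_WORKSTATION}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusRequest]:
    """Parse the 7-byte MBAP header plus function code; None if malformed.
    MBAP: transaction id (2), protocol id (2, must be 0), length (2, counts
    unit id + PDU), unit id (1); the PDU starts with the function code."""
    if len(payload) < 8:
        return None
    tid, proto_id, length, unit_id, fc = struct.unpack(">HHHBB", payload[:8])
    if proto_id != 0 or length != len(payload) - 6:
        return None
    return ModbusRequest(tid, unit_id, fc, payload[8:])


def inspect_request(src: str, dst: str, payload: bytes,
                    allowed_writers: Set[str] = ALLOWED_WRITERS) -> Optional[str]:
    """Return an alert string for a request that should not be on the wire,
    or None for traffic that matches the baseline."""
    req = parse_modbus_tcp(payload)
    if req is None:
        return f"malformed Modbus/TCP frame from {src} to {dst}"
    if req.function in WRITE_FUNCTIONS and src not in allowed_writers:
        return (f"{WRITE_FUNCTIONS[req.function]} (FC {req.function}) to {dst} "
                f"unit {req.unit_id} from unauthorised host {src}")
    if req.function not in READ_FUNCTIONS and req.function not in WRITE_FUNCTIONS:
        return f"non-baseline function code {req.function} from {src} to {dst}"
    return None


def scan(records: List[Tuple[str, str, bytes]]) -> List[str]:
    """Run inspect_request() over (src, dst, payload) records; return alerts."""
    alerts = []
    for src, dst, payload in records:
        alert = inspect_request(src, dst, payload)
        if alert:
            alerts.append(alert)
    return alerts


def _frame(tid: int, unit: int, fc: int, body: bytes) -> bytes:
    """Build a Modbus/TCP request frame (used only to construct samples)."""
    pdu = bytes([fc]) + body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed "captured" requests: (source, destination, payload).
SAMPLE_RECORDS = [
    # Baseline: the EWS polls 10 holding registers starting at address 0.
    (ENGINEERING_WORKSTATION, PLC, _frame(1, 1, 3, struct.pack(">HH", 0, 10))),
    # Baseline: the EWS writes one register at 0x0100 (a setpoint change).
    (ENGINEERING_WORKSTATION, PLC,
     _frame(2, 1, 16, struct.pack(">HHB", 0x0100, 1, 2) + b"\x03\xe8")),
    # Anomaly: an enterprise host writes a register it should never reach.
    (ENTERPRISE_HOST, PLC, _frame(3, 1, 6, struct.pack(">HH", 0x0010, 0xFFFF))),
    # Anomaly: the same host probes with a user-defined function code.
    (ENTERPRISE_HOST, PLC, _frame(4, 1, 100, b"")),
    # Malformed: the length field promises more bytes than are present.
    (ENTERPRISE_HOST, PLC, b"\x00\x05\x00\x00\x00\x06\x01\x03"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print("ALERT:", alert)
```

The detection is deliberately dumb: it does not need signatures, only a baseline of who is allowed to write and which function codes the plant actually uses. That is what makes it workable in OT, where traffic is repetitive and a new talker or a new command type is itself the anomaly. A read from the enterprise host passes this check; in a properly segmented network it would have been blocked at the boundary, which is why monitoring complements segmentation rather than replacing it.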

Additionally, it is essential to ensure that personnel responsible for critical infrastructure systems are trained in cybersecurity best practices. This training should be tailored to the specific needs of each industry and should cover topics such as password management, phishing awareness, and incident response.

Challenges to Secure Connected OT Systems

  • Integration

Integrating OT systems with IT systems and the internet can be challenging, particularly when dealing with legacy systems. This integration requires a significant investment in both time and resources to ensure that systems are properly configured and secured.

  • Lack of Standards

Standards exist, notably IEC 62443 for industrial automation and control systems and NIST SP 800-82 for OT security, but there is no single set of mandatory, uniformly applied security requirements for connected OT across critical infrastructure. Different sectors and regulators impose different requirements, which makes it challenging to develop a one-size-fits-all solution.

  • Third-Party Risk

Many critical infrastructure systems rely on third-party vendors for support and maintenance, often through remote access into the control network. These vendors may not have the same level of security controls in place as the organization, and a compromised vendor account or laptop becomes a path straight into the OT environment.

  • Cyber Insurance

Cyber insurance is becoming increasingly important for organizations to mitigate the financial impact of a cyber attack. However, insurance policies for critical infrastructure systems can be costly and difficult to obtain.

In addition, governments and regulatory bodies can play a significant role in improving the security of critical infrastructure systems. These entities can establish security standards and guidelines for connected OT systems, incentivize investment in cybersecurity, and provide resources for training and education.

In fact, following a 2021 National Security Memorandum on control system cybersecurity, CISA published its Cross-Sector Cybersecurity Performance Goals (CPGs) in October 2022: a set of voluntary, prioritized measures that organizations in the critical infrastructure sectors can implement to improve their cyber protection, covering account, device and data security, vulnerability management, supply chain, incident response, and more.

In Conclusion

The trend towards connecting operational technology systems in critical infrastructure to the internet presents significant security challenges, including legacy systems, vulnerabilities, complexity, human error, and third-party risk. To mitigate cyber threats, organizations must adopt comprehensive security strategies and teach their personnel about the best cybersecurity practices.

Organizations, industry groups, regulatory bodies and third-party vendors must work together to ensure that critical infrastructure systems remain secure and reliable in the face of growing cyber threats.
