Organizational Challenges to OT Cybersecurity Success
We have all heard the term “cybersecurity,” but do we recognise the risk potential to our organizations and the public? For many, cybersecurity is recognised as an “Internet” risk which is only one specific area of focus. Did you know that nearly any programmable device is hackable? This includes operational technology systems and internet of things systems where the result of a cyberattack may result in a physical response.
Operational technology is a term that describes automated control systems and IoT which are an integral part of our everyday lives. OT systems enable manufacturing, power production, water treatment, building control systems (HVAC, elevators, etc.) and many others in all market sectors.
Time and time again, our adversaries have successfully infiltrated OT systems:
- 2019, 2000% Increase in Attacks Specific to OT
- 2020, 25% increase in identified known vulnerabilities
- 2021: Oldsmar water treatment plant, Miller-Coors, Ellsworth County Kansas water treatment plant, Colonial Pipeline
Generally, the number of successful attacks is underreported. There is no regulation of private industries which requires reporting, and many organisations will not share information in an attempt to protect shareholder value, attack methods and overall reputation.
With frequent attacks, we ask the question “What challenges are organisations facing to lower their OT Cybersecurity risks?”
Traditionally, OT systems have not been treated similar to other organisational assets. These systems were put in place with an expectation for high availability for an extended service life (15+ years, or longer) and generally were run until failure. OT Cybersecurity events can be traced into the late 1990s, however, the 2010 Stuxnet attack was the epoch which triggered the revolution of OT cybersecurity. In the early 2010s the industry began to release updated security standards (e.g. IEC-62443), and new vendors, services and products were released in response to the newly recognised risk.
For many organisations, the equipment installed today is still within the planned service life, will not support modern security controls and suffers financial limitations to modernise for cybersecurity. Return on investment calculations for modernisation tend to focus on the cost of technology in comparison to returns in efficiencies rather than the consequences of a cybersecurity event. As a child of the 1980s, I’m reminded of many school board budgeting votes for new computers which were denied since the district had computers that worked (or were available as related to the OT systems).
Cybersecurity is risk management, and risk management is not one size fits all. Overcoming organisational challenges related to OT cybersecurity begins with recognising OT cybersecurity risk and its potential consequences. The likelihood of a cybersecurity event is 100%, the conversation has shifted from not “if” but “when” and therefore unlike other risks we cannot quantify the likelihood so we assume the event will occur.
You cannot defend what you do not know and therefore best practices recommend that organisations begin with a risk assessment which includes the development of a comprehensive asset inventory, and creation or updating of network diagrams for all OT assets (both those networked to other systems and isolated systems). The result provides organisational leadership with a comprehensive view of the risk profile, potential consequences and mitigation techniques. OT cybersecurity requires a balance of return on investment (consequence vs. mitigation), operability and maintainability to achieve the organisation’s defined risk tolerance and operational goals.
Management’s support and commitment to cybersecurity is critical to success. Cybersecurity mitigations are based on the concept of defence in depth which provides many abstract layers of defence including people, processes and technologies. There is no one product or solution that will make your organisation secure from OT cyber threats.
We will cover detailed mitigations in future articles but offer the following top 5 for people, processes and technologies for consideration in maturing organisational cybersecurity.
- Manage the human element — establish expectations, hold accountable and train
- Establish a cybersecurity risk management leadership team
- Commit to standards and best practices
- Incorporate staff into decisions on cybersecurity — collaboration is key. Mitigations will impact operations and maintenance.
- Train employees on role specific cybersecurity expectations:
- What should an operator do if the mouse moves without their control?
- What should maintenance do if the program doesn’t match his last backup?
- Who is responsible and how do they respond in an event?
- Train on cybersecurity disaster response
Processes (Get Organised and Establish a Vision)
- Develop policies and procedures for system interaction
- Establish vendor and procurement requirements
- Define risk assessment methodologies and frequency
- Develop disaster response and business continuity plans that include OT systems
- Utilise recognised standards and best practices
- Implement defence in depth techniques
- Secure software and hardware
- Provide tools for staff to monitor and maintain
- Treat control systems as an asset that includes maintenance and replacement plans
- All connected devices must have a business purpose
Remember, you have to be right 100% of the time, the cyber criminals only have to be right once! Have a plan to identify, protect, detect, respond and recover.