Closing the Gap: Safeguarding Critical Infrastructure’s IT and OT Environments

By Victor Atkins, Director | Cybersecurity, 1898 & Co.

The rise in the age of digitalization has provided numerous benefits for modern society, from the ability to conduct a telehealth doctor’s meeting from the comfort of home to greater access to education for rural, isolated communities. Those who work in the critical infrastructure industry aren’t strangers to the benefits — but also the downsides — of a more digitally connected world.

With an increase in streamlined, automated controls and the capability to work from remote locations, critical infrastructure decision-makers now have a greater ability to provide reliable services for the communities they serve. However, expanded access to critical infrastructure systems has led to information technology (IT) and operational technology (OT) systems becoming more vulnerable and susceptible to cybersecurity threats through a variety of attack vectors. These attack vectors can include any data communication pathways that hackers can exploit to illegally enter a network or system.

With critical infrastructure operations continuing to push toward more digitized solutions, IT and OT systems have become more integrated and dependent on each other. The increased connectivity between these two traditionally separated systems provides the opportunity for adversaries to gain access to either the IT or OT system, which if left unchecked by cybersecurity measures, can result in a major impact to the integrated environment. Quality of life and the stability that comes from knowing the lights can be turned on at the flip of a switch or that the faucet at home never runs dry could be threatened without safeguarding attack vectors to prevent successful cyberattacks.

Feeling the Ripple Effect

While critical infrastructure may often be the target for malicious adversaries attempting to disrupt key services and day-to-day living, the ripple effect that comes from any organization facing a cyberattack can be widely felt. The initial target can often be just the starting point.

The recent conflict in Ukraine has become a case study example for how interdependent organizations that rely upon shared services have become. In a successful bid to render ViaSat’s commercial satellite KA-SAT network inoperable to achieve military objectives, there was a ripple effect that spread into adjacent critical infrastructure domains causing a loss of critical public services in 2022. The same satellite services that supported Ukraine’s military also supported European wind power generation, causing the shutdown of over 5,000 wind turbines in Germany that have total power output of 11 gigawatts.

The ransomware attack on Colonial Pipeline in 2021 was an example within the U.S. of what can happen when critical infrastructure operations are severely impacted. A ransomware attack resulted in the pipeline’s digital systems being shut down for several days, halting a vital U.S. oil pipeline. Consumers and airlines alike were affected by the shutdown and resulted in President Joe Biden declaring a state of emergency. The attack was named the largest publicly disclosed cyberattack against critical infrastructure within the U.S. to date.

The purpose of the Colonial Pipeline attack was to collect a ransom but ultimately it led to a significant disruption to critical services that affected a large portion of the U.S. population. In both the Ukraine and Colonial Pipeline incidents, the effect of the cyberattacks extended well beyond the attacker’s intentions. Given the many cyber interdependencies that exist, owners of critical infrastructure must prepare to be resilient to cyber incidents, even when not the intended target.

Another factor that is expanding the universe of attack vectors is the dramatic increase in remote work. Such work was required during the COVID-19 pandemic and launched a trend in decentralized workforces that is apparently here to stay. Owners and operators of critical infrastructure also had to adapt to these realities, enabling more remote access to operational control networks than ever before. Such an increase in access, especially for critical infrastructure assets, led to greater flexibility but also gaps in cybersecurity. With remote workers accessing crucial data, these individuals may have their own routers and configuration systems installed to complete work, resulting in unknown and unmonitored communications pathways to the OT environment. It’s difficult to secure or monitor data communications pathways in and out of a critical system if the asset owner doesn’t know these attack vectors exist.

In summary, cyber adversaries are leveraging these trends — the expanding number of vectors, including satellite and wireless communication networks, the growing shared dependence on third-party vendors, and the increasing number of network access points needed to accommodate remote workers — which is making critical infrastructure harder to defend from cyber incidents that result in downtime for key services.

Keeping Critical Infrastructure Secure

While it is unlikely to ever secure IT and OT environments 100%, risk reduction strategies can be put into place to prevent cyberattacks from becoming successful. Organizations should understand and prioritize the most critical operational functions that, if disrupted by a direct cyberattack or the loss of a key third-party service, would have a significant impact on the ability to operate. For instance, if a single facility accounts for 90% of a company’s revenue or a single substation services a key national security site in a remote location, these assets are likely top priorities to keep operational and reduce downtime. Once these critical functions are identified, the organization can map the IT and OT network pathways that support these systems and implement security or engineering controls to reduce risks of downtime or failure.

Identifying and mitigating known vulnerabilities are also critical steps in the risk reduction process. Organizations can make significant gains by simply closing gaps that are widely known to exist. Installing cybersecurity sensors for 24/7 monitoring can also lead to faster mitigation action to limit damage from a cyberattack. Cyberattacks can occur at any time and having a dedicated team available on call to identify and respond to an incident can limit downtime and the potential for the event becoming a more widespread issue.

Closing vulnerabilities and implementing network monitoring are effective measures for reducing cyber risks in existing critical infrastructure but to really get ahead of the risks presented by a growing attack surface, cybersecurity and resilience should be addressed at the earliest design and planning phases of new projects. This kind of collaboration, commonly referred to as Cyber-Informed Engineering, consists of discussions among cybersecurity professionals, engineers and project designers to identify and address cyber risks in the control and safety of automated systems. When done at the front end, this approach can make the implementation of cybersecurity controls more effective, efficient and cost-effective rather than trying to add these measures on after the capital project is completed.

Adversaries often look for the path of least resistance when it comes to seeking an attack vector to take down a valuable asset. For critical infrastructure — or any organization — it’s important to proactively safeguard systems to keep communities supplied with crucial services. Having a cybersecurity plan in place to identify potential vulnerabilities and putting a plan in place to respond to an attack are vital for maintaining the reliability and resiliency of critical infrastructure.

About the Author

Victor Atkins is a director of security and risk consulting at 1898 & Co., part of Burns & McDonnell. In his role, he develops and delivers industrial cybersecurity solutions and services to the critical infrastructure industry. He specializes in helping clients reduce risk in the critical infrastructure sectors. He is a nonresident senior fellow at the Atlantic Council, focusing on cybersecurity, hyperintelligence and nuclear security.

Victor can be reached online at [email protected] and at our company website https://1898andco.burnsmcd.com/about-us/our-people/victor-atkins