By Ian Bramson, Global Head of Industrial Cybersecurity at ABS Group
Did you know almost 50% of ICS (Industrial Control Systems) organizations don’t have dedicated 24/7 security to manage Operational Technology (OT) incidents should a cyber event occur? While this fact may not be common knowledge to organizations, hackers have been readily exploiting this gap, as seen in incidents such as the Colonial Pipeline shutdown or the Oldsmar, Florida water treatment plant breach. Adversaries have learned that targeting ICS can result in quicker and higher payouts because of the potential to disrupt operations, prompting threat actors to focus on ICS targets. Ransomware attacks have proven very effective for OT systems just as with IT systems and are now being used as a weapon in international politics. As the conflict between Russia and Ukraine continues, adversaries are looking to gain real-world advantages from these kinds of cyberattacks. The pro-Russia hacking group Conti recently released a statement stating, “We are going to use all of our possible resources to strike back at the critical infrastructure of an enemy.” This should be a warning bell for any organization involved in critical infrastructure to be on high alert and consider themselves a potential target. All of this begs the question: are organizations prepared to detect and respond to a cyber attack on their OT systems?
New SANS report highlights lack of preparedness
Despite known and increasing threats, many organizations have not made OT cybersecurity a priority. A recent report from the SANS Institute titled “Threat-Informed Operational Technology Defense: Securing Data vs. Enabling Physics”, found that only 22% of security technology managers have the visibility needed to defend against modern threats. If an organization is creating a response plan after an attack occurs, then they are already too late. Keeping your response plan ready for implementation at a moment’s notice and your staff current on the procedures for addressing an attack enables a swift and unified response, yet 40% of those surveyed have not run incident response exercises in the last 18 months. On the positive side, although it appears many OT environments are not well positioned to detect or respond to an attack, many companies do have investments planned. The research reveals that 52% of respondents rank increasing visibility into control systems and implementing ICS-specific network security monitoring (NSM) as top priorities in the next 18 months.
Why is OT cybersecurity lagging behind?
Attacks on the OT environment are not entirely new, with notable incidents like the Stuxnet attack in Iran dating back 12 years. But there is still a perception gap between senior decision-makers and those on the front lines about the importance of a robust cybersecurity program in OT. In the SANS report, 35% of participants indicate such a gap between senior management and OT/ICS cybersecurity front line teams. This gap manifests itself as a lack of investment in OT cybersecurity programs which means security teams are resource-challenged and running on threadbare budgets.
The expertise required to manage OT cybersecurity programs is highly specialized. An effective program requires experience in both cybersecurity and the industrial environment within which the systems operate. Too many organizations take a “copy and paste” approach, applying the same principles and techniques from IT environments to OT, which have drastically different concerns, processes, and equipment. Attacks on these OT systems go beyond data and into physical spaces and deal with networks of legacy equipment installed at different times and with varying levels of technological capabilities. As a result, a dedicated team of experienced professionals is needed to better protect the security of the system and the people working inside of it. However, the survey found that currently, 47% of ICS organizations do not have internal, dedicated, 24/7 security response teams.
Taking steps to close the gap
Getting in front of this challenge requires change from the top down. To close the gap between front line teams and senior management organizations, decision-makers can take several different steps:
- Appoint a Chief Information Security Officer (CISO) who can oversee OT/ICS security from a senior executive position, guaranteeing OT security professionals have a voice in the boardroom to help prioritize security initiatives.
- Educate the board of directors on common misconceptions surrounding OT security. This means making sure they understand that OT security can’t be copied from IT, that being compliant does not mean being secure, and that this is a quickly evolving space where solving the last attack won’t prepare you for the next one.
- Run OT-specific tabletop exercises regularly to keep team members from different levels of the company on the same page regarding a response to an attack. ICS incident response teams must understand the control system processes, the engineering, industrial protocols, safety factors, and ICS-specific cyber threats and maintain response plans that fit their organization.
- Employ an active cyber defense cycle (ACDC) whereby they can secure, maintain, monitor for, and respond to threats. This repeatable process is driven by human cyber defenders who have both the necessary engineering knowledge of the OT environment and a background in cybersecurity defense. An active defense keeps security personnel engaged in identifying vulnerabilities and takes a more proactive than reactive approach with the focus on understanding not just the last attack but looking ahead to the next one.
- Bring in a third-party organization to aid in identifying vulnerabilities, setting up a robust security program, and advising on maintaining OT protection moving forward. These experts can provide support for companies as they make key hires and set up an in-house cybersecurity program.
Cybersecurity now or forever hold your peace
OT environments are still playing catch up in terms of cybersecurity as 45% of survey participants estimate threats to their control systems are at high risk. And they’re right. The effect on operations, human safety and the environment could all prove costly when OT systems are exploited.
Many companies are not prepared for the potential onslaught of attacks that could be headed their way. While many are coming around to the necessities of building a more robust cybersecurity program for their OT environments, they are fighting an uphill battle to prepare for these attacks. Threat actors are actively plotting their next OT/ICS attack, looking to disrupt critical infrastructure either for profit or political gain. Without a proper plan for how to identify, respond to and recover from an attack before the attack occurs, organizations could find themselves in costly and dangerous situations.
About the Author
Ian Bramson is Global Head of Industrial Cybersecurity at ABS Group and a recognized leader in the emerging threat landscape of attacks on industrial operations and critical infrastructure. With more than 20 years of experience in cybersecurity and technology, Ian works directly with executives in the energy, industrial and maritime sectors to help minimize their cybersecurity risks. Ian can be reached online through his LinkedIn page at https://www.linkedin.com/in/ianbramson/ and at our company website https://www.abs-group.com/