Martin Smith, MD of CyberPrism, looks at the issues facing industry in securing its OT.
There is a growing perception that Operational Technology is the next big focus area for cyber security. Certainly, the incidence of attacks seems to be increasing, although reporting is still low. Moreover, world events such as the war in Ukraine and its associated energy conflict have concentrated minds on industrial security as the global situation becomes less stable, and the boundary between state intervention and criminality becomes increasingly blurred.
The huge potential for ransom, extortion and economic disruption now seems clearer than ever.
The Energy Sector in particular looks like a great target, but it is the indiscriminate nature of many forms of malware which is perhaps most worrying: there is no need to be targeted in order to become a victim and many successful attacks can be seen as a form of collateral damage which was never envisaged by the initiator. These forms of malware can be seen as hybrids of weapons and contagions – analogous to biological warfare in some ways. Add OT security’s implications for safety and the environment, and it is easy to see why it is attracting attention. But what are companies doing about this? What are we seeing as industry, and the Energy Sector in particular, tries to adapt to a changing threat landscape?
Firstly, we need to understand that we are dealing with commercial entities here.
Companies exist to create value and sit within complex ecosystems, with multiple threats and a host of conflicting drivers. Government entities are subject to many of the same pressures. Quantifying the risk and consequences of attack, and the benefits of security investment in terms of value and ROI, is difficult.
Perhaps the most obvious driver is the operational cost inherent in increased ‘downtime’ due to cyber attack; but many industries are still on the road to truly data-driven operations, may be subject to other factors such as weather in offshore operations, and significant downtime is often seen as a fact of life.
Reputation, and the consequences for share price, would be another significant driver, but it is really where this starts to overlap with some form of licence to operate, backed by Government regulation and enforcement, that we are seeing most traction for what can otherwise seem like an intangible issue.
Add in safety and the environment, for instance in the Health and Safety Executive’s enforcement of the Network and Information Systems Regulation in the UK Energy Sector, and we move to a much more tangible imperative.
So, given increasingly effective industry drivers, what are the issues?
We tend to see cybersecurity as a technical activity, but the first issue we encounter in most situations is governance. Put simply, who is responsible for OT security? It may be that the IT Department has ended up with the lead – either explicitly or by association. Alternatively, the integrator or OEM might be assumed to have this role, or perhaps it is Operations or Engineering. Sometimes different elements have responsibility for different OT networks at a single site – a difficult situation for the Duty Holder to manage, especially where the supply chain introduces extra vulnerabilities. Either way, we would suggest that clarity of roles and responsibilities – and associated resourcing – is a necessary precursor to technical intervention.
On the technical level, from what we see, it is fair to say that there is a lot of work to do.
The issues set out above, along with the prevalence of aging equipment connected in ways that weren’t originally intended, and not fully patched or patchable, have left us with a matrix of vulnerabilities: essentially a large and complex attack surface. Key issues would be asset and vulnerability discovery, network visibility and alerting, network segregation and event response – but there are several others, all underpinned by personnel awareness and training, and with an underlying issue to do with insecure network architectures. Having scoped the problem, we seem to have encountered a bow wave of work which runs the risk of pushing OT security from the ‘not understood’ pile to the ‘too difficult’ pile.
How to move forward against this difficult backdrop?
Well, wicked problems must be addressed by teams, not individuals. In this case, the team must include operators, license holders, cyber security companies, integrators and the supply chain – to name but a few. Our military background tells us that the most important element in any team is trust, so that is where we must start. Building trust won’t be easy in an attractive industry with many new entrants at various levels of competence, but it is essential if we are to make progress against increasing threats.
However, even given the right relationships…
Industry doesn’t have enough qualified people and simply increasing the training pipeline won’t generate the right level of experience. This is where technology has to come in. Processes such as asset discovery, segregation, alert response, compliance tracking and training need to be increasingly automated: not taking the humans out of the loop, but putting them in control. Trust will be a factor again here – interventions in OT networks must be safe and there is too much loose talk of AI. Legacy systems will need particular attention, especially those that can no longer be patched effectively.
This is where we come in as a Security as a Service (SECaaS) provider for OT, fusing deep integrating technology and services into existing infrastructure more cost effectively than most clients could achieve on their own, to increase asset availability and regulatory compliance, and to leverage trusted data to support the fine-tuning of operations and improved decision-making.
Industry may be somewhat behind the power curve, but with the right industry drivers, improved governance, trusted teams and the right technology we stand a good chance of turning this around – not without some investment, of course. OT security can be made feasible and cost effective, but it will require considerable collective will to regain the initiative.
The good news is that some companies are grasping the nettle in exactly this way: they are the leaders who will show industry the way ahead.
Regulatory compliance may be the key driver for OT security at the moment, but we look to the time when it will be overtaken by a desire for real security and the competitive advantage which process optimisation and protection can bring.