For years, Operational Technology (OT) systems have been working to control everything from factories to transportation networks to utilities. The reality is most citizens don’t think about these systems until there’s a problem. That’s why the the attack against Colonial Pipeline in May 2021 was so startling. The attack on a segment of the enterprise transcended IT and resulted in a temporary but severe disruption of the OT based fuel supplies and led the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) to issue an advisory urging critical infrastructure (CI) asset owners and operators to take on a heightened state of awareness.
Unfortunately, the attack against Colonial Pipeline isn’t the first or last time an adversarial cyberattack on an OT target will make headlines. Malicious cyberattacks are likely to increase given the opportunities for mission impact, social anxiety and profit that disrupting systems and stealing intellectual property from OT and IT systems represent. If there’s any silver lining to this high-profile attack it’s that it has put a renewed focus on securing critical OT assets.
OT cyber events also have demonstrated the consequence of failing to invest and commit proportionally to a cybersecurity strategy. For years OT system owners relied on the “air gap” that separated OT systems from IT to protect them. But as more and more OT organisations digitally connect OT infrastructure such as supervisory control and data acquisition (SCADA) systems with IT networks, the resulting evaporation of the air gap has dramatically increased the level of risk. Given this situation, it’s not a surprise that in the “2021 State of Operational Technology and Cybersecurity Report” nine out of ten OT organisations experienced at least one intrusion in the past year and 63% had three or more intrusions.
To protect cyber physical assets, OT organisations need to commit to a proactive cybersecurity strategy, paying particular attention to visibility, control and behaviour analysis. It’s critical to protect every point of connection to the outside world to proactively safeguard OT.
In the past, exploits against SCADA or industrial control systems (ICS) were viewed as an infrequent subset of highly structured and often nation-state sponsored targeted attacks. But the OT market is expected to continue to grow through 2027 at a CAGR of 6.40%. Relying on obscurity as a defence strategy doesn’t work anymore; it’s practically an invitation to cybercriminals to penetrate and ultimately compromise OT systems. Although IT-related exploits are still more prevalent, according to the Global Threat Landscape Report from FortiGuard Labs, a growing number of exploits are targeting OT. The long-held perception that ICS exploits are an obscure niche of the cyber threat landscape is simply no longer the case.
In the past, OT attacks were the domain of specialised threat actors who knew how to exploit ICS and SCADA systems. But now, many of those tools are now being packaged as attack kits on the dark web, so they are available to a much broader set of less technical attackers. The motivations behind the attacks range from gaining a profit through extortion, stealing intellectual property, to simply testing infrastructure resilience. The attacks offer a side benefit in that they create a climate of uncertainty and can force actions by executives in the government and commercial sector. The headlines generated from a successful attack on OT infrastructure only serve to amplify these effects. Attacks on large enterprise businesses in energy and manufacturing and even smaller more discrete intrusions at the municipal utilities level are all newsworthy. The alarming cybersecurity news in 2021 reinforces the fact that OT infrastructures require attention to reduce the attack vectors, tactics and techniques that focus on industrial environments.
The rapid expansion in the threat landscape and the increase in attacks demonstrate the increased need for integration between enterprise solutions and operational infrastructure. In most cases, security considerations need to extend to on-premise systems and extend to the Internet of Things (IoT) and Industrial Internet of Things (IIoT) devices. It’s also important to have an infrastructure control strategy that restricts and contains suspicious activity and behaviour. At a minimum, organisations should implement zero-trust network access (ZTNA), which limits user or device access to only those resources required to perform a specific role or function. ZTNA also strictly limits the range and level of engagement, which serves to restrict activity if a system is compromised.
OT organisations that put comprehensive security policies in place give themselves an advantage over threat actors and can limit the impact of a breach. OT infrastructure is no longer benefiting from obscurity and the adoption of near-universal convergence of IT and OT networks implies traditionally isolated environments are no longer safe. Organisations must take proactive steps to harden OT environments, including integrating tools and practices designed to protect, detect and respond to threats in real-time. Although attacks are inevitable, they don’t have to be successful.
By Rick Peters, CISO Operational Technology, Fortinet