by Michael Litherland, Cyber Security, Thales Australia
As information technology (IT) and operational technology (OT) continue to converge in critical national infrastructure, the gaps between IT and OT technologies are creating vulnerabilities and leaving industries open to cyberattacks. In order to manage risk well, these gaps must be closed.
A recent report by the World Economic Forum identified cyberattacks on critical infrastructure and strategic industrial assets as now being one of the top five global risks. In order to combat this, companies have traditionally taken the stance that IT and OT each pose their own set of unique challenges and therefore handle them separately. However, as IT and OT convergence grows, urgent action on a range of fronts is needed to address risks that are being introduced.
Attackers understand that those responsible for organisational cyber defence can have different priorities and practices. Specifically, within the business, there can be differing functional requirements, different working cultures and risk management. It’s no surprise then that these environments can also be dissimilar and divergent when it comes to their own security requirements.
New challenges have now arisen from the complexities formed out of elaborate IT and OT infrastructures, which typically include thousands of devices, all being connected via the IIoT (Industrial Internet of Things). These complexities have changed the game yet again, making it even more difficult to detect, investigate and remediate cyber security threats and incidents.
Critical national infrastructure providers typically use OT to automate the services that they provide and they use it in a significant way. They’re under pressure to deliver services more efficiently and at lower cost due to market competition, technological change, reduced government funding and price regulation.
For this reason, many organisations have sought to automate and integrate more and more of their IT and OT systems. While most organisations report little change in their degree of IT–OT convergence over the past two years, a rapid increase in convergence is expected over the next two years.
Another convergence driver is the uptake of interconnected devices, often referred to as the ‘industrial internet of things’ (IIoT). This is helped by the development of open standards, low-powered sensors and electronic controllers, and short-range communication networks.
In the past, an organisation might have had a ‘stovepiped’ system provided by a single vendor communicating using proprietary protocols, with a single gateway into the back-office IT system.
Today, it’s more likely that there will be a range of different vendor systems communicating with each other in a complex network, and the concept of a clear boundary between IT and OT domains is less relevant. A Kaspersky study of 320 worldwide professional OT security decision-makers showed that 53 per cent saw implementing these types of IIoT solutions as one of their top priorities.
With an increase in connected sensors, the volume of data continues to increase as well. This data can be used to monitor operational performance, scheduling and utilisation, faults and anomalies, compliance and more. It can also be used to identify actions to improve effectiveness in real time. However, to implement effective machine learning and artificial intelligence algorithms, it is often easiest to connect to today’s public cloud services, which can provide flexible and easy-to-use processing power. This results in a more porous border between corporate IT systems and public networks, and effectively interconnects OT networks with public networks.
Although cloud services can be useful in bringing about new security opportunities, if these are not properly managed then they can also create new vulnerabilities by making formerly separate corporate systems accessible through the wider internet.
The convergence of IT and OT systems poses a significant potential threat to society and national security, so it’s important that the issue is prioritised and carefully managed.
Three of the most important ways to improve operations to manage risk include:
- Boards of critical infrastructure providers need to explicitly set their OT cyber risk tolerance and monitor their organisations’ performance against it. This requires a combination of regulatory mandate and enforcement (building on existing regulatory models, learning from the experience in implementing the telecommunications sector security regulations, and enabling boards to manage risk); for example, through recommended standards and approaches tailored to each sector. Considering ‘worst-case’ outcomes may lead to a list of critical assets that by default should not be connected to external systems unless there is both a compelling benefit and robust measures to manage the security risks arising from the connection. The Critical Infrastructure Centre would appear to be best placed to coordinate and drive this across Australia to ensure a common best-practice approach.
- Better education and information are needed at all levels to improve the understanding and management of risks, from both a business and a technical point of view. Key areas for action are:
  - General awareness and training. Specialised skills will be in short supply, but boards can be equipped to ask the right questions to understand and measure the risks and build the right culture, and all users should be educated in threat awareness and basic ‘hygiene’ to remove some of the easy targets for attackers.
  - Specialist courses. The creation and delivery of specific OT security courses should be included in plans for university, TAFE and other institutional programs.
  - Better threat information sharing. Clarity should be provided on the current range of government agencies that can help with threat intelligence sharing, providing clear leadership and ownership of this responsibility for the critical infrastructure sector.
  - Technical information sharing. There appears to be a perception that there’s a lack of appropriate commercial solutions for protecting OT systems, but globally the market can appear crowded. The maturity of commercial solutions that specifically address OT security requirements should be reviewed. This information could be shared with providers and also used to identify whether there’s a gap that may merit government investment to help accelerate the development of the capabilities needed. The Australian Cyber Security Centre could lead this activity, aligned with its existing programs of work.
- Resources need to be prioritised to ensure that the appropriate organisations are able to implement all of the required actions at the required pace. The longer that action is delayed, the more of a head start malicious actors will have, the more convergence will have taken place without security being at the core, and the greater will be the threat.
For more on how your organisation can guard itself against cyber security threats, see the Report on Cyber Threats to Operational Technologies in the Energy Sector.