Oil and gas, manufacturing, energy distribution and critical infrastructure – what do all these industries have in common? Aside from their indispensability, they all rely on operational technology (OT) such as industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices.
Collectively, these technologies control the world we live in, and OT-directed attacks can have a devastating impact. In contrast to traditional Information Technology based attacks, these Cyber-Physical attacks affect machinery and processes that have real world impacts to the industries and people they serve.
In 2021, we were reminded of this fact by the Colonial Pipeline attack, which nearly crippled gas supplies across the Eastern U.S. More recently, 9 out of 10 organizations reported that cyberattacks impacted their production or energy supplies within the last 12 months, with 56% seeing disruption lasting 4 days or longer.
Thanks to a combination of factors, OT-directed attacks – and traditional cyberattacks that impact OT systems – are steadily increasing, with government agencies increasingly taking notice. But why is this happening and how can you protect yourself in 2023? In this article, we’ll answer both questions.
OT Security Trends
OT threats have been on the rise for years, and while the factors behind this rise have largely remained consistent, they are being accelerated by larger trends affecting the IT landscape and business world in 2023.
1. OT Talent Gap
With the need for cybersecurity talent growing faster than the supply, ISC2 reported that global organizations were facing 3.4 million unfilled cyber positions in 2022.
This gap continues to impact OT worse than other fields, as OT environments are filled with a combination of specialized and legacy systems. According to one expert, there were fewer than 1,000 ICS cybersecurity experts around the world only five years ago, and improvements have not kept pace with OT threats.
2. Supply Chain Issues Driving IT/OT Convergence
IT and OT have been converging for long enough that SANS Institute recommended dropping the IT/OT nomenclature several years ago: today’s industrial environments are dependent on IT infrastructure, which makes OT systems vulnerable to IT-directed attacks.
With continued supply chain issues and economic downturn projected in 2023, organizations are being pushed to maximize efficiency, meaning an influx of industrial IoT (IIoT), cloud apps and other Internet-facing surfaces that drive OT threats.
3. Geopolitical Conflict
Given the critical role that OT plays in supporting national industry and infrastructure, it is a common target for nation-state actors and politically motivated advanced persistent threat groups (APT) groups.
According to one study, hacking and reconnaissance against government bodies accounted for 48% of Internet traffic monitored across all public-sector organizations in 2022. As geopolitical conflict increases around the world, politically motivated cyberattacks of all types can be expected to rise even higher.
4. OT-Directed Attacks
In the past, OT threats have tracked IT threats closely, with many OT security incidents occurring as a side effect of malware or traditional cyberattacks. Now, threat actors are increasingly optimizing their attacks for ICS and SCADA devices, including systems from specific manufacturers.
Last April, the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory with several federal agencies warning that APT groups had developed a malicious ICS framework known as “PIPEDREAM,” tailored for devices found throughout OT environments.
The Impact of OT Threats
Attacks on control systems can accomplish many things, none of them good. Limiting the scope of risk to those that directly impact an organization, they include:
- Data theft – exposing operationally significant data to intruders and leaking proprietary information like intellectual property.
- Operational disruption – leading infrastructure to function improperly or even shut down. This may cause significant risk to human life and safety within operating facilities.
- Financial loss – with the rise of ICS ransomware, an OT attack can directly rob an organization. Beyond that, the cost to remediate any incident may be high, and extended periods of disruption can cause a loss in revenue.
Beyond an organization’s people and bottom line, it goes without saying that OT systems control a nation’s infrastructure meaning that any security incident can potentially affect millions of lives for the worst.
Protecting Your OT Systems
Faced with the prospect of cyberattacks on critical infrastructure, the government is focusing more attention on OT than ever before. It is only a matter of time before businesses – particularly government contractors – are required to follow regulations to protect their OT systems. But there’s no reason they can’t start now.
1. Adopt ICS Security Frameworks
With IT-directed attacks still accounting for a large number of OT threat incidents, securing your IT and network perimeter is a first step towards protecting OT. Organizations can start by complying with standards like the National Institute of Technology (NIST)’s Cybersecurity Framework (CSF).
They can also implement guidelines developed specifically for industrial environments, such as the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP).
2. Treat OT as a Separate Domain
Despite IT and OT convergence, organizations are increasingly shifting the primary responsibility for OT security from IT managers to OT operators. As a SANS Institute survey reports: “organizations are realizing the enterprise IT and ICS/OT environments are not the same. They not only have different types of systems, but also have technologies that are not directly cross-compatible.”
Ultimately, increased communication between IT and OT professionals can help to bridge knowledge gaps. While 72% of cybersecurity professionals can’t tell whether a disruption originated from IT or OT, a much larger number of professionals with a combination of IT and OT expertise can.
3. Promote More Secure Authentication
Poor identity management and authentication practices – such as weak passwords and lack of two-factor authentication – continue to threaten systems within an OT environment and on the periphery.
Now more than ever, it’s vital for organizations to educate their employees on the importance of secure passwords, and update applications with most-secure configurations, which may include 2FA and support for biometrics.
4. Develop an Incident Response Strategy
In the event of a successful OT attack, organizations can mitigate harm significantly by developing a robust incident response strategy. In summary, the plan should include steps to:
- If possible, isolate the affected systems to prevent further harm, identify the threat source and remove it.
- Record and document an ongoing attack for later analysis and review.
- Reduce harm by resetting affected systems’ passwords and user profiles.
- Inform stakeholders and implement measures to prevent future incidents.
- During an attack, every second counts and knowing what to do ahead of time can make a world of difference. For more detail, check out our blog post on disaster recovery and response. Additionally, consider joining industry organizations such as Incident Command System for Industrial Control Systems (ICS4ICS), which focuses on an OT based emergency management framework.
The Need for Expertise
When it comes to defending against OT attacks, no method of security is more reliable than proactive risk management, threat hunting and vulnerability assessment conducted by experts at the intersection between IT and OT.
Unfortunately, experts are hard to come by, especially for ICS, SCADA, programmable logic controllers (PLCs) and other OT systems. Fortunately, many are employed by Securicon. With years of experience with critical infrastructure – and the ability to implement NERC CIP guidelines – no one is better equipped to find vulnerabilities and promote safety in modern OT systems. To learn more, contact us today.