Nothing in industrial cybersecurity is as simple as ABC. Protecting complex, yet aging industrial networks against direct and indirect attacks, planned by increasingly sophisticated adversaries, is as big a challenge as you’ll find in operational technology. And, for decades, the exposure of industrial control systems was overlooked and fell far behind IT in terms of risk management.
OK, that’s the bad news; now for the good news. The last 12-18 months have been a period of unprecedented shifts in awareness and action for OT cybersecurity. From the boardroom, to the C-suite, to the shop floor, more industrial organizations are awakening to how exposed their OT networks are, and are taking action to catch up.
So, what is driving this awakening? Why are some organizations quicker to act while others lag behind? Based on the conversations I have every day with executives at these organizations, I’ve outlined a few “ABCs” of trends that are making a real difference.
A is for Awareness
The first step toward action in cybersecurity always begins with an awareness that there is significant risk exposure. For industrial organizations, this awareness has been threefold.
First, after years of believing cyberthreats were an IT problem, more organizations recognize that because OT networks are critical, threat actors have identified value in disrupting operational processes. Whether it is some geopolitical advantage or simply profit, that value raises the organization’s risk profile. Second, they have learned they do not have to be the primary target to suffer losses. Collateral damage can be just as destructive as a direct attack. And third, businesses are recognizing just how exposed these ICS environments are and how little visibility security teams have into the OT environment.
Much of this awareness has undoubtedly come from the cautionary tales appearing with increasing frequency in the media and government advisories:
● Malware has forced work stoppages in production plants – Automakers Honda and Renault were both forced to stop production lines because of the WannaCry attacks last year. As we know, the threat did not target industrial control systems, but the malicious code was nonetheless able to pass from IT to OT networks.
● Safety systems have been targeted to create disruption or damage to the plant – Disclosed in December 2017, the Triton attack targeted the Schneider Electric Triconex Safety Instrumented System controller, and through it, attackers could either trigger a “safe state” to halt an industrial process and cause downtime, or could reprogram the controller to allow the process to reach a dangerous state (unsafe temperature, velocity, etc.) to potentially destroy equipment and harm workers.
● The potential losses are real and they are significant – Global industrial giants such as FedEx, Maersk, Merck, Mondelez, Reckitt Benckiser, and Saint-Gobain all experienced significant disruptions and financial losses totaling nearly $900 million as a result of last year’s NotPetya attacks.
● Government advisories are acknowledging the scope and severity of cyber risk – Earlier this year, the White House issued a statement referencing the NotPetya attacks: “In June 2017, the Russian military launched the most destructive and costly cyberattack in history.”
● The U.S. Cyber Command has acknowledged the new realities of cyberspace – In a recent, sweeping update to the nation’s military strategy for cyberspace, the U.S. Cyber Command states that the new normal is being dictated by adversaries. The strategy document very openly acknowledges that adversaries have gained a lot of ground in cyberspace by operating just below the threshold of armed conflict to damage or disrupt military capabilities and critical infrastructure, without having to pay the price of open warfare. What’s encouraging in the document, however, is a strategic imperative to expand partnerships with the private sector, academia, other agencies, etc.; a position I have advocated for years.
● Nation-state attackers in Russia have been seen targeting industrial sectors – In March 2018, the U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued Alert TA18-074A describing a continuing campaign by nation-state actors within Russia’s government targeting government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors, to gather information about their ICS process controls and automation.
B is for Budget
Based on increased awareness of the real (not just theoretical) risk of direct or indirect attacks, and an increasing realization about just how exposed industrial systems are, budgets for OT cybersecurity are increasing. Boards are questioning executive teams with greater urgency about exposure to operational threats, and CISOs are beginning to extend their IT budget allocation to include industrial control systems as well.
I have seen evidence of this over the last couple of years. Sales cycles for ICS security technology have typically been much longer than those for traditional IT security technologies because buyers often had to request incremental budget for these purchases. We are now seeing shorter sales cycles as buyers proactively build these investments into their annual planning.
Thinking Bigger to Reduce Risk
Historically, industrial systems were left virtually unprotected, while layer after layer of security technology was applied to the IT environment. But forward-looking companies are beginning to think differently. Those that are looking at IT and OT security budgets holistically are recognizing that dollars invested in ICS security may have a greater impact on overall risk reduction than adding yet another tool to the traditional IT security arsenal.
C is for Collaboration of IT and OT
Integration of IT and OT budget planning for security is encouraging as I said, but where the rubber really meets the road is IT and OT security teams working collaboratively to reduce risk, detect threats, and respond to incidents holistically across the enterprise. This might sound obvious in concept, but it is quite difficult in practice.
The two disciplines view their domains in very different ways. IT professionals operate in a very dynamic environment where frequent upgrades and patches are the norm. Change is embraced for the benefit of “newer, faster, better.” OT, by contrast, is focused on stability, uptime, and maintaining productivity in an environment of legacy assets and archaic protocols. Taking assets offline can halt productivity and introduce the risk of upsetting the operational balance. In short, “if it’s not broken, don’t fix it.”
However difficult, more organizations are realizing the tremendous benefits of collaborating, or even combining, these teams from a security perspective.
From a risk management perspective, collaborative monitoring and analysis of IT and ICS networks provides better visibility of anomalies and IOCs, as well as faster response to incidents before they spread from one environment to the other (as very few OT networks are truly air-gapped). In terms of operational efficiency, collaboration provides opportunities to eliminate redundancy in both staffing and analytics tools.
While geopolitical pressures, spillover ransomware attacks and the like have changed the industrial threat landscape, I am encouraged by the action I’m seeing in the public and private sectors. Obviously, it isn’t “as easy as ABC”; solutions to big problems never are. But with broader awareness driving reprioritization of Budgets, and Budgets driving greater Collaboration to attack the problem of OT cyber risk, there is more action occurring in OT cybersecurity than ever before. Perhaps industrial and critical infrastructure organizations are emerging from the “lost decade.” Time will tell.