In my previous column, I talked about the rapidly changing geopolitical landscape and the escalation of cyberattacks on critical infrastructure. Some of you may be wondering: “Why should I care? Russia and other nation-states aren’t focused on me and my networks.”
If you’re a CISO at an insurance company or a medical facility or any organization where these networks aren’t critical components to your business, then you’re probably right. They probably aren’t targeting your organization specifically. But I’m sure you’re familiar with the concept of collateral damage.
The attacks on Ukraine over the last five years are a test case for how a country’s infrastructure can be disrupted and paralyzed, and how companies’ OT networks can be severely impacted. While OT networks were not the primary target, the accidental spill-over of NotPetya from IT to OT networks alone was a wake-up call. Operations came to a standstill at many companies – a powerful indicator of what the outcome could be if those attacks specifically targeted industrial networks, and a clear reason why securing OT environments should be a priority. And since the Western world didn’t have an adequate response to those attacks on Ukraine, we can expect that a more emboldened Russia will reach further, as cyber respects no geographical boundaries.
Every company in the world relies on industrial networks. For nearly half of the Fortune 2000 – in industries including oil and gas, energy, utilities, manufacturing, pharmaceuticals, and food and beverage – these networks are critical components of their business. The rest rely on OT networks to run their office infrastructure: lights, elevators, and datacenter systems.
Adversaries understand the importance of these networks and how to manipulate them in ways that would not be immediately observable but could erode public trust. For example, disrupting production at the top pharmaceutical companies to create shortages of medications, or tampering with the industrial machines responsible for logistics at our largest transportation hubs to bring commerce to a standstill. From a technical feasibility perspective, we all know it’s doable. We also know these types of attacks are extremely difficult to detect and attribute, since we lack visibility into industrial networks.
Despite their ubiquity, OT networks are often a black box for security teams; they simply don’t have the telemetry to see and monitor these environments. Having been in place for decades, these networks typically lack even basic security defenses. Furthermore, the teams that run these networks prioritize availability over confidentiality. The disruption and downtime required to implement a new security control, a patch or a system upgrade are a non-starter for them. Not to mention that making changes to these multimillion-dollar systems usually voids warranties.
If OT networks could remain completely disconnected from IT systems, this wouldn’t be a problem. But that is no longer the case. Companies have unlocked tremendous business value by connecting these aging networks to IT systems for automation and inputs, and IT-OT convergence has taken off. While the improvements in operational efficiency, performance and quality of service have been a boon to business, IT-OT convergence can also be detrimental. Since the OT network is a blind spot, adversaries can use it as a pathway into IT environments, and vice versa. Adversaries can enter through the IT side and remain undetected within the OT environment for months or even years, looking for subtle ways to undermine operations and create havoc.
Digital convergence is here to stay and is good for business. It is also creating greater urgency to address the IT-OT security gap. Chances are you’ve worked hard and made strategic investments to build a strong cybersecurity foundation on the IT side to support your company’s digital initiatives. Now you have an opportunity to do the same on the OT side. Consider your next budgeted security dollar within the context of overall risk reduction. Where do you think you’ll get more incremental value: purchasing yet another Endpoint Detection and Response (EDR) solution or bringing visibility and monitoring to your OT network?
So yes, Russia probably doesn’t care about your OT network per se. But you might happen to work in an interesting industry that could be a pawn in a larger geopolitical disruption campaign, or you could be collateral damage when powerful cyber weapons are released. While adversaries’ actions may not be blatant, they could have dire consequences, eroding the trust of the public across aspects of our lives we take for granted.
It’s early days for this form of economic warfare. Fortunately, you have an opportunity to learn from these test cases and take a proactive stance to secure your OT environment.