Operational Technology (OT) security has been thrown into the spotlight in the wake of several recent high-profile supply chain attacks targeting critical infrastructure. Security incidents such as the Colonial Pipeline attack have re-established the critical significance of Operational Technology Security, especially for the global power and energy sector.
According to the Hiscox cyber readiness report, the global power and energy sector experienced a 595% increase in cyber attacks last year, with 67% of applications in the utility sector experiencing at least one severe breach throughout the year. With this massive influx in sophisticated threats targeting these critical industries, it is time for business leaders to re-think their OT security strategy.
Although the Colonial Pipeline attack took place more than a year ago, the broader implications of the incident are still very concerning for businesses and world leaders. A key aspect of the attack was that its impact was felt on a truly physical level, not just at the digital level. The attack left 60% of all gas stations in the Southeastern U.S. without any fuel, causing a massive gas price hike and affecting the U.S. government's ability to export fuel.
With energy sectors worldwide currently facing significant supply shortages and high prices due to global political conflicts, another attack like Colonial Pipeline could have crippling consequences. This concern is noticeable in the energy and power industry; leaders are calling for more proactive strategies to safeguard OT systems from potential cyberattacks. In fact, Trustwave has seen a doubling in demand for OT security services since the Colonial Pipeline attack.
To combat these security issues, we believe there needs to be an urgent shift in mindset. Organizations must understand why enhancing their OT security is critical and the crippling consequences they might face if the security of such systems is not prioritized. Consequently, organizations must also increase their investments in OT security and start moving away from legacy defenses designed for a pre-digital environment. OT systems today are constantly being integrated with IT systems and digital applications, leading to increased risk exposure. But despite the threat, in most cases, OT security investments are a relatively small fraction of overall cybersecurity spending.
OT systems were generally developed to run in a separate and siloed environment, away from the digital space. As a result, most systems were naturally 'air-gapped' from IT networks and the Internet. However, in a bid to introduce remote capabilities, drive efficiency and decrease cost, organizations have connected these systems to their IT networks, so 'air gapping' is no longer an effective defense. Moreover, the introduction of the Industrial Internet of Things (IIoT) has accelerated the process even more. What's more, crucial control systems such as Industrial Control Systems (ICS), Distributed Control Systems (DCS), and Supervisory Control and Data Acquisition (SCADA) are now highly connected to traditional IT networks to facilitate automation and remote access.
Modern power grid systems are becoming more interconnected with integrations across microgrids, other national infrastructures, and smart home utilities. The consequence of this increased dependency on interconnectivity and IIoT devices is that OT systems are becoming more exposed to critical vulnerabilities. Remote access devices or applications are often less secure, with remote connections commonly being made through unsecured public or private networks.
A lack of visibility across the entire environment means vulnerabilities can arrive from potentially thousands of access points. For instance, the Colonial Pipeline attack originated from a compromised VPN password. As OT security strategies do not typically include IT applications, vulnerabilities arriving from such elements can slip through undetected.
Another concern is that the employees managing remote connectivity aren't always trained in cybersecurity. Rather than considering the critical security aspects, these people focus more on operations running smoothly.
For example, OT admins might disregard the significance of multi-factor authentication and use one single default username or password. While this poses a minimal risk in an air-gapped environment, once these systems are connected to the wider IT network, attackers can discover and exploit them as an easy entry point.
Defending OT systems requires a combined approach to security encompassing hardware and software to monitor and detect changes in any physical devices, processes, and events within the networks. As such, effective OT security emphasizes the continuous monitoring and assessment of critical systems across the entire infrastructure, thus increasing an organization's detection and response capabilities for advanced threats like ransomware.
OT security is important because it emphasizes the security of physical elements within industrial environments. In power plants, fuel pipelines or other critical infrastructure facilities, cyber risk is not only about having data stolen, but rather the potential capability of threat actors taking over the physical controls of operations and distribution systems. Any potential breach in the network can allow threat actors to access and modify the functions of physical equipment, leading to unprecedented disruptions of critical services and even posing a direct threat to human life. An effective OT security strategy provides complete visibility over the organization's digital and physical infrastructure. Ideally, however, capabilities should go beyond visibility and implement the ability to terminate remote access to physical controls, so that threat actors cannot impact physical processes and operations if a breach occurs.
However, many OT systems remain secured with legacy methods that don't account for modern connectivity and lack resilience in the context of wider IT environments.
Security teams can address the gaps in conventional OT security with a more careful approach to IT-OT convergence that keeps security in mind. Integration between IT and OT must be coupled with process management solutions that ensure accurate information is delivered to people, machines, sensors, switches, and all devices across the organization in real time.
The priority is to map out how the IT and OT environments intersect and understand where threat actors might be able to exploit these connections. This access runs both ways, from using IT network access to disrupt critical OT infrastructure to exploiting vulnerable control systems as an attack path to the wider network. Next, organizations should start implementing effective security controls, beginning with the most critical and vulnerable systems.
Solutions like Identity and Access Management (IAM) and Managed Detection and Response (MDR) should be implemented with a broadened scope that can bring together OT and IT networks. In addition, this visibility needs to account for any connectivity between both environments that is facilitating remote access and IIoT.
Furthermore, combining OT and IT networks at an operational level is not enough. Organizations must also aim to build stronger cyber resilience through large-scale and continual collaboration across wider stakeholders and partners. This means forming partnerships with businesses and security teams across the entire ecosystem to provide real-time insight into potential threats and identified vulnerabilities.
To avoid OT security becoming an afterthought, organizations should consider assigning OT security responsibility to a specific individual who reports to the CISO. IT and OT cyber resilience should be regarded as a single interconnected issue.
Incidents such as the Colonial Pipeline attack are an important lesson for leaders, highlighting that focusing on cybersecurity at an organizational level is not enough, specifically for critical infrastructure industries like the energy and power sectors. Security leaders must extend their security strategy to provide an overview of the entire IIoT environment if they are to have a chance at spotting attacks exploiting or targeting their OT systems. Until this capability is widespread in the energy sector, massively disruptive attacks will continue to be a critical threat to the industry.