Dick Bussiere outlines three steps organisations can take to converge people, processes and technology to mitigate growing cyber threats.
Critical infrastructure companies have been a bullseye for bad actors in 2021, and the vulnerability of these systems has been under heightened scrutiny on the heels of large-scale cyberattacks targeting water facilities, gas pipelines and meat processing plants. However, when it comes to mitigating threats, one of the current barriers lies in the concept of risk being perceived differently between the information technology (IT) and operational technology (OT) worlds.
In IT, data is what must be protected at all costs. The primary objective of IT security is to ensure the confidentiality, integrity and availability of data are preserved. The world of IT is concerned with addressing these risks by ensuring that information is only available to those who need it, that it’s not maliciously modified, and that it is available as required.
For OT, the most critical aspect is to protect the operations of the business, for example, the flow of fluid through a pipeline, the welding of automobile bodies, or the production of electricity. The primary focus of OT is the safety of life, limb and property, the availability of the process, and the quality of the output of the process. Data flowing through an OT network is key to accomplishing these operations, and if data is disrupted, altered or maliciously injected into the infrastructure, it can negatively impact the primary focus.
Collaboration is key to bringing the IT and OT worlds closer
The risks across these two worlds are growing as IT increasingly intersects with OT, and the only option for mitigating this is for both to work together. Traditionally, OT networks were ‘air-gapped’, meaning they were isolated from external connectivity. This is no longer the case as we begin to see an influx of smart buildings, smart cities and, most significantly, ‘Industry 4.0’ being rolled out widely.
IT is frequently held accountable for the security of the OT environment, yet the IT team may have little understanding of how OT works. They may also have little control of the OT environment, which is typically under the purview of plant managers and plant operations. Concurrently, many security practices (or lack thereof) within the OT world are things that would be unheard of in the IT world. This lack of mutual understanding causes OT security projects to be deployed very slowly.
The most significant thing that would help IT and OT teams work together effectively is education and mutual understanding. IT personnel must understand some fundamentals of operational technology and, similarly, OT personnel need to learn IT security essentials. These enablement exercises, in conjunction with cohesive and comprehensive business-driven security policies, will go a long way towards facilitating the necessary level of protection for business-critical production-oriented assets.
Securing all ends of the network
There are three steps organisations can take to converge people, processes and technology to ensure all ends of the network are covered. First is the realisation by senior management that an interruption of OT operations could have a serious business impact in many dimensions, including financial cost and loss, supply chain disruption, reputation damage, or interruption to critical infrastructure.
These potential impacts, and many more, must be understood by the highest levels of an organisation, and the appetite for these risks analysed. Budget should be allocated to risk mitigation, in proportion to the level of risk deemed acceptable by the business.
Second, a security framework must be selected to embody the risk mitigation. In some cases, it’s up to the business to decide what framework should be used, while in others, government or industry regulation will force a particular framework on the organisation.
The third, and perhaps most important, step is education, which is what ensuring organisational-level infrastructure security comes back to. Educating OT personnel about IT security, IT personnel about OT security, and ensuring that each group understands security from the perspective of the other is paramount. Education of all stakeholders as to their roles and responsibilities, and proactive enforcement of security policies in both IT and OT, are also key.
There’s no denying that while OT attacks may have once been viewed as complex, vulnerable internet-facing OT endpoints are now offering a wider attack surface, making entry far easier. Ultimately, it’s only through this education and collaboration that risks across the whole network will be adequately identified and addressed.
Dick Bussiere is technical director for APAC at Tenable.