The convergence of IT and operational technology (OT) environments and an uncertain geopolitical landscape have heightened risks for critical infrastructure organizations worldwide.
Authorities globally are urging network defenders, especially in critical infrastructure, to prepare for a new wave of cyberattacks as threat actors seek to become more effective against a backdrop of geopolitical uncertainty.
The recent joint advisories coming from cybersecurity agencies in the West highlight the increasing threat of criminal cyber activity and the potential impact on critical infrastructure. With power grids, water treatment plants and financial institutions now facing a higher likelihood of attack, businesses and societies that rely on them are also at risk.
The types of attacks network defenders should be looking out for vary. In Q1 2022, Kroll observed a 54 percent increase in phishing attacks being used for initial access in comparison with Q4 2021. Spearphishing is catalogued as an initial access technique for ICS and OT systems in MITRE ATT&CK for ICS. Once initial access has been gained, email compromise and ransomware have continued to be the two most common incident types in Kroll's Quarterly Threat Landscape report, and ransomware in particular can cause systemic disruption in critical environments.
Given the number of vulnerabilities and volume of potential cyberattacks, having comprehensive threat monitoring technology and building a developed plan for resilience throughout a business and across supply chains is a must. Now really is the time to bolster defences.
Specific challenges of securing critical infrastructure
When defending critical infrastructure, one of the biggest challenges is being able to assess and manage the entire attack surface. Organizations need to identify the components of the network and where the weaknesses are, while adding a layer of monitoring for suspicious activity that could indicate a cybersecurity event requiring further investigation. This is a recurring challenge because of three compounding factors:
- A converging IT-OT environment: making connections across these environments and having overarching data analytics, while also being able to segment the network to limit an attacker's lateral movement, is difficult.
- A vast and heterogeneous asset inventory: organizations often do not have a clear view of the existing assets in their environment, let alone the ability to manage them securely by applying security updates.
- A lack of security monitoring: operational monitoring may be robust, but it is not designed to detect security events. Organizations often have little visibility of anomalous events which could indicate a security incident.
A pragmatic approach to OT security
To future-proof their defences, there are six key steps that can be taken on the journey towards improved OT security. Firms should:
- Identify the components, roles and responsibilities required to gain control over OT environments and gain a clear understanding of what is needed for defence.
- Manage risks and assess, classify and gain control over them in a fit-for-purpose OT management framework. Businesses should adhere to relevant regulations and utilise approaches such as “break glass” and third-party support.
- Secure their assets, networks and operations from cyber security threats with access control, patch management and secure configuration.
- Isolate parts of the network. Validate network isolation and proper controls, and segregate operations, data flows, data storage, control planes and remote access.
- Mitigate risk by implementing controls and measuring maturity and effectiveness according to risk management frameworks and compliance requirements.
- Future-proof the organization by "baking in" security throughout the change management process. This includes embedding security into OT architecture so it can scale to future requirements.
Quick wins in the face of new warnings
Reaping the rewards of a pragmatic approach will take time, but there are also areas businesses can focus on for quick wins.
Incident preparation, for instance, can be approached in three ways. Network segmentation will keep critical systems furthest from potential attacker access points. Compromise assessments can help a business be “eyes open” to where it’s most vulnerable. The deployment of sensors to monitor for suspicious activity coming from devices in the OT environment can give early warning and extend preparedness and response.
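The isolation step above (validating that data flows and remote access between segregated zones really are constrained) and the sensor-based monitoring described here both reduce to the same check: classify each observed connection by source and destination zone and alert on anything the segmentation policy does not permit. The following Python is an example added to this article, not Kroll's tooling or a product. The zone layout (loosely following Purdue levels), the allow-list of zone pairs and ports, and the flow records are all constructed for illustration.

```python
"""Segmentation validation and OT flow monitoring over constructed flow records.

Added example for this article. ZONES, ALLOWED_FLOWS and SAMPLE_FLOWS are
assumptions, not a real environment; adapt them to your own asset inventory.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed zone layout, roughly following the Purdue model.
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),       # IT
    "dmz":        ipaddress.ip_network("10.1.0.0/24"),       # brokered access, historian
    "control":    ipaddress.ip_network("10.2.0.0/24"),       # SCADA / HMI servers
    "field":      ipaddress.ip_network("192.168.10.0/24"),   # PLCs, RTUs
}

# Assumed policy: which (initiating zone, responding zone) pairs may talk, and
# on which destination ports. Any cross-zone flow not listed is an alert.
ALLOWED_FLOWS = {
    ("enterprise", "dmz"):   {443},          # IT reaches OT only through the DMZ
    ("dmz", "control"):      {3389, 443},    # remote access brokered via jump host
    ("control", "field"):    {502, 20000},   # Modbus/TCP and DNP3 from SCADA to devices
}


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known ranges is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line: str) -> Flow:
    """Parse the constructed sensor format: ts,src,dst,dport,proto."""
    ts, src, dst, dport, proto = line.strip().split(",")
    return Flow(ts, src, dst, int(dport), proto)


def check_flow(flow: Flow) -> Optional[str]:
    """Return an alert string if the flow violates the segmentation policy, else None."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return None  # intra-zone traffic is out of scope for this check
    if src_zone == "field":
        # Field devices should never initiate cross-zone connections; a PLC
        # reaching out to IT or the internet is an early-warning indicator.
        return f"OT device {flow.src} initiated connection to {dst_zone} {flow.dst}:{flow.dport}"
    allowed = ALLOWED_FLOWS.get((src_zone, dst_zone))
    if allowed is None:
        return f"segmentation bypass: {src_zone} {flow.src} -> {dst_zone} {flow.dst}:{flow.dport}"
    if flow.dport not in allowed:
        return f"unexpected port on {src_zone}->{dst_zone}: {flow.src} -> {flow.dst}:{flow.dport}"
    return None


def analyse(lines: List[str]) -> List[str]:
    """Run every non-comment record through check_flow and collect the alerts."""
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        verdict = check_flow(parse_flow(line))
        if verdict:
            alerts.append(verdict)
    return alerts


# Constructed sample records from a span-port sensor; the first three are
# policy-conformant, the last three should each raise a different alert.
SAMPLE_FLOWS = """\
# ts,src,dst,dport,proto
2022-05-01T08:00:01Z,10.0.5.23,10.1.0.10,443,tcp
2022-05-01T08:00:05Z,10.1.0.10,10.2.0.15,3389,tcp
2022-05-01T08:00:09Z,10.2.0.15,192.168.10.40,502,tcp
2022-05-01T08:01:12Z,10.0.5.23,192.168.10.40,502,tcp
2022-05-01T08:02:44Z,192.168.10.41,203.0.113.7,443,tcp
2022-05-01T08:03:02Z,10.1.0.10,10.2.0.15,445,tcp
"""

if __name__ == "__main__":
    for alert in analyse(SAMPLE_FLOWS.splitlines()):
        print("ALERT", alert)
```

Run against the sample, the check flags an enterprise workstation talking Modbus straight to a PLC (a segmentation bypass that a compromise assessment should catch), a PLC initiating an outbound HTTPS connection to an external address, and SMB between the DMZ jump host and a SCADA server. The same logic, fed from a passive sensor rather than a static file, is the early-warning layer the text refers to; the allow-list doubles as a written statement of the intended segmentation that can be reviewed against the firewall rules.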
If an incident does occur, a response playbook should help the business navigate the likely challenges and bring in the appropriate stakeholders and experts. Importantly, the OT incident response plan and its technical playbooks should be kept distinct from the broader IT playbook. This avoids conflicting priorities, where the haste to get back to "business as normal" can undermine the security steps that need to take place. In practice, the cyber security aspects of OT incident response plans are often neglected.
Preparing for an uncertain future
Cyber risk has never been completely independent of world politics and international affairs, but recently there has been a significant shift in alignment. The domain of physical conflict has closer ties to the digital sphere than ever before, and now the uncertainty surrounding geopolitical developments is bringing critical infrastructures into the focus of cyber criminals. This will continue to present a pressing challenge for OT systems and organizations who will need to be on alert to mitigate immediate dangers, while expanding their defences to bolster the security of their OT infrastructure and environment for the longer term.