Thinking holistically

RE-THINKING OT SECURITY STRATEGY AMIDST THE INCREASED DIGITAL RISKS TO CRITICAL INFRASTRUCTURE. BY DARREN VAN BOOVEN


Operational Technology (OT) security wasn’t always a compelling focal point in cybersecurity discussions, but a recent succession of high-impact supply chain attacks has changed this perception. Major security incidents like the Colonial Pipeline attack have served as a wake-up call and re-established the dire need for resilient OT security.

Sitting at the heart of most industrial operations, OT systems are both a critical target for attackers and a serious point of vulnerability. This has become more pressing as threat actors increasingly target critical infrastructure organizations as a means of causing large-scale disruptions and reaping high rewards. According to the latest S&P Global Platts report, there were 31 verified cyber-attacks targeting global oil assets in 2021 – more than the previous three years combined. Also, Hiscox reported a 595 percent increase in cyber-attacks targeting the global power and energy sector in 2021.

This unprecedented influx is a major concern for sectors such as energy and oil and gas, where any downtime or disruption has crippling economic and social consequences. Consequently, OT security needs to be a primary concern, and organizations must urgently re-evaluate their security strategy.

Learning from the Colonial Pipeline attack
It’s been over a year since the Colonial Pipeline attack, the impact of which was felt on a truly physical level. The attack disrupted the supply of 2.5 million barrels per day of gasoline, diesel, and jet fuel, with 60 percent of gas stations in southeastern US states left without any fuel for nearly five days. The situation created not just transportation issues: it also caused gas prices to soar and affected the government’s ability to export fuel, with a knock-on effect on the entire US GDP.

The global energy sector can’t afford another incident like the Colonial Pipeline attack, especially at a time when oil and gas supplies are suffering from record shortages and price hikes due to geopolitical conflicts.

Consequently, business leaders are calling for more proactive security strategies to safeguard OT systems. In the World Economic Forum’s latest annual meeting, 18 major oil and gas companies took a cyber resilience pledge to strengthen their OT infrastructure. Furthermore, Trustwave has seen a 2x demand for OT security services since the Colonial Pipeline attack.

What does this mean in reality? Ultimately there needs to be a greater level of understanding of, and investment in, securing the OT environment so that, for those systems that cannot be moved to a digital-only model, we are not leaving the doors open to hackers seeking to cause havoc.

The critical gaps in legacy OT Security
As organizations are getting to grips with the significance of OT security, there needs to be an urgency in moving away from legacy security systems that were designed for a pre-digital environment. Traditionally, OT systems were isolated from the internet but today most organizations have introduced remote capabilities for efficient control and lower operations costs. Critical control systems such as Distributed Control Systems (DCS), Industrial Control Systems (ICS), and Supervisory Control and Data Acquisition (SCADA) are now connected to IT networks and cloud applications for remote accessibility and automation.

As these legacy systems are integrated with IT systems, there is often no proactive defense or security policy protecting the network gateways. Combine this with an overarching lack of visibility, and threat actors can exploit vulnerabilities in network endpoints or abuse access privileges through leaked credentials to gain remote access to critical OT systems. In fact, the root cause of the Colonial Pipeline attack was an employee’s compromised VPN password.

Given how such attacks can disrupt physical infrastructure and even threaten human life, they pose a more tangible threat than the average data breach. The introduction of the Industrial Internet of Things (IIoT) has further expanded this threat landscape: OT systems are increasingly interconnected for better data sharing and accessibility, but this also widens the potential attack surface for threat actors.

How to reshape OT security in the age of IT-OT convergence
Organizations must take a proactive approach to IT-OT convergence. Firstly, when IT and OT systems are being integrated, security teams must ensure accurate information is distributed across the entire ecosystem. Security teams should be able to monitor and detect any changes in any physical devices, processes and events within the network. Organizations should also map out how and through which applications the IT, IIoT and OT environments intersect and identify the potential areas that could be exploited, for example, which systems provide remote access, and who can access them.

Once a conceptual visualization has been achieved, organizations must implement effective security controls. Identity and Access Management (IAM) should be implemented to validate and authenticate the true identity of each user. The access privileges of each user have to be specifically defined by the security policy in place. Furthermore, implementing Managed Detection and Response (MDR) solutions can detect threats in real-time before they breach the network.

Just as importantly, organizations should be able to terminate any access immediately should a breach occur. Organizations can also implement proactive strategies such as Zero Trust to authenticate users at each network layer. This can help to contain the risk or minimize an attack path should a breach take place.
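The mapping and access-control steps above (map where IT, IIoT and OT intersect, record which systems provide remote access and who can use them, and be able to revoke access in one step) can be driven from a simple asset inventory. This is an added example, not code from the article or from Trustwave; every asset name, zone, link and grant below is constructed.

```python
from collections import defaultdict

# Each asset is tagged with the environment it belongs to (constructed data).
ZONES = {"vpn-gw": "IT", "historian": "IIoT", "eng-ws": "OT",
         "plc-01": "OT", "hmi-02": "OT"}
# Directed reachability between assets, as allowed by firewall rules (constructed).
LINKS = [("vpn-gw", "historian"), ("vpn-gw", "eng-ws"),
         ("historian", "plc-01"), ("eng-ws", "plc-01"), ("eng-ws", "hmi-02")]
# IAM grants: which accounts may log in to which assets (constructed).
GRANTS = {"alice": {"vpn-gw", "eng-ws"}, "bob": {"vpn-gw"},
          "contractor-x": {"historian"}}
# Assets that accept connections from outside the plant network (constructed).
REMOTE_ENTRY = {"vpn-gw"}


def reachable(start, links):
    """All assets reachable from `start` by following directed links."""
    adj = defaultdict(set)
    for src, dst in links:
        adj[src].add(dst)
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(adj[node])
    return seen


def ot_exposure(zones, links, grants, entry):
    """For each OT asset: which remote-entry systems reach it, and who can log in to them."""
    report = {}
    for asset, zone in zones.items():
        if zone != "OT":
            continue
        gateways = sorted(g for g in entry if asset in reachable(g, links))
        users = sorted(u for u, a in grants.items() if a & set(gateways))
        report[asset] = {"via": gateways, "users": users}
    return report


def revoke_access(grants, user):
    """Terminate every grant held by `user` at once; returns the updated grant table."""
    return {u: a for u, a in grants.items() if u != user}


if __name__ == "__main__":
    for asset, info in ot_exposure(ZONES, LINKS, GRANTS, REMOTE_ENTRY).items():
        print(f"{asset}: reachable via {info['via']} by {info['users']}")
```

The report shows that an account with nothing but a VPN login (bob) already sits on a path to every OT asset, which is exactly the kind of exposure the inventory is meant to surface before a credential leaks.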

Lastly, IT and OT convergence should go beyond an operational level. Organizations should seek wider collaboration with stakeholders, partners and advisors to provide real-time insights into the potential threats and vulnerabilities of the industry.

As cyber-attacks on critical infrastructure continue to soar, it is imperative that OT security is no longer an afterthought for business leaders. When thinking about cyber risk, it is not enough to be worried about having data stolen. Instead, organizations need to be asking whether their network and infrastructure are robust enough to keep threat actors from taking physical control of critical operations and distribution systems. Any disruptions are not just damaging for a business, they can be disastrous for the entire economy and society. That’s why organizations must consider IT and OT cyber resilience as a single strategic concern and approach it holistically.

For a list of the sources used in this article, please contact the editor.

DARREN VAN BOOVEN
Darren Van Booven is Cyber Advisory Practice Lead at Trustwave and former CISO of the House of Representatives. As a recognized global cyber defender that stops cyber threats all day, every day – Trustwave enables its clients to conduct their business securely. Trustwave detects threats that others can’t see, enabling it to respond quickly and protect clients from the devastating impact of cyberattacks. It leverages a world-class team of security consultants, threat hunters and researchers, and its market-leading security operations platforms, to relentlessly identify and isolate threats with the right telemetry at the right time for the right response. Trustwave is a leader in managed detection and response (MDR), managed security services (MSS), consulting and professional services, database security and email security. Its elite Trustwave SpiderLabs team provides award-winning threat research and intelligence, which is infused into Trustwave services and products to fortify cyber resilience in the age of advanced threats.
For further information please visit: www.trustwave.com/en-us