Five keys to overcoming critical infrastructures’ sprawling complexity. By Terry Olaes
Following years of neglect – including multiple warnings of a ‘national cyber emergency’ from the National Cyber Security Centre (NCSC) – the world is finally beginning to take infrastructure-focused cyber security threats seriously.
Last November, the government’s annual National Cyber Security Strategy progress report was updated to reflect that critical infrastructure security is finally being prioritized in hopes of avoiding an imminent, devastating ‘category one’ cyber-attack.
Essential services that make up the country’s critical infrastructure – energy, water, and manufacturing – depend on often outdated and under-protected OT infrastructure for everyday operations. Consequently, threat actors and nation-states now target vulnerabilities in these industries, seeking ransom or shutting them down altogether.
Given the US experience with the February 2021 attack on the water treatment plant in Oldsmar, Florida, it’s evident that cyber threats are very real and potentially life-threatening. OT attacks increased by 30 percent in 2020, and OT environments continue to be a prime target for cybercriminals. The recent Colonial Pipeline attack, which resulted in a five-day shutdown of one of the largest U.S. fuel pipelines and the payment of $4.4 million to the DarkSide ransomware gang, illustrates the importance of strengthening cybersecurity defenses for critical infrastructure.
Critical infrastructure operations often leverage internet and external connectivity to control and monitor OT devices. However, hybrid IT/OT environments and client devices rarely employ robust security measures or follow the rigorous standards enforced in the IT environment. This increases risk and enables threats to easily move between the IT and OT networks, undermining a strong security posture.
Industrial IoT (IIoT) technologies further complicate security. They have introduced a range of new and diverse technologies, such as robotics and sensor-based automation, each bringing its own security challenges. For instance, devices with hardcoded weak or generic passwords are commonplace.
Adding to these problems, legacy technology risks and an ‘it won’t happen to me’ attitude still plague the industry. Some OT components are decades old, and many organizations have only recently begun centralizing and managing their firewalls in earnest. Organizations that continue to downplay the importance of segmentation, patching, and mitigation measures will leave OT networks as sitting ducks for threat actors.
Protecting critical infrastructure means tearing up the old security playbook: switching from legacy ‘detection and response’ models to a proactive strategy that reduces risk before an attack rather than reacting afterwards. To overcome OT security’s most enduring challenges, security leaders can:
- Develop a comprehensive network model that sees across complex hybrid environments.
- Use this model to identify patch alternatives, mitigating risks for legacy equipment that is no longer patchable.
- Utilize path analysis to understand all connectivity and validate network segmentation, including how risks can impact systems.
- Discover vulnerabilities in unscannable OT devices by using purpose-built passive sensors.
- Prioritize remediation by incorporating threat intelligence and asset exposure analysis.
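The five steps above describe one workflow: model the network, analyse paths to validate segmentation, and rank remediation by exposure and threat intelligence. The Python below is an added illustration of that workflow and is not code from the article or from Skybox Security. The zones, firewall rules, assets, CVSS scores and `CVE-0000-000x` identifiers are all constructed placeholders; the exposure and threat-intelligence multipliers are assumed weights, not a published scoring formula.

```python
"""Added example: a toy network model with path analysis, segmentation
validation and exposure-aware remediation priority. All data is constructed."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Vuln:
    cve: str          # placeholder identifier, not a real advisory
    cvss: float       # constructed base severity
    exploited: bool   # threat-intel flag: known to be exploited in the wild


@dataclass
class Asset:
    name: str
    zone: str
    patchable: bool   # False for legacy gear that cannot be patched
    vulns: list = field(default_factory=list)


# Network model: zones plus the firewall rules that permit traffic between them.
# A rule is (src_zone, dst_zone); anything not listed is denied. Constructed.
RULES = {
    ("internet", "dmz"),
    ("dmz", "corp_it"),
    ("corp_it", "ot_supervisory"),     # IT-to-OT rule that should be reviewed
    ("ot_supervisory", "ot_control"),
}

# Constructed asset inventory; ot_safety has no inbound rule at all.
ASSETS = [
    Asset("web-portal", "dmz", True, [Vuln("CVE-0000-0001", 9.8, True)]),
    Asset("file-server", "corp_it", True, [Vuln("CVE-0000-0002", 7.5, False)]),
    Asset("historian", "ot_supervisory", True, [Vuln("CVE-0000-0003", 8.0, True)]),
    Asset("plc-1", "ot_control", False, [Vuln("CVE-0000-0004", 7.2, False)]),
    Asset("safety-plc", "ot_safety", False, [Vuln("CVE-0000-0005", 9.2, True)]),
]

# Zone pairs that the segmentation policy says must have no path (constructed).
FORBIDDEN = [("corp_it", "ot_control"), ("internet", "ot_safety")]


def build_graph(rules):
    """Turn (src, dst) rules into an adjacency map of zones."""
    graph = {}
    for src, dst in rules:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph


def find_path(graph, start, goal):
    """BFS over permitted rules; returns the zone path or None if unreachable."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone == goal:
            path = []
            while zone is not None:
                path.append(zone)
                zone = parents[zone]
            return path[::-1]
        for nxt in graph.get(zone, ()):
            if nxt not in parents:
                parents[nxt] = zone
                queue.append(nxt)
    return None


def reachable_zones(graph, start):
    """All zones with some permitted path from start (start included)."""
    return {z for z in graph if find_path(graph, start, z) is not None}


def segmentation_violations(graph, forbidden):
    """Map each forbidden (src, dst) pair that is actually reachable to its path."""
    found = {}
    for src, dst in forbidden:
        path = find_path(graph, src, dst)
        if path:
            found[(src, dst)] = path
    return found


def prioritize(assets, graph):
    """Rank vulns: base CVSS, weighted up for internet exposure and active
    exploitation (assumed 1.5x each). Unpatchable assets get a mitigation."""
    exposed = reachable_zones(graph, "internet")
    rows = []
    for asset in assets:
        for v in asset.vulns:
            score = v.cvss
            if asset.zone in exposed:
                score *= 1.5          # reachable from the internet
            if v.exploited:
                score *= 1.5          # threat intel: exploited in the wild
            action = "patch" if asset.patchable else "mitigate: segment/block"
            rows.append((round(score, 2), asset.name, v.cve, action))
    return sorted(rows, reverse=True)


if __name__ == "__main__":
    g = build_graph(RULES)
    for pair, path in segmentation_violations(g, FORBIDDEN).items():
        print("segmentation violation", pair, "via", " -> ".join(path))
    for row in prioritize(ASSETS, g):
        print(row)
```

Run as a script it flags the corp_it to ot_control path that the policy forbids and prints the ranked remediation list, with the unpatchable PLCs assigned a segmentation or blocking mitigation instead of a patch. In a real deployment the rules would come from firewall and router configuration exports and the exploited flag from a threat-intelligence feed; the ranking logic stays the same.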
These five steps will give CISOs and risk managers the complete network and security posture awareness required to keep ahead of threat actors. Full visibility is vital to understanding the OT environment and its connections, designing security architectures, identifying attack vectors, and locating blind spots. Without such a holistic understanding, unknown and unchecked security issues will continue to increase, including access policy violations, misconfigurations, inadequate security controls, unpatched vulnerabilities, and unauthorized or unplanned modifications.
Security leaders in OT-dependent industries must abandon the ‘just won’t happen to us’ mindset and step up their security posture management. Recent headlines have demonstrated just how devastating cyberattacks can be. Urgently taking a proactive approach to protecting hybrid, multi-cloud, and IT/OT networks collectively will yield vital, predictive context before disaster strikes – stopping Oldsmar-like attacks from threatening the public and private sectors in the future.
Terry Olaes is technical director at Skybox Security. Over 500 of the largest and most security-conscious enterprises in the world rely on Skybox for the insights and assurance required to stay ahead of dynamically changing attack surfaces. Skybox Security provides the intelligence and context to make informed decisions, taking the guesswork out of securely enabling enterprises at scale and speed.