While ransomware and other threats to IT networks are much in the news these days, when it comes to critical infrastructure such as electricity and water plants we should not forget about operational technology (OT): the industrial control systems (ICS) used to manage the generators, pumps, valves and other equipment that run factories, power and water utilities, trains, oil refineries, ports, chemical plants and other industrial assets.
Historically, OT remained separated, or “air-gapped,” from the internal IT networks that connect to the internet; this is now changing dramatically. As organizations seek to leverage AI and big data analytics to drive efficiencies in their operations through “smart networks,” IT and OT networks are converging. In short, these industrial control systems are now reachable from the internet, directly or through the corporate IT network, and that exposes them to attack. Many of them were designed decades ago on the assumption of an isolated network: their protocols typically carry no authentication or encryption, and their controllers may run for years without a firmware update. It is not surprising that such systems draw attackers’ attention once they are connected. Add the exponential growth of the internet of things (IoT), and it’s clear the attack surface faced by critical infrastructure operators has grown substantially.
While it’s tempting to bury our heads in the sand and hope for the best, that would be a huge mistake. If you’ve ever felt helpless and frustrated when you lose power for only a few hours, imagine the effects on society if the lights were out for months. Luckily, there are steps we can take to combat the threat to our critical infrastructure. For starters, critical infrastructure operators need to look at their IT and OT networks holistically and create a comprehensive map of all assets, hardware and software, connected to the internet or reachable from it, including their industrial control systems. Once security teams have mapped their enterprise’s assets, they can take steps to mitigate risks, particularly if they adopt a “zero-trust” strategy: treat no device or user as trusted by default, look at every device in the network, and quantify both the likelihood of it being breached and the harm a successful attack would cause. Reducing the threat will, at a minimum, require cutting back many employees’ privileges, such as administrative rights or access to data, to what their roles actually need. It may even mean completely disconnecting some industrial control systems from the IT network.
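The asset map described above has to come from somewhere, and on OT networks the safe source is captured traffic rather than active scanning. As an added example (not the article’s code, nor any vendor’s product), the following Python builds a passive Modbus/TCP inventory: it reads the vendor, product and firmware revision that a controller reports in a Read Device Identification (function 43, MEI type 14) response, records which hosts send write commands to which controller, and then checks those writers against an approved list, which is the zero-trust question in miniature. The frames, IP addresses, host roles and the approved-host list are constructed for the example.

```python
"""Passive Modbus/TCP asset inventory from captured frames (added example).

Observes traffic only; it never sends a packet to a controller.
"""
from dataclasses import dataclass, field
import struct

# MBAP header: transaction id, protocol id (0 = Modbus), length, unit id
MBAP = struct.Struct(">HHHB")

# Function codes that change controller state; who sends these matters most.
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}

# Basic-category objects in a Read Device Identification (43/14) response.
DEVICE_ID_OBJECTS = {0x00: "vendor", 0x01: "product", 0x02: "revision"}


@dataclass
class Asset:
    vendor: str = "?"
    product: str = "?"
    revision: str = "?"
    writers: set = field(default_factory=set)   # hosts seen writing to it


def parse_mbap(frame: bytes):
    """Split a Modbus/TCP frame into (unit id, PDU); reject malformed frames."""
    if len(frame) < MBAP.size:
        raise ValueError("frame shorter than MBAP header")
    _tid, proto, length, unit = MBAP.unpack_from(frame, 0)
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    pdu = frame[MBAP.size:MBAP.size + length - 1]   # length includes the unit id
    if len(pdu) != length - 1:
        raise ValueError("truncated PDU")
    return unit, pdu


def parse_device_id_response(pdu: bytes):
    """Return {object id: text} from a 43/14 response, or None for any other PDU."""
    # Layout: fc 0x2B, MEI 0x0E, read code, conformity, more-follows,
    # next object id, object count, then (id, length, value) triples.
    if len(pdu) < 7 or pdu[0] != 0x2B or pdu[1] != 0x0E:
        return None                      # also rejects exception responses (0xAB)
    objects, offset = {}, 7
    for _ in range(pdu[6]):
        if offset + 2 > len(pdu):
            break                        # object table cut short; keep what we have
        obj_id, obj_len = pdu[offset], pdu[offset + 1]
        objects[obj_id] = pdu[offset + 2:offset + 2 + obj_len].decode("ascii", "replace")
        offset += 2 + obj_len
    return objects


def build_inventory(frames):
    """frames: iterable of (src ip, dst ip, payload, is_response).

    The controller is the destination of a request and the source of a response;
    the unit id matters because several devices can sit behind one gateway IP.
    """
    inventory = {}
    for src, dst, payload, is_response in frames:
        try:
            unit, pdu = parse_mbap(payload)
        except ValueError:
            continue                     # not a parseable Modbus frame; skip it
        asset = inventory.setdefault((src if is_response else dst, unit), Asset())
        if is_response:
            objects = parse_device_id_response(pdu)
            for obj_id, attr in DEVICE_ID_OBJECTS.items():
                if objects and obj_id in objects:
                    setattr(asset, attr, objects[obj_id])
        elif pdu and pdu[0] in WRITE_FUNCTIONS:
            asset.writers.add(src)
    return inventory


def unapproved_writers(inventory, approved_hosts):
    """Zero-trust check: every host that writes to a controller must be approved."""
    return {(host, device) for device, asset in inventory.items()
            for host in asset.writers if host not in approved_hosts}


# --- constructed sample traffic (not a real capture) -------------------------
def modbus_tcp(tid, unit, pdu):
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def device_id_pdu(objects):
    body = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, len(objects)])
    for obj_id, text in objects.items():
        body += bytes([obj_id, len(text)]) + text.encode("ascii")
    return body


SAMPLE_FRAMES = [
    # hypothetical engineering workstation asks PLC (unit 1) for its identification
    ("10.1.1.50", "10.2.0.10", modbus_tcp(1, 1, bytes([0x2B, 0x0E, 0x01, 0x00])), False),
    ("10.2.0.10", "10.1.1.50", modbus_tcp(1, 1, device_id_pdu(
        {0x00: "ExampleVendor", 0x01: "PLC-100", 0x02: "1.2"})), True),
    # a host on the IT subnet writes a holding register on the same PLC
    ("10.1.1.77", "10.2.0.10", modbus_tcp(2, 1, bytes([0x06, 0x00, 0x01, 0x00, 0x00])), False),
    # a read-only poll of a second controller that never identified itself
    ("10.1.1.50", "10.2.0.11", modbus_tcp(3, 2, bytes([0x03, 0x00, 0x00, 0x00, 0x0A])), False),
]

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FRAMES)
    for (ip, unit), a in sorted(inv.items()):
        print(ip, unit, a.vendor, a.product, a.revision, sorted(a.writers))
    print("unapproved writers:", unapproved_writers(inv, {"10.1.1.50"}))
```

Two points are worth noting. First, the second controller appears in the inventory with unknown vendor and firmware, which is the normal case: many devices are only ever polled and never asked to identify themselves, so a passive inventory still needs to be reconciled with plant records. Second, the script never probes a device; a routine port scan or an unsolicited identification request can hang an old controller, which is why OT discovery is done from a network tap or SPAN port rather than from a scanner.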
Critical infrastructure operators should also act quickly to implement cyber solutions tailored to their ICS-OT environment. Before purchasing an ICS-OT security solution, an organization should first make a complete inventory of all the industrial control systems it uses, then confirm that the solution supports every model, protocol and firmware version found in its enterprise; a monitoring product that cannot decode a protocol in use is blind to that traffic. Luckily, the top ICS-OT vendors take a protocol-centric rather than a vertical-centric approach in designing their solutions, so security teams can make these comparisons across product lines.
Although implementing these steps will reduce risk, cybersecurity should never be viewed as something to “set and forget.” In a rapidly changing cyber environment, new threats can quickly emerge. For this reason, critical infrastructure security teams should continuously seek to identify new risks. Penetration testing, in which outside consultants act as black-hat hackers, can help security teams identify risks; on OT networks it should be scoped and scheduled with the plant engineers, because even a routine port scan can hang a fragile controller. In addition, several cybersecurity startups now offer easily installed AI-based solutions that continuously monitor networks for vulnerabilities, enabling security teams to identify new vulnerabilities as they appear. On the OT side, the fix usually has to wait for a planned maintenance window, so the interim answer is segmentation and compensating controls rather than real-time patching. Finally, every organization, whether critical infrastructure or not, should implement comprehensive security awareness and training programs for its employees. The number of attacks that could be thwarted simply by training employees not to click on links or attachments of unknown origin is massive.
To be clear, even implementing all these steps isn’t a panacea, and well-resourced nation states retain the ability to overwhelm even the best defenses. Nevertheless, by hardening our critical infrastructure, we can at least reduce the likelihood of a catastrophic Cyber 9-11. It’s time to do so now.
Here are some leading Israeli cyber firms focused on critical infrastructure protection:
- Claroty – https://claroty.com/
- Scadafence – https://www.scadafence.com/
- Radiflow – https://www.radiflow.com/
- Nanolock – https://www.nanolocksecurity.com/
- IXDen – https://ixden.com/