OT cyber security: a growing priority for critical national infrastructure

By Glenn Warwick, Head of Operational Technology Cyber Security at Bridewell.

  • 1 year ago Posted in

Digital and physical worlds are increasingly overlapping. As cyber-physical systems become more interconnected, and links to company IT systems and third-party networks are established, previously air-gapped infrastructure has given way to new, interdependent working models.

For critical national infrastructure (CNI), this convergence is transforming industrial operations across the UK’s most essential services – from water, energy, oil and gas to transportation and defence. Increased OT connectivity is bringing greater operational efficiency along with a host of business benefits - but it also introduces new cyber security risks and holes where previously walls existed.

 

With recent Bridewell research finding that over half (58%) of CNI organisations have seen their OT attack surface expand in the last year alone, securing critical systems and services from the tactics of sophisticated adversaries is more challenging than ever. At the same time, turning back the clock on convergence is inconceivable, given the significant performance, productivity, and decision-making capabilities already being unlocked.

So, how can CNI organisations not only implement these crucial connections in a secure way, but also use them as an opportunity to strengthen their overall security posture?  

 

Evolving OT challenges

 

Historically, there has been an industry assumption that OT security lags behind its more agile IT counterpart. However, the true situation is much more nuanced. Durable OT systems are designed to run uninterrupted, often for decades, making maintaining up-to-date security controls a significantly greater challenge than for IT. Replacements and upgrades generally require extensive re-engineering, which is both costly and time-consuming. Such changes also bring inherent risks by introducing new hardware and software. These deployments may not initially match the level of service reliability achieved by existing systems.

Furthermore, adopting commonly used IT cyber security practices – from individually assigned user credentials and multi-factor authentication (MFA) to signature-based anti-virus and frequent security patching - may not be feasible in many OT environments across CNI. Part of the challenge is the lack of remote connectivity. Operating security controls in distributed environments, which are prevalent in CNI, poses significant challenges when there is a lack of centralized management capabilities. Just imagine the complexity of resetting a user’s password across multiple isolated sites.

 

The changing face of cyber risk

 

To support digital transformation initiatives, CNI organisations require even greater connectivity of their OT systems with IT and beyond. SCADA-based systems are also integrating into ever-more complex ecosystems with hardened operating systems, hosted on virtualised platforms and interconnected across segregated OT networks. Whilst this can bring benefits for resilience and security, it poses significant risks if not properly managed.

 

Where social engineering threats such as phishing were once predominantly IT concerns, Bridewell’s research has found that a quarter (25%) of CNI decision makers now consider it their biggest OT cyber risk. This not only creates potential entry points into the IT network, but also places interconnected OT systems at greater threat. Where once the main concern was malware infected USB drives and portable laptop computers, phishing attacks and browsing malicious websites now present additional “people risks” to OT systems.

 

Successful OT attacks can also carry direct physical consequences. High-profile CNI intrusions, including the 2021 attack on a Florida water treatment facility, demonstrate the risks to human lives, with remote access to an operator workstation being used to temporarily gain control over the chemical dosing levels in the water supply. Possibly more concerning, however, is why the control system allowed such dangerous levels of chemical dosing in the first place. More recently, Russian groups launched an attack on Ukraine’s energy grid, deploying malware to disrupt the industrial control systems (ICS) and cause a power outage. While both attacks were prevented before significant harm was caused, they provide further evidence of the attractiveness of industrial systems to cyber threats.

 

Achieving a more layered defence

 

As convergence blends previously separate teams, technologies, and processes, organisations must establish improved security controls and architectures. Using a range of layered approaches that do not directly alter OT systems enables easier adoption of modern defensive measures, reducing the need for wholesale system replacements. Since new network connections pose the highest risk, the focus of threat protection should primarily be directed towards these areas. As a minimum, network borders should restrict communications to only those explicitly necessary, particularly at points where less trusted networks intersect or converge.

 

Crucially, organisations should ensure that connections to OT are only from authorised trusted individuals or devices – and only when they have a specific requirement. Once the intended task has been completed, connectivity should be immediately disabled to remove the threat vector. Implementing MFA for remote access, while not foolproof, will add an extra layer of security and help safeguard unauthorised access to OT environments.

Equally, there might be a need to establish longer periods of connectivity. In such cases, it becomes crucial to validate and screen the data flowing in and out of the OT network. Both data import and export paths must be secured to prevent malware infiltration or unauthorised data transmission.

 

Currently, many OT leaders are focusing their efforts on blocking connections into the network while overlooking more sophisticated attack vectors. For example, outbound channels that allow exfiltration of OT configuration data can provide cyber criminals with crucial insights into system operations, potentially leading to a stage 2 attack. To ensure the integrity of sensitive information within the OT environment, organisations must maintain a high level of confidence in their import and export data pathways.

 

Within the OT environment, network segmentation is also crucial, with each network segment ideally hosting only the devices necessary for critical communications between them. When it comes to OT servers and workstations, it’s beneficial to have controls that do not require frequent updates. For example, replacing traditional antivirus software, which relies on regular signature updates, with technologies like host-based firewalls or Microsoft’s AppLocker, can be advantageous.

Secure architectures and tooling alone cannot be relied upon to protect critical networks. Active defence practices are required, conducted by skilled security experts who can operate effectively across industrial networks, identifying the hallmarks of a potential attack and taking proactive measures to thwart progress before significant harm can be caused.

It’s also crucial not to apply a broad-brush approach to security within OT environments. Instead, organisations should adopt solutions and technologies that are specifically tailored to the unique characteristics and evolving security requirements of industrial control systems.

 

With IT/OT interconnectivity becoming a permanent reality, it is vital to proactively ensure its secure implementation. Neglecting crucial security measures will lead to insecure practices becoming commonplace. Therefore, prioritising cybersecurity is essential to safeguarding interconnected systems and building a safe, robust operational environment.

By Manuel Sanchez, Information Security and Compliance Specialist, iManage.
Anita Mavridis, VP of Product at Zivver, and Sue Musumeci, Director of Quality & Clinical...
By Danny Lopez, CEO of Glasswall.
Nadir Izrael, Co-Founder and CTO at Armis discusses the importance of critical infrastructure...
By Darren Thomson, Field CTO EMEAI at Commvault.
By Asher Benbenisty, Director of Product Marketing at AlgoSec.
By Steve Purser, former Head of Core Operations at the EU Agency for Cybersecurity, and Zivver’s...
By Graham Jarvis, Freelance Business and Technology Journalist, Lead Journalist, Business and...