5 basics to ensure cyber resilience in Operational Technology (OT)
If an organisation is serious about protecting its customers' data and safeguarding its own critical information and connected assets, it needs cyber resilience across both Information Technology (IT) and Operational Technology (OT), not in IT alone.
Resilience is the ability to withstand adversity and recover from difficult events. Being resilient does not mean that people never experience stress, emotional or physical. Society generally expects every action to be correct, accurate and perfect; we are quick to judge perceived failings and less enthusiastic about getting all the facts first.
Cyber resilience is not about being perfect. It is about being aware, adaptable, prepared and able to respond to challenging situations as they arise. While cyber capabilities in IT are entrenched in most organisations, cyber resilience in OT is being left behind and is all too often neglected, even though OT needs the same structured approach to prevention and reaction.
In this blog, we’ll explore five basics to ensure cyber resilience in OT, illustrating that cyber resilience is as much about people as it is about technology.
1. Know the threat actors
A threat actor is defined by the Australian Government as an entity that is partially or wholly responsible for an incident that impacts – or has the potential to impact – an organisation's security.
Threat actors can be categorised into one of the following four major groups, according to The Cyber Threat Handbook by Thales and Verint:
Nation States: Foreign entities may try to elicit strategic or intellectual property information on capabilities, activities, and intentions for corporate or political advantage. Attacks are often well-resourced and sophisticated and are known to target OT environments.
Hacktivists: A collection of activists with a common ideology who engage in political or issue-motivated activities. While recognising that Australians have a legal and legitimate right to protest, usually cyber teams are concerned about protests that are likely to be violent, disruptive or impact customers.
Cybercriminals: Actors who engage in illegal activity, including cyber-attacks and the theft of property, sensitive information or customer data, for financial gain.
Cyberterrorists: Individuals or groups who use violence, or the threat of violence, to intimidate organisations, governments or the public in order to advance a political, religious or ideological cause.
Every threat actor has different motivating factors and modus operandi. Let’s dive deeper into the risks they collectively present to an organisation.
2. Risk comprehension
Too many organisations still do not build a thorough risk profile: understand each risk, determine which risks have a cyber component, and then ask where that component could cause impact. Understanding and apportioning risk in this way is the number one factor in resilience.
Understand your threat actors and your risk; prevent the cyber-attack.
In an ever-advancing digital work environment, IT becomes the focus of most organisations' cyber security frameworks. It has been said ad nauseam, but OT risk is even more critical, because people are not considering the mechanical elements of an evolving digital environment. The more we automate and digitise, the more those mechanical elements become exposed to cyber-attack.
To keep pace with global trends, we need to continue the automation of systems, but do so with strong confidence in our underlying cyber security subsystems that protect the automation infrastructure.
Response preparedness is key.
We need to ask ourselves the hard questions. What are you going to do when something happens? How are you going to communicate if systems are compromised? What information are you going to put out? How are you going to talk about it? What are your disaster recovery and business continuity plans from a cyber perspective?
In the world of cyber, everything is constantly changing. Ensuring that you have ongoing conversations about not just being prepared for the now, but for what’s next is essential.
Remember to consider both IT and OT in your risk profiles. From an engineering OT perspective, cyber resilience starts with understanding risk at the level of the SCADA systems and PLCs themselves, and then building security into them rather than around them.
A quick example of this:
Scenario: There is a PLC cabinet in a car park with public access. It has no significant lock, just a standard key that can be bought at any electrical store. How easy would it be for one of our threat actors to open the cabinet and plug a malicious USB device into the PLC or its engineering port? Physical access is part of the OT risk profile: a proper lock, tamper detection on the cabinet and disabling unused USB and serial ports are as much cyber controls as any firewall rule.
3. Threat intelligence over threat information
Right now, there is a tendency to favour threat information over threat intelligence, and there is a big difference between the two.
Threat information: any information gathered from a range of sources about current or potential cyber-attacks against an organisation.
Threat intelligence: threat information that has been analysed, refined, and organised, and then used to minimise and mitigate cyber security risks.
Threat intelligence provides in-depth information and context specific to your OT site or infrastructure: who is attacking, their capabilities and motivation, and the indicators of compromise (IOCs) to look for.
We need to move to threat intelligence. Collecting information on potential threats is just the beginning. Threat intelligence enables organisations to make educated decisions around cyber security response and how best to defend against the most damaging attacks.
IT and OT must work together
Effective cyber security relies on transformed operational designs and operations when applying IT-OT convergence across systems. True IT-OT convergence removes the divide between operational processes and information systems and combines them in a unified network architecture. Operationally, however, mission or safety-critical systems need to apply adjusted operational practices over those of enterprise IT systems.
In cyber, this means taking the threat information that IT already consumes and applying it against a complete picture of your environments, including the physical environment and every OT asset within it. You cannot have threat intelligence without complete IT-OT visibility.
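To make the difference between threat information and threat intelligence concrete, here is an added example (written for this post, not code from the original page or from any vendor): a raw threat feed is correlated against an asset inventory that includes OT assets, and only the entries relevant to the site survive, ranked by how much damage they could do. The feed entries, asset names, vendors, protocols and scoring weights are all constructed for illustration; a real site would use its own inventory and its own weighting.

```python
"""Correlate raw threat information with an IT+OT asset inventory to produce
site-specific threat intelligence.

Added example for this blog post, not the author's or any product's code.
All assets, feed entries and weights below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    zone: str                      # "IT" or "OT"
    vendor: str
    product: str
    protocols: set[str] = field(default_factory=set)
    internet_exposed: bool = False
    safety_critical: bool = False


# Constructed inventory. The OT rows are exactly what an IT-only view leaves out.
INVENTORY = [
    Asset("erp-app-01", "IT", "Microsoft", "Windows Server", {"smb", "rdp"}, True),
    Asset("hmi-pump-station-3", "OT", "Siemens", "WinCC", {"s7comm", "smb"}),
    Asset("plc-carpark-cab-07", "OT", "Siemens", "S7-1200", {"s7comm"}, False, True),
    Asset("rtu-substation-a", "OT", "Schneider", "Modicon", {"modbus"}, True, True),
]

# Constructed threat information: raw feed entries as received, with no site context.
THREAT_FEED = [
    {"id": "TI-001", "actor": "nation-state", "vendor": "Siemens", "protocol": "s7comm",
     "summary": "Engineering-workstation malware that rewrites PLC logic over S7comm"},
    {"id": "TI-002", "actor": "cybercriminal", "vendor": None, "protocol": "rdp",
     "summary": "Ransomware affiliate brute-forcing internet-facing RDP"},
    {"id": "TI-003", "actor": "hacktivist", "vendor": "Rockwell", "protocol": "enip",
     "summary": "Defacement campaign against exposed EtherNet/IP devices"},
    {"id": "TI-004", "actor": "cybercriminal", "vendor": None, "protocol": "modbus",
     "summary": "Scanning for internet-exposed Modbus/TCP endpoints"},
]


def matches(entry: dict, asset: Asset) -> bool:
    """A feed entry is relevant to an asset if vendor (when given) and protocol match."""
    vendor_ok = entry["vendor"] is None or entry["vendor"].lower() == asset.vendor.lower()
    return vendor_ok and entry["protocol"] in asset.protocols


def score(entry: dict, asset: Asset) -> int:
    """Constructed priority weighting: OT, safety impact and exposure dominate."""
    s = 1
    if asset.zone == "OT":
        s += 2
    if asset.safety_critical:
        s += 3
    if asset.internet_exposed:
        s += 2
    if entry["actor"] == "nation-state":
        s += 1
    return s


def to_intelligence(feed: list[dict], inventory: list[Asset]) -> list[dict]:
    """Keep only entries that touch an asset we actually own, ranked by priority."""
    out = []
    for entry in feed:
        hits = [a for a in inventory if matches(entry, a)]
        if not hits:
            continue  # information with no relevance to this site is noise, not intelligence
        out.append({
            "id": entry["id"],
            "actor": entry["actor"],
            "affected": sorted(a.name for a in hits),
            "priority": max(score(entry, a) for a in hits),
            "summary": entry["summary"],
        })
    return sorted(out, key=lambda r: r["priority"], reverse=True)


def ot_blind(feed: list[dict], inventory: list[Asset]) -> list[dict]:
    """Same correlation with only the IT assets visible: what an IT-only SOC would see."""
    return to_intelligence(feed, [a for a in inventory if a.zone == "IT"])


if __name__ == "__main__":
    for row in to_intelligence(THREAT_FEED, INVENTORY):
        print(f"[P{row['priority']}] {row['id']} {row['actor']}: {row['affected']}")
    print("IT-only view:", [r["id"] for r in ot_blind(THREAT_FEED, INVENTORY)])
```

With the full inventory, the Modbus scanning entry lands at the top because it hits an internet-exposed, safety-critical RTU, and the S7comm entry is second because it reaches the car park PLC. With the IT-only view, both of those disappear and the only surviving item is the RDP brute-forcing campaign; the Rockwell entry is dropped in both cases because the site owns no such device. That is the visibility gap the text describes.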
4. Implementation and action – changing culture
I often talk to people about what risks they are facing right now. Upon presenting a solution to resolve a challenge, so many times, I hear the comments like: "That looks great, I'll implement it in a couple of years, I’m just planning right now".
Cyber security is not next year. Cyber security is now.
Next year there will be a different risk and a different challenge. Ignoring the risk today leaves you at risk of a breach today. It’s the harsh truth and there is no silver bullet.
Cultural change in OT, especially at the engineering level, is still a significant challenge. Despite the very capable people in the engineering industry, building in culture change without first exposing them to the real-world cyber risks out there is difficult.
The focus right now should be on getting people to understand their environment has risks, what those risks look like, how those risks can manifest through a cyber-attack and how best to react – to implement culture change. We quickly see environments embrace cyber security when there is that understanding.
Education is critical. Start training people to understand the basics of cyber security at an engineering level; that is the resilient capability. It is not just about putting people through a globally recognised cyber security course (of which there are many, and they are very beneficial), it is about getting them trained specifically in OT environments: real, on-the-ground training. The key is to find change champions, one or more people who clearly understand the culture required, and let them educate others, creating new champions and renewing the cycle.
Gaining a deeper understanding of your OT assets and the vulnerabilities surrounding them, together with having ongoing conversations and supporting education to transform your cyber security culture is as close as you’ll get to a silver bullet.
5. As a cyber community, we must simplify the gold standard
To build and embed resilience into critical infrastructure as a global community, we must get down to a simple set of mandates. At present, there are too many. Organisations don’t know which mandate is the primary one – nobody can answer it.
There are multiple governance structures for different elements of risk, safety, and more – but from a cyber perspective, it must become simple. There is no singular, gold standard mandate to unite cyber security across the globe at present. The Australian Government’s Security of Critical Infrastructure (SOCI) Act is a recognised mandate and potentially the answer to this question, at least in Australia.
Stay tuned for an upcoming blog exploring the SOCI Act in more detail.
Conclusion – Pre-empt the threat
Be sure to identify and diagnose weaknesses before it’s too late. It’s critical to gain a deeper understanding of where you are going vs where you are right now.
Ask yourself two key questions: what is your goal and what is your reality? Be brutally honest when it comes to your reality and be clear about what actions you’re going to take to achieve your goals – and ensure you follow through. Most importantly – start today.