Modernizing Critical Infrastructure Requires Security Transformation

Critical Infrastructure Blog Series

It's only mid-year and already 2021 has proven to be a watershed year of attacks on critical infrastructure (CI). The successful cyber attacks on Colonial Pipeline, JBS USA Holdings Inc. and the Oldsmar water treatment plant have caused global CI organizations to be on higher alert than they already have been to protect their running operations. Furthermore, CI organizations are also anticipating a tighter regulatory landscape as evidenced by the Transportation Security Administration's cybersecurity mandate for owners and operators of pipelines.

Securing today's CI and operational technology (OT) is paramount. Leaders in these organizations need to pay attention to the security risk associated with the next wave of infrastructure that is being planned, or which may already be online. Although the pace of digital transformation (DX) in CI/OT is not as fast as the IT domain, the change is determined by compelling business drivers, such as improving service uptime and safety, as well as reducing operational costs. Operations, IT and security teams may not have collaborated in past OT projects, but it is imperative that they work together closely now to ensure that security is addressed in the planning process of the digitally transformed CI/OT versus trying to retrofit it after the fact. In this blog, we take a look at why successful digital transformation of CI/OT requires that senior leadership work together to ensure that security transformation happens in unison with the OT modernization. We also introduce the concepts of Zero Trust and the platform approach for CI/OT security and why they are key tenets of ensuring successful business outcomes.

Critical Infrastructure Is a Highly Attractive Target

The increasing frequency of attacks on CI/OT should not be a surprise considering the potentially crippling impact that these cyberattacks could have on utilities, energy pipeline operators, shipping companies or manufacturers. Threat actors have picked up on the leverage they could have over these organizations. For example, cybercriminals are seeing that they can extract substantial ransoms from their victims, and nation states can more effectively bully rival countries with demonstrations of their cyberwarfare capabilities. The Colonial and JBS attacks together resulted in $15M in paid ransom. Not only are attackers increasingly going after CI/OT, but they are also investing more in improving their capabilities to compromise these organizations. We've already seen CI/OT-specific attack tooling, like Crash Override and Triton, developed for exactly this purpose.

On the other side of the attacks is the vulnerability of our critical infrastructure, which is an equally important consideration when calculating risk. There are many sources of vulnerability within our critical infrastructure, including typically unsegmented networks, open policies and the software vulnerabilities within the often unpatched or unpatchable legacy systems themselves (e.g. HMI, PLC, ICS, SCADA, DCS, MES). There is often also a lack of collaboration between IT and OT personnel, which leads to weak, uncoordinated security programs, as well as poor funding and low risk awareness. Considering that many attacks on CI originate in IT and then pivot to OT, this lack of awareness cannot be ignored. In summary, the increased rate of attacks and the historically poor security posture of CI make things increasingly challenging for those responsible for protecting today's critical infrastructure.

The Potential Blind-Spot with Digital Transformation of CI/OT

To be fair, a lot has happened over the last couple of decades to address the gaps in CI security. This has primarily been a retrofitting exercise, where better security is being put in places where there were only minimal security capabilities or none at all. CI-specific regulations and standards (such as NERC CIP, the NIST Cybersecurity Framework, the NIS Directive and ISA 62443) have also been stood up for the very purpose of critical infrastructure protection, and there will likely be more as events continue to occur. Furthermore, IT and OT teams are learning to work better together, while increasing awareness at the top leads to better governance.

These efforts to address the shortcomings of past OT are admirable, but we are starting to see disconnects when it comes to addressing the security requirements of the emerging and future OT infrastructure. Many CI organizations have started to deploy the next extension of their CI as part of digital transformation initiatives that go by names such as Industry 4.0, Smart Grids and Digital Oilfields. These smart infrastructures are envisioned to take full advantage of next-generation industrial automation technologies like IoT sensors and robotics, cloud, digital twins, 5G and SD-WAN, while further integrating supply chains.

Operations teams have often moved very quickly to stand up pilots and even production deployments without involving security teams. Certainly, the business benefits of these technologies are compelling enough to warrant fast-tracking the time to ROI. However, the introduction of these new technologies, together with increased connectivity to the cloud and third-party organizations, could introduce many vulnerabilities if not managed properly. Ironically, there is a very real risk that the mistakes of the past — when OT was built without security in mind — could be repeated.

Digital Transformation of Critical Infrastructure Requires Security Transformation

It is imperative that owner-operators do not let CI transformation efforts proceed uncoupled from cybersecurity. The risk that comes with letting these new attack surfaces go unchecked is too high. One key area of security transformation is organizational: the change required is in the framework for how IT, OT and security teams come together to discuss and collaborate on a joint plan. Increasingly, I hear about conflicts between these teams due to "shadow OT," where the business deploys infrastructure without any input from other stakeholders, like IT and security. On the flip side, the business may feel that IT/security is threatening the core operations and not being supportive of the core mission of providing services and/or growing revenue. The motives of the business leaders may be well-intended, but the risks of deploying these advanced technologies unchecked are too high. Hence, part of the transformation required is in how organizations collaborate, so that the activity of modernizing CI/OT also includes the RACI stakeholders, especially security and IT.

Another key aspect of the required CI/OT security transformation is in the mindset. Many organizations consider OT to be a walled garden separated from IT, and anything behind that wall is trusted. They may also consider any user who has successfully authenticated for access into OT to be trusted from that point on. This trust model has proven to be flawed, and we can go back as far as the Stuxnet attack of 2010, when a truly air-gapped system was breached through a compromised vendor. Instead, organizations need to start adopting a Zero Trust mindset and architecture that assumes nothing about trust levels, but instead gathers additional context from the network traffic and then decides what to allow or deny based on that information. Zero Trust, while having its roots in IT, can be adapted for CI/OT and provide tremendous benefits in increasing visibility and reducing cyber risk within infrastructure such as plants and control centers.
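To make the difference between the two trust models concrete, the following is an added example, not code from the original post or from any vendor product it describes. It places the "walled garden" decision (trust anything inside the OT zone or any authenticated user) beside a Zero Trust decision that denies by default and allows only when identity, device posture, role and source zone all check out for the requested operation. The roles, zones, asset classes, sample requests and the 30-day patch threshold are all constructed for illustration.

```python
"""Added illustration: implicit-trust versus Zero Trust access decisions for an OT asset.
Every role, zone, asset class and request below is constructed for the example."""

from dataclasses import dataclass, field

# Constructed policy: which roles may perform which operations on which asset classes.
ALLOWED_OPERATIONS = {
    ("operator", "hmi"): {"read", "write"},
    ("operator", "plc"): {"read"},
    ("control_engineer", "plc"): {"read", "write", "program"},
    ("vendor", "plc"): {"read"},            # vendors are read-only by default
    ("historian_service", "plc"): {"read"},
}


@dataclass
class Request:
    """One access request as a policy engine would see it (constructed fields)."""
    user: str
    role: str
    authenticated: bool
    source_zone: str        # e.g. "ot_control", "it_corporate", "vendor_remote"
    device_managed: bool    # endpoint is enrolled in management and posture-checked
    patch_age_days: int     # days since the endpoint was last patched
    target_asset: str       # asset class: "hmi", "plc", ...
    operation: str          # "read", "write" or "program"


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


def implicit_trust_decision(req: Request) -> Decision:
    """The walled-garden model: anything already inside the OT zone, or any
    authenticated user, is trusted for whatever it asks to do."""
    if req.source_zone == "ot_control":
        return Decision(True, ["inside OT perimeter"])
    if req.authenticated:
        return Decision(True, ["authenticated"])
    return Decision(False, ["unauthenticated and outside OT"])


def zero_trust_decision(req: Request, max_patch_age_days: int = 30) -> Decision:
    """Deny by default; allow only when every piece of context checks out."""
    reasons = []
    if not req.authenticated:
        reasons.append("identity not verified")
    if not req.device_managed:
        reasons.append("device not managed / no posture data")
    elif req.patch_age_days > max_patch_age_days:
        reasons.append(f"device patch age {req.patch_age_days}d exceeds {max_patch_age_days}d")
    permitted = ALLOWED_OPERATIONS.get((req.role, req.target_asset), set())
    if req.operation not in permitted:
        reasons.append(f"role '{req.role}' may not '{req.operation}' a {req.target_asset}")
    # Controller changes are only accepted from the control zone, even for permitted roles.
    if req.operation in {"write", "program"} and req.target_asset == "plc" \
            and req.source_zone != "ot_control":
        reasons.append(f"'{req.operation}' on plc not permitted from zone '{req.source_zone}'")
    if reasons:
        return Decision(False, reasons)
    return Decision(True, ["identity, device posture, role and zone all verified"])


# Constructed sample requests, including a compromised vendor laptop already inside the plant.
SAMPLE_REQUESTS = {
    "engineer_in_control_room": Request("alice", "control_engineer", True, "ot_control", True, 5, "plc", "program"),
    "vendor_laptop_in_plant": Request("vendor-laptop-07", "vendor", True, "ot_control", False, 400, "plc", "program"),
    "operator_from_corporate_it": Request("bob", "operator", True, "it_corporate", True, 10, "plc", "write"),
    "historian_read": Request("historian-svc", "historian_service", True, "it_corporate", True, 3, "plc", "read"),
}


def compare(name: str) -> dict:
    """Return the allow/deny outcome of both models for a named sample request."""
    req = SAMPLE_REQUESTS[name]
    return {"implicit": implicit_trust_decision(req).allow,
            "zero_trust": zero_trust_decision(req).allow}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        zt = zero_trust_decision(req)
        print(f"{name:28s} implicit={implicit_trust_decision(req).allow!s:5s} "
              f"zero_trust={zt.allow!s:5s} ({'; '.join(zt.reasons)})")
```

Running the script shows the implicit model allowing all four requests, while the Zero Trust evaluation still permits the engineer in the control room and the historian's read-only poll but refuses the unmanaged vendor laptop and the write attempt from the corporate network, and it records why in `reasons`, which is the kind of context a security team needs for visibility as much as for enforcement.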

In addition, security transformation of CI/OT entails improving the effectiveness and efficiency of security operations through a platform approach. New capabilities are required to secure modernized plants, which may have IoT, robotics and connections over 5G and SD-WAN to cloud applications, like historians and predictive maintenance. A new security stack is required to provide the functionality for securing this new infrastructure. Rather than addressing this by adding point solutions to the security stack, organizations need to consider a security platform approach, where the security functions are provided as services in a firewall platform that can secure the network across the extended CI infrastructure. Organizations should look towards platforms that can take this network security intelligence and correlate it with cloud and endpoint data, so that machine learning can be applied to automate detection and remediation. Ideally, the platform is ubiquitous across IT and OT, giving consistency in security approaches, shared security intelligence and enterprise-wide operational efficiency. The alternative is disjoint point solutions, with their silos of information and manual processes. These are not enough to keep up with attacks that are only expected to grow more sophisticated as attackers start to leverage the cloud, AI and automation.

Learning More About Zero Trust and the Platform Approach for CI/OT

The topics of Zero Trust and the security platform for CI/OT are areas we want to discuss further. Part 2 of this blog series will look deeper into the Zero Trust approach and how it can help to increase protection across the existing and extended CI/OT infrastructure. In Part 3, we will take a look at the role of cloud security, machine learning and automation as part of a cohesive platform approach for CI/OT. In the meantime, you can gain additional insight into the proper actions CI/OT operations should start with to ensure a secure digital transformation journey by reading this report on Securing OT to Enable Manufacturing Digital Transformation.