There’s no sugar-coating the fact that our critical infrastructure, operational technology (OT) and industrial control systems (ICS) make highly attractive targets for threat actors. This is the first in a series of articles examining why OT/ICS attacks are escalating and, importantly, what we can do about it.
Some examples that have made front-page news over the last decade include Stuxnet (disrupted and caused major damage across 14 Iranian nuclear facilities), Triton malware (disabled safety systems within a petrochemical plant in Saudi Arabia) and ransomware attacks (shut down operations for Belgium-based mechanical equipment manufacturer Asco).
Digitally connected critical infrastructure is vulnerable
Alarmingly, we know these attacks are now increasing in frequency and severity. The question we need to explore is why. There are many reasons, but the main one is the increased interdependence between the digital and physical worlds across OT/ICS environments. These worlds have converged without adequate planning from a people, process and technology perspective.
So now, we need to take stock to learn, understand and quickly act. One of the most important requirements will be for IT and OT teams to work together, so we can all pull in the same direction towards a common goal, protecting the safety of our people first and sustainability of our organisations second.
To help this process and fast-track outcomes, our team here at Peloton Cyber is on a mission to democratise our cyber security knowledge, so we can grow collective learning and empower industries to lock in control.
OT State of Play
Attacks on the world’s most critical infrastructure that we depend on every day such as water, oil and gas, transport, communications, financial services and power, are escalating.
In 2022 Russia weaponised cyber to knock the Ukraine power grid offline. Adversaries have found the back door of these complex and vastly distributed operations is wide open—in fact cyber attacks on OT systems and critical infrastructure have increased by 67% in the last 5 years.
With these attacks come massive costs spanning disruption of physical systems and operations, lost sales, hundreds of millions of dollars in compliance penalties and damaged reputations. But most importantly, beyond financial damage is the human cost. Attacks are shifting from process disruption to causing physical harm. Gartner predicts that costs from attacks on cyber-physical systems (CPSs) that result in fatalities will reach US$1 billion this year, and that 75% of CEOs will be held liable by 2024.
In Australia, as reported in The Mandarin, Home Affairs Minister Clare O’Neil has almost doubled the number of businesses, from 87 to 168, that are now included in the ‘Systems of National Significance’ schedule, which is in place to safeguard private businesses against attacks.
If a designated business is compromised, loses control and cannot regain it, the Australian Signals Directorate (ASD), as a last resort, has the power to step in and take over emergency control of its private systems. Under new obligations, businesses included in this schedule are required to have robust response plans for cyber incidents and to ensure they are adequately prepared to minimise vulnerabilities and prevent attacks. If attacks do occur, they must have systems and processes in place that enable them to identify, monitor, detect and respond as quickly as possible.
Why is this happening?
There are several reasons why OT attacks are increasing in both frequency and severity.
1. We are plugging new modern digital technologies into aging physical systems
We are connecting old-school silicon OT systems that were built to sweat for 30 years and are hard to patch with modern IoT / IIoT devices (Internet of Things / Industrial Internet of Things).
This means the legacy air gap between IT and OT no longer exists (if it ever existed at all). Widely used SCADA networks that connect OT devices to drive operational functionality and efficiency now pose a massive cyber security risk, because without stringent processes, security controls and monitoring they are simple to compromise.
A research study by the Ponemon Institute, sponsored by Microsoft, found that 60% of IT leaders believed that devices were the least secured part of their IT infrastructure, and 50% said the volume of attacks against their IoT / IIoT devices had increased. To further emphasise this vulnerability, a report by CyberSignals found that over 1 million connected devices were publicly visible on the internet running Boa, an outdated and unsupported web server used in IoT devices and software development kits.
2. We’re past the point of playbooks
Even though OT threats are escalating, they are relatively new, and no playbook can capture the complexity and constantly changing landscape of OT threat scenarios: how operations were accessed, the type of threat actor involved, and how the attack should be contained given the specific context of the incident.
Industry, businesses and cyber professionals have allocated a lot of time, resources and investment into protecting our corporate digital environments across workstations, servers, email, cloud applications and remote access. However, operational environments spanning line operator and engineering workstations, PLCs and DCSs in the control network, and field devices have often become the forgotten cousin—creating an opportunity for adversaries.
These vulnerabilities have become an immediate target. We are seeing new scalable attack toolkits like Pipedream that target ubiquitous components in OT systems, and RaaS (ransomware as a service) campaigns across OT environments are increasing in sophistication.
3. The great divide between IT and OT
Both of the above issues are largely the result of a widening gap between IT and OT. This spans mandates and remuneration, skills and understanding, and language, through to the problems and solutions each area is focused on.
Whilst the CIO/CTO holds the purse strings for technology investments, their understanding of OT control systems is limited. On the flip side, OT control system engineers have phenomenal knowledge of the legacy infrastructure and systems, but generally have limited cyber security skills and competency.
On top of these reasons, some may argue there’s not enough time, people and skills, and that operations are too complex and dispersed to have a full set of cyber security processes that govern everything.
But fundamentally, it’s possible to address all the above challenges by bridging the divide between IT and OT, starting with empathy and a shared language.
Let’s shed more light on this divide
Scott McKean, Peloton Cyber Security CEO, shares that ‘the most resilient cybersecurity programs that we’ve seen in industrial control and OT are the ones that have great information flow.’
Let’s first look at organisational structures today from the bottom up, starting with people: the employees within OT / ICS environments who come to work to perform their day-to-day roles and have the utmost faith in management that they are safe—that their health and safety is not at risk of harm in any way. If they had any doubts about this, they wouldn’t come to work.
From there we have very separate IT and OT teams. There may be a cyber security team that oversees both areas, but it’s likely they are busy investigating all the alerts that go ‘ping’ all day every day, with limited time left over for restructuring cyber resilience across the two disparate areas or sharing ideas to build understanding.
The IT security engineer deeply understands their own protocols and network architecture but has limited knowledge of their OT counterpart’s world. The OT control system engineer, meanwhile, has rich knowledge of the decades-old silicon-based critical infrastructure and extensive experience in industrial control and SCADA, but limited cyber security skills and competency. They sit on a treasure trove of knowledge, but faced with industry-wide talent shortages they have no one to pass that knowledge on to. In most instances they would value the opportunity to better understand cyber security and cross-skill.
The executive leadership team includes the CSO (if they have one, or whoever owns this responsibility); this person takes control of everything and has a set of targets to achieve, predominantly focused on the corporate digital environment. The CIO holds the purse strings for technology initiatives and investments across the business but has an entirely different set of KPIs from the COO. This is one of the most critical issues responsible for creating and maintaining the IT / OT divide, which directly leaves organisations vulnerable to attacks. On top of this, we have compliance and functional safety teams focused on their own outcomes, and as a result working in silos.
Then we have the Board which needs to make critical decisions around cyber risk and therefore needs it to be presented in language they understand—that is, managing risk that directly impacts the balance sheet, and the quantifiable return of investing in processes and solutions that protect their people, and digital and physical assets.
There’s a lot of opportunity for us to work better, but there’s no doubt that it will require a shift from how we do things today. IT security and OT security can no longer be mutually exclusive and siloed from a threat intelligence perspective.
First comes understanding
This conversation is new. Approaching it will inevitably present challenges. It will require everyone involved to listen and learn with empathy. We will need to gather and understand different perspectives on key priorities across the business, technology solutions and investments. We’ll need to understand current scorecards to define new targets and to build a common roadmap that unites IT and OT, and other areas of the business. From there, we can start building momentum to go faster.
We’ll also need to be mindful that everyone learns differently, and that we’ll need to work as a community to make different experiences available, from industry-run theory to practical experiences where people can immerse themselves in watching things break and working to put them back together again.
On this, Peta Richards, Peloton Chief of Staff shares:
‘I believe there is a common misconception that to be competent in a role, a person must do a lot of external training; yes, it is important to have the foundational knowledge required but most learning comes from on-the-job experience. This can be in the form of things such as completion of tasks, making mistakes and solving problems. There’s a learning and development model called the 70/20/10 model which states that 70% of learning comes from on-the-job experiences and challenges, and only 10% from formal courses; I would expect that most people would think those stats are switched so they undervalue the development they can receive as part of their role.’
There’s also a lot to be said for creating an environment where IT and OT security engineers can spend a day in the life of the other, so they can learn from each other’s practical knowledge and share common experiences. After all, they are two different worlds: IT security and OT security, and all the networks, architecture and assets that go with each. Each is nuanced, but this shared learning is needed, otherwise we’ll never close the gap. It’s also important that we get People and Culture involved so that learning and development is measured by collaboration.
Scott McKean says, ‘competency increases competency and confidence as the OT engineers start to learn more about the IT security tooling and the IT engineers start to learn more about the OT protocols and design systems and the offensive techniques and how we detect these types of threats. It actually becomes kind of interesting and exciting. And now we’re gaining confidence, and we’re starting to bridge that divide.’
Once this understanding sets in, we can create safe ways to think and explore and craft solutions together. This may take the form of automated attack simulations, building digital twin environments and identifying new offensive tools and frameworks. More specific examples are IT people participating in functional safety drills or running a HAZOP assessment, and on the flip side control systems engineers attending threat intel briefings.
This is the first article in our ICS / OT learning series, which shares the foundational knowledge around why these attacks are escalating and, importantly, what we can do from a people and process perspective before we look to technology.
In the near future we’ll share best practice frameworks and tools for your toolbox, including an opportunity to create your own DIY OT Lab to fast-track hands-on experiences. We’ll also be running training and educational sessions for both IT and OT engineers and executive leaders.
Follow us on LinkedIn to stay up to date on topical news and events including OT lab training and lunch and learn sessions.