“DHS escalates cybersecurity mandates for key US pipelines in wake of ransomware attack,” reported CNN earlier this week, after the Transportation Security Administration, a part of DHS, issued its second “security directive” for critical pipelines. This is one of several responses government and industry are pursuing after the Colonial Pipeline cyberattack affected gas pipelines earlier this year. Will it be enough to prevent additional mischief aimed at operational technology?
The short answer is: it’s a vital start. The longer answer might be: the Colonial Pipeline attack is a preview of new risks; as more operational systems come online and are accessible by adversaries, more industries – beyond pipelines – are vulnerable to malicious sabotage or destruction. The rapid, ongoing growth of the smart device, Internet of Things (IoT) ensures this reality.
If It Blinks, It Sinks
This is the headline the nonpartisan Atlantic Council used recently when interviewing five experts about the cybersecurity risks associated with operational technology. First, the council’s definition:
“Operational technology (OT) cybersecurity encompasses the software, hardware, policies, personnel, and services deployed to protect physical systems.”Mission Secure, as quoted by Atlantic Council
The experts were asked five questions:
- What is the most common misconception about solutions for OT security?
- The ransomware attack on the Colonial Pipeline in May 2021 made front-page news. What is your biggest takeaway from this incident with regard to OT security?
- What under-the-radar sector relies on OT, the security of which we may take for granted, that is prime for exploitation?
- What is one policy change that you would like to see in order to better protect core critical infrastructure and the OT that operates it that could realistically be implemented in the next two years?
- What is the low-hanging fruit for better protecting OT? Where can the least resources go the longest way?
The article is worth a read, but I’d like to highlight some themes to these thoughtful responses. The experts’ responses centered around data/devices/system awareness, advanced planning and preparation, and a desire to see more collaboration between vendors, regulators, and lawmakers to enhance reaction speed.
Guidehouse Insights researcher Danielle Jablanski (@CyberSnark) points to the health of an organization before a breach as an especially important consideration:
“Second, and most often overlooked, is the need to consider complex organizational (not technical) priorities in lieu of a breach/incident – legal, strategic communications, compliance, etc. If these priorities are not articulated before a cyber event, they almost certainly hamstring response capabilities and timelines.”
As Bryson Bort (@BrysonBort), CEO of Scythe underscores: “OT underpins modern society: water, electricity, and fuel. Without any of those elements, we go back to the Stone Age pretty quickly. […] You work in an OT environment; you just did not realize it.”
OT and IoT Risks for Organizations, Private Industry
The convergence of OT and IoT amplifies burgeoning cybersecurity risks. For example, OT vulnerabilities increase:
Organizational risk, such as forced downtime or production stoppage;
Insider threat risk, such as targeted attacks or access to other, connected systems;
Reputational risk, in the marketplace and/or as an employer.
Organizations are adding OT to their cybersecurity planning. Often, new frameworks must be built to manage OT assets. Some OT equipment need upgrades; other systems are too old for remediation. All need to be managed alongside digital asset security. The need is urgent, and growing.
The Colonial Pipeline attack should be a wake-up call for all business leaders. It isn’t just one sector whose physical infrastructure is at risk of cyber attack. All businesses and their digital systems connect, at one juncture or another, with the physical world. It’s time to take security protection seriously.
NetCentrics has a long history of building and protecting cyber infrastructure. Contact us to discover how our cybersecurity expertise can protect your valuable assets, both digital and operational.