While cybersecurity teams have focused on protecting IT for years, operational technology (OT) security has been neglected for long enough to become a significant concern. Hackers now see critical infrastructure attacks as low-hanging fruit for infiltrating both public and private sectors. The rise of Industrial Internet of Things (IIoT) within the OT space and legacy systems that were never intended to communicate with other systems, much less thwart cybercriminals, makes critical infrastructure more vulnerable.
Recent high-profile hacks have targeted critical infrastructure, even compromising a water treatment plant in Oldsmar, FlThis isn’t just a mild uptick in attacks. Research reveals that OT attacks jumped by 30% in 2020 alone. For example, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published a whopping 224 advisories, a 30% increase from the previous year.
What’s creating these openings for hackers to exploit? The rise of IloT devices within our critical infrastructure, like those found in manufacturing firms or oil and gas plants. The share of vulnerabilities within IIoT devices increased by more than 300%.
Hackers now recognize the power of OT attacks. The critical infrastructure sector is riddled with vulnerabilities. Industries such as energy and manufacturing rely on legacy technologies to operate and can’t afford to shut down operations to completely overhaul their systems. From refineries to factories, pausing operations means millions of lost dollars, leaving CIOs and CISOs with a Catch 22 scenario. Armed with this understanding, threat actors are seizing crucial services, knowing full well that organizations, enterprises and municipalities will pay hefty ransoms to limit disruptions.
For example, an energy company using networked sensors to monitor oil rigs might lose online sensor access, forcing drills to shut down. Without proper protocols in place, security leaders may have no idea how this happened or how to prevent future attacks.
Recent hacks targeting energy and electrical grids demonstrate that cybercriminals are becoming callous, willing to harm large populations. Authorities thwarted the Florida water treatment attack, but this incident reflects the magnitude of threats facing critical infrastructure.
Overcoming the apathetic mindset in OT security management
Managing critical infrastructure cybersecurity is undoubtedly challenging. Teams must secure massive environments that cannot experience downtime, and safety is often the priority over security. For example, OT device vulnerability scans and remediation might only happen once or twice each year, creating substantial blind spots for security teams. Since new threats are evolving all the time, that means critical infrastructure back doors remain wide open for months, rather than being patched as quickly as new vulnerabilities emerge.
These factors, compounded with years of computer and network neglect, paint a bleak picture. OT security is 10 years behind IT security. Leaders in the OT space are just now considering centralizing and managing firewalls. Path analysis has been underutilized in OT, leaving security teams with little understanding of their attack surface and vulnerabilities.
Leaders from local governments, utilities and the private sector must consider a new approach to security posture management – a paradigm shift, not just bandaging a broken system. To protect OT environments and critical infrastructure, organizations should quickly expand beyond standard detection and response models with more proactive, preventative security measures. Modern best practices to safeguard our critical infrastructure include:
· Operate with a single view of compliance. Operational security processes should align across the entire estate, including on-premise, OT, third-party and hybrid cloud networks. This gives security teams a holistic understanding, including each asset’s exposure to attacks.
· Place greater emphasis on understanding the attack surface. Context augments device data scans, enabling organizations to identify and remediate risk exposures that pose the most significant threats. The only way to achieve this is by developing a complete life-cycle unified vulnerability management approach.
· Leverage vulnerability discovery to inform aggregate exposure to threats. A critical component of risk-based vulnerability prioritization, exposure analysis helps establish a real-world view of discovered issues, revealing which vulnerabilities are most likely to be leveraged in an attack and not protected by security controls.
When tasked with protecting OT, it may be challenging to overcome the lack of momentum and decades of neglect. Moreover, an organization may not appreciate the value of its data – even today, a logistics CEO might not think warehousing data is appealing to a hacker. But, if the logistics company does business with a utility, energy or targeted private sector organization, threat actors may find high value in even seemingly basic data.
The current approach to cybersecurity taken by enterprises and government entities managing OT is short-sighted, costly and inefficient. Businesses across the industry need to solidify their firewall management strategies and gain full visibility of their hybrid IT/OT networks to improve operational capabilities and limit the opportunity for criminals to exact severe financial and reputational damage.
Leveraging a security platform that unifies and optimizes security posture management with passive vulnerability scanning enables targeted remediation, freeing human personnel to focus on more pressing initiatives, such as preparing for the next round of cybersecurity challenges.
Apathy is the biggest risk to critical infrastructure security. Security leaders in OT-dependent industries must leave behind the mindset that they won’t end up in the crosshairs of a hacker. Taking a proactive approach to visualize and analyze hybrid, multi-cloud collectively, and IT/OT networks will provide critical intelligence on the attack surface and help prevent future Oldsmars from happening.