Digital transformation is a well-established part of the business IT space, but it’s a different story for industrial process control. Because industries like oil, water management and transportation are so critical to keep running 24/7, they can often be slower to adopt the latest and greatest technology. Unfortunately, threat actors seeking to disrupt these systems see only opportunity in this caution and hesitancy.
As we look to the future, the costs of ransomware are growing. One prediction is that ransomware will cost $265 billion in global damage by 2031 at its current rate. With the market for finding vulnerabilities becoming more lucrative than ever, it's clear that the convergence of IT and OT is crucial to securing critical infrastructure. But how can companies and organizations do so in a way that guarantees security and promotes digital transformation?
Recently, several industry leaders and experts participated in an eBook sponsored by Hexagon PPM on balancing digital transformation with OT security. It explores how organizations can continue critical operations while simultaneously adopting new security practices. Below are some of their thoughts and philosophies.
Tammy Klotz, CISO at Covanta
The first step in adequately preparing for a targeted cyberattack is getting senior-level buy-in to the idea that the threat exists in the first place. Too often, employees (at every level) think they’re invincible and go with the “well, that won’t happen here” mindset. This state of mind disregards the fact that attacks are no longer a question of if but when. Once you have that buy-in, evaluate your risk to determine how much you need to invest in security and how much risk your company is willing to accept.
Those investments can span several areas. Segmentation is especially important for making sure something doesn’t propagate from your corporate network into your OT network or vice versa. And then we get into basics: access and back-ups. Making sure you frequently review employee access to systems and ensuring you have the correct back-ups can go a long way when the worst-case scenario hits and you’re faced with fighting off threats like ransomware.
Another important step is determining how long can you work without the system being available. In an OT environment, the turnaround is likely to be extremely short, so figuring out what the timeline looks like and determining how much data you can afford to lose is critical if you’re going to form a more in-depth plan of action.
Finally, (although there are several more steps you can and should take to secure your OT environments) practice makes perfect. Having a backup and restoration plan is great, but does nothing if you haven’t run through the process before an attack hits. Setting up a separate environment with equipment that’s identical to the production environment and practicing recovery is a great way to run through your crisis scenario without halting operations.
The bottom line is: plan, prepare and practice. Cybersecurity in OT environments is complex to say the least, but knowing what you’re up against and how you’re going to respond can make it a lot less intimidating.
Spencer Wilcox, executive director of technology and CSO at PNM Resources
As a mid-sized utility, I don’t have an infinite supply of money and talent to defend against everything a major-state actor might theoretically do. What I do have are partners. Cybersecurity, especially for OT, is a team sport. You can’t combat a nation state that has a nearly limitless supply of attackers that they can deploy on a single problem for years and years. You need a force multiplier, and that force multiplier is partnerships.
A good place to start is with your vendors because they are often your weakest points from an attacker’s perspective. You need to develop mutual trust with your vendors and relationships with people you can talk to about what is really going on if something happens in your industry. You should also develop relationships with an OT information-sharing and analysis center (ISAC). Make friends within your industry, and with government partners like law enforcement, your regulators and your CERT, and keep the lines of communication open. You will need those relationships during a crisis.
In the event of an attack, you need to be able to restore systems quickly. If you don’t have backups of your systems and your device configurations, you won’t be able to quickly recover a process. Instead, you will spend time redeveloping your process controls. You need to back up all that information and monitor for changes. This also means looking closely at all your IT-OT integration points.
To make all this work, there must be good, regular communication between IT and OT people. If your IT and OT staff are not talking, you have a much bigger problem than just cybersecurity, because these technologies are converging. They’re running on networks controlled by a commodity switch. You have to recognize that those interconnections are weak points in your defenses. Anything that happens to your enterprise network will, over time, infiltrate your OT network.
Nick Cappi, vice president portfolio strategy and enablement for cybersecurity Hexagon PPM Division
Critical infrastructure owners/operators must assume they are going to be hit by a cyber-attack, and the ability to fully recover quickly is critical to the safety of operations and the financial stability of the business.
The basic risk equation is this: risk equals likelihood multiplied by consequence.
To decrease the risk associated with vulnerabilities in industrial control systems and endpoints, the emphasis of the past few years has focused on reducing the likelihood of a cyber-incident. That’s perfectly fine, and this area of the risk equation should be evaluated; protections should be put in place. However, to ultimately reduce risk in financial terms, focus must be given to the consequence of an incident. This is an area that is not getting the attention it deserves.
With cyber/physical systems, the three primary questions asset owners/operators must ask themselves is:
- Can I produce and deliver my product if the IT or OT network is compromised?
- If we shut down operations, what is our recovery time objective (RTO)?
- What is our confidence level in achieving our RTO?
The more efficient method to reduce risk, in terms of time and cost, is focusing on consequence-reduction. Prevention techniques have a place, but critical infrastructure must look at the consequence of an incident and invest in technology that can get their operations back up and running in a matter of hours, rather than days and weeks. Considering the cost of a multi-day production outage, it’s evident that investment in being able to bounce back quickly has a high ROI.
As companies begin to measure and ultimately improve control-system resiliency, below are a few important steps to guide you through the process:
● Gain a complete asset inventory of OT and IT endpoints, particularly at Level 0 to 3 of the Purdue Model
● Baseline the “known good” configuration of critical assets and understand the data movement through the network
● Identify and assess vulnerabilities in assets and endpoints
● Utilize forensic analysis of configuration changes to enable incident responders to fully understand the composition of an incident to reduce mean time to recover (MTTR)
● Ensure business continuity by having a complete (and trusted) backup and restore point
In 2021, there have been several attacks on critical infrastructure that have resulted in production shutdowns that have had major impacts on the way of life for citizens and the global economy. To improve resiliency, specifically the time to recover following an incident, the industry must focus on reducing the consequence in managing their risk.
We have an opportunity to make ransomware an unprofitable business endeavor because asset owners/operators can recover on their own with little business impact.
By Mark Carrigan, cyber vice president, process safety and OT cybersecurity at Hexagon PPM
