Outsmarting OT threat actors in today’s high-stakes threat environment

Dec. 17, 2021

Here are some strategies for organizations to safeguard their OT networks.

Tenable's Marty Edwards

As we approach the new year, managing the evolving operational technology (OT) threat landscape has become more important than ever. OT environments are becoming increasingly interconnected and attacks are becoming increasingly intense. Take for example the Colonial Pipeline breach from earlier this year. The lines at the gas stations caught citizens’ attention nationwide in a way that OT never had before, leading to an increased demand for cyber-awareness and defense.

Following this episode, in October, Gartner predicted that OT environments may become weaponized by 2025 with threat actors beginning to set their sights on the physical side of things, in addition to business disruption. Just last month, a drone crash near a Pennsylvania power substation put a magnifying glass on the emerging physical threats in these OT environments. Furthermore, supply chain and software library-based vulnerabilities, such as the one recently disclosed in Java Log4J, are providing threat actors with consistent and easy access to almost everything from industrial-control systems to web applications to a television set.

Knowing that companies and their employees are at stake, here are some strategies for organizations to safeguard their OT networks.

Gain visibility

It’s nearly impossible to prepare for potential cyberattacks without obtaining complete visibility into your network. After all, how can you secure what you don’t know exists? A recent study reported that 79% of security and business executives understand the significance and benefits of improved visibility into their organizations’ software vendors; however, only 46% of these executives have complete or high visibility into these partners.

In order to change this, organizations must strengthen their knowledge of what’s being used within their systems; this will provide them with the situational awareness needed to combat emerging threats. Once a solid inventory is established, they should run a vulnerability scan to identify other impacted areas.

While asset inventory is key, organizations must remember that network monitoring alone will only provide some of the detail. Therefore, companies must begin tracking any changes across devices in order to control and safeguard their systems.
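The three steps above (build an inventory, check it against known-vulnerable components, then track changes across devices) can be turned into a small baseline check. The following is an added example, not code from the article or from Tenable; the device names, addresses, vendor, firmware versions and the vulnerable-version list are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One OT/IT device as recorded in the inventory."""
    ip: str
    vendor: str
    firmware: str
    components: tuple  # software components as "name=version" strings


# Constructed sample inventories (hypothetical devices, not real data).
BASELINE = {
    "plc-01": Asset("10.0.1.10", "ExampleVendor", "4.2.0", ("modbus-stack=1.8",)),
    "hmi-01": Asset("10.0.1.20", "ExampleVendor", "7.1.3", ("log4j-core=2.14.1",)),
    "hist-01": Asset("10.0.2.5", "ExampleVendor", "3.0.1", ("log4j-core=2.16.0",)),
}
CURRENT = {
    "plc-01": Asset("10.0.1.10", "ExampleVendor", "4.2.0", ("modbus-stack=1.8",)),
    "hmi-01": Asset("10.0.1.20", "ExampleVendor", "7.1.3", ("log4j-core=2.14.1",)),
    "plc-02": Asset("10.0.1.11", "ExampleVendor", "4.2.0", ("modbus-stack=1.8",)),  # new device
    "hist-01": Asset("10.0.2.5", "ExampleVendor", "3.0.2", ("log4j-core=2.16.0",)),  # firmware changed
}

# Constructed vulnerable-version list; in practice this comes from a vetted advisory feed.
VULNERABLE = {"log4j-core": {"2.14.1"}}


def diff_inventory(baseline, current):
    """Return (added, removed, changed) asset ids between two inventory snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(a for a in set(baseline) & set(current) if baseline[a] != current[a])
    return added, removed, changed


def vulnerable_assets(inventory, vulnerable=VULNERABLE):
    """List (asset_id, component) pairs whose component version is on the vulnerable list."""
    hits = []
    for asset_id, asset in sorted(inventory.items()):
        for comp in asset.components:
            name, _, version = comp.partition("=")
            if version in vulnerable.get(name, set()):
                hits.append((asset_id, comp))
    return hits


if __name__ == "__main__":
    added, removed, changed = diff_inventory(BASELINE, CURRENT)
    print("new devices:", added, "missing:", removed, "changed:", changed)
    print("vulnerable components:", vulnerable_assets(CURRENT))
```

Running the snapshot diff on a schedule surfaces the unexpected new PLC and the changed historian firmware that passive monitoring alone would not flag, while the component check shows which devices still carry the vulnerable library version.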

Organizations need to have visibility of their OT environments, but that is only one component of preparing for potential threats. Another aspect is truly prioritizing cybersecurity in the workplace.

Prioritize cybersecurity

Incidents like Colonial Pipeline and the Pennsylvania drone crash made security tangible for non-security professionals. When a cyberattack causes gas prices to spike or physical security to come into question, it’s no longer just organizations that are affected—now the conversation is shifting toward their customers and key stakeholders. Subsequently, nearly every board of directors is now interested in what the cyber-risk is to their company.

In order to avoid future incidents, security must be prioritized beyond security teams themselves. Organizations and their stakeholders must be equally involved and informed on who would be affected by an attack, to what extent, what the response would be and how they should proactively prepare.

Cybersecurity is ever-evolving, which means an increased demand for collective attention to cybersecurity and to the effects of an attack. One way to prioritize cybersecurity is to dedicate time to think like a threat actor.

Think like a threat actor

Thinking like a threat actor means identifying potentially vulnerable areas before a real threat actor puts the system at risk. As we enter a new year, 2022 will bring new strategies for ransomware operators: rather than targeting low-hanging fruit and scaling attacks, we can expect threat actors to get more strategic and selective about who they’re targeting, with the end goal being a balance between making money and avoiding retribution from the government.

In order to stay ahead of these threat actors, organizations must think like them—aim security efforts at the adversaries’ balanced goals to ensure the missions cost too much to conduct. By beefing up security, exploitation will become harder and more expensive, therefore diminishing interest from threat actors.

So what does this mean for OT-security teams around the holidays?

Companies should not wait for the attack to happen. Instead, they must take the first step of gaining an accurate IT/OT asset inventory and understanding how the vulnerabilities on these networks could affect the company at large. From there, they must prioritize security throughout the entire organization and manage risk from a threat actor’s perspective. With these processes in place, organizations can better prepare and mitigate risk as vulnerabilities like Log4Shell inevitably continue to sweep the industry by storm.

Marty Edwards is the vice president of OT security with Tenable