When it comes to cybersecurity, are you aware of the cyber threats around Operational Technology (OT)? Or that network connectivity to an organisation’s OT may provide an opportunity for a skilled threat actor to gain entry?
If you said no, it’s probably because when it comes to mitigating cyber threats, most people talk about it in the context of protecting IT assets such as the systems, data, applications, and networks that organisations depend on every day to keep the business operating.
Whilst IT assets are important, OT is a whole other realm of digital infrastructure that also needs protecting, and it is growing in importance and potential vulnerability all the time. That’s why understanding and testing an organisation’s Operational Technology security is so important.
Keeping the lights on
We take it for granted that we can just flip a switch to get a light and turn on a tap to get water. But the infrastructure that makes these things possible is extremely complex and it requires significant digital capability.
For example, to meet the cycles of consumer demand for electricity, a power grid must create exactly the amount of electricity that is being used at any given moment. This means the grid’s power generation and transmission lines must constantly adjust to meet demand wherever and whenever it is needed.
Managing this electrical cycle of demand is made possible because of the electrical utilities’ OT systems. The real-time control and influence these systems have on our day-to-day lives only amplify the need for strong OT security.
Many Asia Pacific countries have legislation to protect their critical infrastructure from cyber threats, including Australia, where the recent revisions to the Security Legislation Amendment (Critical Infrastructure) Act 2021 represent the Australian Government’s response to the growing cyber threats faced by critical infrastructure organisations.
In Singapore, the Cybersecurity Act was introduced in August 2018; however, last year the Cyber Security Agency of Singapore (CSAS) announced it was reviewing the Act to improve Singapore’s cybersecurity posture and support its digital economy.
The Agency also announced it was updating the Cybersecurity Code of Practice (CCoP) for the 11 Critical Information Infrastructure (CII) sectors to better deal with new and emerging threats. The Cybersecurity Act had initially focused on the CIIs, which support the delivery of essential services such as water and power.
OT systems — often referred to as Industrial Control Systems, or ICS — are also increasingly prevalent in industrial and manufacturing environments, as we’ve put robots on our assembly lines and stuck chips in virtually every piece of equipment we deploy.
So, while we might at first think of the so-called “Internet of Things” (IoT) in terms of our smart homes and our cars, a large percentage of the world’s estimated 11.5 billion chip-enabled devices are in OT infrastructure.
Operational technology-related risk
The risks associated with critical OT infrastructure are obvious. We’ve seen them in the movies (e.g., Die Hard 4) and in real life (e.g., Ukraine in 2015), but as we implement more OT, our threat surface keeps growing. And as we add more features and functionality to our OT control systems, system complexity adds to our cybersecurity challenge.
Global tensions also increase our OT-related risk, since critical infrastructure is an attractive target for state actors seeking to do harm. However, OT infrastructure is also an attractive target for ransomware attacks—since it could potentially allow cybercriminals to hold vital services hostage.
Utility companies and other operators of critical infrastructure are aware of this risk, so they tightly control access to their OT systems. OT networks are also typically kept separate from IT networks and are not connected to the public internet.
This air gapping obviously poses a significant obstacle to any would-be attacker. However, there are growing caveats to this idea of air gapping. As operators of OT infrastructure get more aggressive about leveraging the intelligence of their OT networks, they increasingly need to tap into those networks via wired or wireless connections using fixed or mobile computing devices. That connectivity — as secure as operators may hope it is — often creates potential points of exposure to an extremely skilled and dedicated hacker.
Security testing is key to OT integrity
Nowhere is the importance of testing greater than in OT. If your organisation has OT infrastructure, it is important to engage the services of a qualified penetration testing (pentesting) team to independently validate your cybersecurity posture on a regular basis.
Before working with a pentesting partner, it is important to ask questions about the team’s previous OT experience, any OT certifications they hold, and the types of industries in which they have OT experience (e.g., water infrastructure is different from energy infrastructure).
Pentesting and adversarial testing will help you gain both confidence and a deeper understanding of the integrity of your IT and OT infrastructure. In the worst-case scenario, when security vulnerabilities in your IT or OT infrastructure are found, you will have the time to mitigate and take the necessary steps to prevent a threat actor from leveraging those vulnerabilities.
A proactive approach to security allows you to take an important step in protecting your organisation, as well as the customers you serve, from the serious consequences that would come from a breach of your OT infrastructure.
Just as our businesses and our personal lives have become increasingly digital, so has the infrastructure on which we all depend every day. It is only when our access to these services becomes disrupted that we realise how much we rely on them. As with our health, maintaining it should not be put off or ignored until it is too late.