Organizations of all types today face an evolving threatscape and growing pressure to rethink security strategies for long-term sustainability. Critical infrastructure industries, and the communities and economies they serve, face not only particularly damaging outcomes from successful cybersecurity attacks, but also need to deal with significant complexity due to the scale of their operations.
Fortinet’s Daniel Cole discusses the issues and trends affecting the critical infrastructure organizations today.
Over the past several years, security has become a primary focus for utility companies, transportation groups, natural resource producers, and more. Research indicates that these organizations are under a state of constant cyberattack, with incidents increasing in sophistication. Operators are concerned about resolving security gaps that are growing wider over time.
The machines and technology used to manage and run hydropower dams, oil and gas companies, and other infrastructures were never designed to be connected to remote or public networks. Security was taken for granted because these systems were isolated, and physical access was often restricted. They used proprietary equipment that was often custom built and limited in terms of communications protocols, which meant that even if a cyberattacker could somehow gain access, none of his or her tools would be of any use. But with Industry 4.0 – or the fourth industrial revolution – these environments now have interconnected machines and open standards, and use off-the-shelf hardware and software. As with any other IT network, the cost savings and efficiency that these changes provide also come with increased vulnerability. This means industrial control systems (ICS) now present a wider attack surface.
Also, many people used to think that creating an “air gap” between ICS and all other networks could ensure security. But as more and more of today’s ICS operational technology (OT) components rely on software updates and periodic patching from IT, it is now virtually impossible to avoid at least occasional data transfer into the ICS. Even environments without permanent network connections (or those employing only unidirectional devices, such as optical data diodes) have vulnerabilities. Employees may introduce infected PCs or storage devices, such as USB drives, into that environment, which can then compromise the network.
Before an organization can accurately assess what threats are out there, it first needs to consider why someone would want to attack them. Most cyber criminals or malicious organizations are seeking financial gain. But in ICS environments, attacks can also be motivated by political or terrorist agendas, including a desire to destroy equipment, threaten national security, and endanger human life. Critical infrastructure organizations have become attractive targets for cyberterrorist attacks. And the types of attacks have become more sophisticated.
While organizations can’t predict every threat, they need to focus on what they can control. Here are questions to help assess OT vulnerabilities:
While the threats from cyber criminals and terrorist organizations are real and concerning, unintentional internal issues account for 80 percent of industrial security incidents [RISI]. In critical infrastructure organizations, software misconfigurations caused by human error, malfunctioning network protocols, and unexpected device behavior are the issues to keep an eye on.
A holistic security approach can protect against intentional targeted attacks as well as human error from internal sources. Solving ICS security issues requires a solution that unifies the best of current OT network security capabilities with an extensive understanding of ICS processes and protocols.