In the new digital economy, data – and what you do with that data – is the key to success. Consumers and employees alike now demand instant access to critical information that allows them to solve problems, make informed decisions, or conduct transactions. But that’s just the part of the data equation most of us can see.
To effectively compete in today’s digital market, and capitalize on the data being collected and processed, organizations need to be able to respond quickly to market shifts and consumer demands, fine-tune production, realign resources, and manage infrastructure. This is why nearly three-fourths of all organizations have begun to converge their information technology (IT) infrastructure with their traditionally isolated operational technology (OT) networks.
However, the convergence that is enabling new agile business models is also introducing significant new risks, many of which are catching organizations entirely unprepared. For example, nearly 90% of organizations have now experienced a security breach within their Supervisory Control and Data Acquisition and Industrial Control Systems (SCADA/ICS) architectures, with more than half of those breaches occurring in just the last 12 months! Even more alarming, most of those breaches have had a high or critical impact on the business, from compromising the ability to meet compliance requirements, to decreased functionality and financial stability, and even to affecting employee safety. For those OT organizations responsible for critical infrastructure, any sort of compromise needs to be taken extremely seriously.
These are just some of the findings of a new study conducted by Forrester Consulting that explores the current state of securing critical infrastructure, including its related challenges, priorities, and strategies. This study, conducted in January of 2018, surveyed 429 global decision-makers responsible for the security of critical infrastructure, IP level protection, IoT, and/or SCADA systems across the US, Europe, and Asia.
While most organizations acknowledge the importance of SCADA/ICS security and have already undertaken numerous measures to secure their SCADA/ICS systems, they also plan to increase SCADA/ICS security spending by 77%, which is more than in any other segment of their OT or IT network. Part of the reason for this increased funding is that nearly all decision-makers acknowledge that there are potentially serious security challenges related to converging OT and IT.
The top concerns of CSOs/CISOs include the inability to properly identify, measure, and track risk; IT outages impacting customer-facing systems; and the interruption of business operations due to a catastrophic event. These challenges are compounded by a lack of security expertise, not only within their own in-house staff (40%), but also within the third-party vendors they outsource their security services to (41%). This is the result not only of the growing cybersecurity skills gap facing the entire computing industry, but also of the fact that, even among the security professionals who are available, very few have any expertise with OT environments.
This focus on security is being driven by a number of fears, the biggest of which is adding cloud solutions to ICS systems, and the resulting inability to identify or act on risk because of the limited visibility and control that cloud infrastructure and services can introduce. After cloud concerns, the next five SCADA/ICS attack vectors security leaders are concerned about in OT environments are viruses (77%), internal (73%) or external (70%) hackers, the leakage of sensitive or confidential information (72%), and the lack of device authentication (67%). And over a third are now concerned with the exploitation of backdoors built into connected IoT devices.
That concern is likely to grow. Every single organization surveyed now has IoT technologies in place, with firms having an average of 4.7 different kinds of IoT tech connected to their network, including passive RFID, real-time location tracking (active RFID, ultra-wide band, ultrasound, etc.), GPS tracking, security sensors, grid sensors, and condition sensors. These devices also use a wide range of communications protocols, including Wi-Fi, cellular systems such as CDMA/GPRS/4G, mesh networks, telematics, and near-field communications (NFC). Each of these technologies introduces its own unique security challenges, and those challenges are compounded by many of the security issues inherent in IoT devices that have been built using poor code, that have backdoors and passwords built directly into their firmware, or that operate as headless devices, preventing even basic updating and patching.
The issue is magnified further by the fact that well over half of organizations now also outsource at least some part of their SCADA/ICS infrastructure and security, granting outside parties complete or high-level access to those systems. Top SCADA/ICS security functions that organizations typically outsource include wireless, IPS, NAC, and IoT. However, we are beginning to see a shift in this behavior. While most organizations that outsource these functions have traditionally worked with multiple vendors, fear of exposure to risk is changing that trend. The number of organizations that now rely on a single vendor to provide a full range of outsourced solutions has jumped from 38% to 47% between 2016 and 2018.
In addition to identifying expertise, part of the solution begins by simply complying with regulations, which can take much of the guesswork out of developing a security strategy. While organizations certainly prioritize the standards that regulate them, the unique exposure of OT systems makes it critical that they focus on the standards most important to protecting their SCADA/ICS systems. This is why meeting compliance standards (49%), providing end-to-end solutions (47%), and reliability (46%) are the most important criteria an enterprise uses when selecting a security vendor to partner with.
For many organizations in this same situation, the biggest question they often ask themselves is where to start. Most organizations surveyed feel the best way to avoid the challenges related to converging OT and IT is to perform a full business and operational risk assessment, regardless of how far along they are in their convergence strategy.
Other critical measures organizations may want to consider, based on best practices and feedback from survey participants, include:
· Implementing critical network security controls, such as NGFW, IPS, and sandboxing, at the edge of the OT environment; increasing the centralization of device management and decision making; encrypting data and traffic; and, given the highly sensitive nature of the sensors and systems deployed in critical infrastructure environments, establishing passive monitoring and controls within the OT environment.
· Isolating critical infrastructure from production networks, IT devices, and staff using segmentation and microsegmentation strategies.
· Continuously logging and analyzing all network traffic (security analytics).
· Two-factor authentication, including biometrics (e.g., fingerprint, voice, facial recognition, etc.), and establishing role-based access control for all employees (IAM), as well as privileged identity management for administrators (PIM).
· Investing in and building out SCADA/ICS, OT, and IoT-specific security expertise in-house.
· Consulting with government bodies such as the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and implementing common standards such as ISA/IEC-62443 or ISA-99.
Success in the new digital economy requires developing integrated networks that are able to seamlessly leverage all available resources, whether within the traditional IT network, through endpoint devices and applications, across multi-cloud environments, or even in ICS/SCADA systems deep inside your OT network. Accomplishing this, however, introduces new risks, many of which could have devastating consequences if realized. As attacks become more frequent, the potential for a catastrophic event that puts workers or even communities at risk continues to increase, and organizations need to take precautions that enable them to see and respond to threats, and even anticipate them, regardless of where they occur across the expanding network.
Access or download the full “Independent Study Pinpoints Significant SCADA/ICS Cybersecurity Risks”
Read more about the unique challenges of securing operational technology systems and how Fortinet can help.
This byline originally appeared in CSO.