How to Address the Biggest Risk to Critical Infrastructure: Apathy


Editor’s Note: Terry Olaes is Technical Director, North America, Skybox Security


After decades of neglect, operational technology (OT) security is finally receiving attention thanks to the Biden administration’s recent efforts to shore up cybersecurity with critical infrastructure providers and their partners.

Since essential services ranging from water and power to communications and manufacturing rely on OT for daily operations, bad actors and adversarial nation-states have come to recognize vulnerabilities within the sector and are actively looking to ransom or disrupt vital services.

The Colonial Pipeline attack puts a finer point on the urgent need for OT organizations to mature their vulnerability management practices. Research suggests these types of threats will continue to trend upward: OT attacks jumped by 30% in 2020 alone.

Utilities often leverage IT networks to control and monitor OT devices. But all too frequently, neither the combined IT/OT environments nor the devices within them were set up with solid security measures. This elevates risk and allows threats to pass freely between the IT and OT networks, weakening their security.

Industrial IoT proliferation has added new, large, and varied technologies to the IT/OT mix, including sensors and robotics with their own sets of security problems, such as devices often arriving with hardcoded weak or generic passwords. To compound this, legacy technology is rife in OT networks; some of the older process control systems and networking components are incapable of taking on modern cybersecurity practices.

Lack of visibility due to scale and complexity leaves many OT networks in the dark. OT firewall management, if present at all, has traditionally been decentralized, and path analysis has been underutilized in OT, leaving security teams with little understanding of their attack surfaces and vulnerabilities.

Complete visibility is essential in security to understand the environment and its connections, design security architectures, identify attack vectors and locate blind spots. Without full visibility, unknown and unchecked security issues flourish. A sample of these issues includes access policy violations, undiscovered vulnerabilities, misconfigurations, risky design in the form of weak security controls, and unplanned or unauthorized changes.

CISOs and their teams are increasingly at a stalemate when trying to understand their attack surfaces. Municipalities and utilities can’t afford significant disruptions in operations to replace legacy technology. Moreover, OT device vulnerability scans and remediation might only happen once or twice per year to limit downtime. If a security team cannot communicate or convince other stakeholders how important it is to install a patch — or implement a mitigation measure — the technology will continue to remain vulnerable.

Some areas of OT security are years behind IT security in technology, in process, or often both. Understandably, this is a daunting gap to close. However, it is not insurmountable. Often, we find the biggest risk to OT organizations is apathy, with denial that it could ‘happen to me’ a close second.

Municipalities and utilities should take a proactive approach to avoid landing in bad actors’ crosshairs. Going forward, protecting OT environments and critical infrastructure will require organizations to throw out their old, siloed playbooks and come together to explore and expand beyond traditional “detection and response” models.

No matter the challenge, the OT and IT security teams must come together to holistically manage risk throughout the entire organization.

To achieve this, entities with OT networks must:

  • Passively collect data from the networking and security technology within the OT environment.
  • Build a network model encompassing both IT and OT.
  • Employ path analysis to understand all IT and OT connectivity, including how risks can impact either environment or traverse one to reach the other.
  • Leverage a network model to prioritize which OT vulnerabilities to remediate based on cyber exposure and identify patch avoidance options for unpatchable legacy equipment.
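The four steps above amount to a small analysis loop: a model of zones and firewall rules, a path analysis that walks that model from an external source, and a ranking of vulnerabilities by whether an attacker can actually reach them. The following Python is an added illustration of that loop, written for this article; it is not code from the author or from any vendor product. Every zone, host, port, rule and severity in it is constructed, and the model is deliberately coarse (zone-to-zone rules rather than per-host ACLs) so the logic stays readable.

```python
"""Toy IT/OT network model with path analysis and exposure-based
vulnerability prioritization. All zones, assets, rules and severities
below are constructed for illustration; none describe a real network."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """A firewall permit between two zones. port 0 means any port."""
    src_zone: str
    dst_zone: str
    port: int


@dataclass
class Asset:
    name: str
    zone: str
    services: dict  # port -> (severity, patchable) for each vulnerable service


SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed rule base. The IT -> supervisory Modbus permit is the kind of
# risky design the article describes: it lets an IT compromise traverse into OT.
RULES = [
    Rule("internet", "dmz", 443),
    Rule("dmz", "it", 445),
    Rule("it", "ot_supervisory", 502),
    Rule("ot_supervisory", "ot_control", 502),
    Rule("ot_supervisory", "ot_control", 44818),
]

# Constructed inventory, as passive collection might produce it.
ASSETS = [
    Asset("web-01", "dmz", {443: ("high", True)}),
    Asset("hist-01", "it", {445: ("high", True)}),
    Asset("hmi-01", "ot_supervisory", {502: ("critical", True)}),
    Asset("plc-07", "ot_control", {502: ("critical", False)}),   # legacy, cannot be patched
    Asset("plc-12", "ot_control", {44818: ("medium", False)}),
    Asset("eng-ws-02", "ot_engineering", {3389: ("critical", True)}),  # no rule reaches it
]


def analyze(rules, assets, source="internet"):
    """Fixpoint path analysis. A service (asset, port) is reachable when the
    attacker already has presence in a zone with a rule into the asset's zone
    on that port; compromising it grants presence in the asset's zone.
    Returns {(asset_name, port): path}, path being a list of (zone, asset, port)."""
    presence = {source: []}   # zone -> path by which the attacker got there
    reached = {}
    changed = True
    while changed:
        changed = False
        for rule in rules:
            if rule.src_zone not in presence:
                continue
            for asset in assets:
                if asset.zone != rule.dst_zone:
                    continue
                for port in asset.services:
                    key = (asset.name, port)
                    if key in reached or rule.port not in (0, port):
                        continue
                    path = presence[rule.src_zone] + [(asset.zone, asset.name, port)]
                    reached[key] = path
                    presence.setdefault(asset.zone, path)
                    changed = True
    return reached


def prioritize(rules, assets, source="internet"):
    """Rank vulnerabilities by cyber exposure: unreachable ones sink to the
    bottom regardless of severity; reachable ones sort by severity, then hops."""
    reached = analyze(rules, assets, source)
    rows = []
    for asset in assets:
        for port, (severity, patchable) in asset.services.items():
            path = reached.get((asset.name, port))
            rows.append({"asset": asset.name, "port": port, "severity": severity,
                         "exposed": path is not None,
                         "hops": len(path) if path else 0, "patchable": patchable})
    rows.sort(key=lambda r: (not r["exposed"], -SEVERITY_RANK[r["severity"]], r["hops"]))
    return rows


def patch_avoidance(rules, assets, asset_name, port, source="internet"):
    """For an exposed service that cannot be patched, find the rule completing
    the last hop of its attack path and re-run the analysis without it."""
    path = analyze(rules, assets, source).get((asset_name, port))
    if path is None:
        return None
    prev_zone = path[-2][0] if len(path) > 1 else source
    blocking = next(r for r in rules if r.src_zone == prev_zone
                    and r.dst_zone == path[-1][0] and r.port in (0, port))
    remaining = analyze([r for r in rules if r != blocking], assets, source)
    return {"remove_rule": blocking, "still_exposed": sorted(remaining)}


if __name__ == "__main__":
    for row in prioritize(RULES, ASSETS):
        print(row)
    print(patch_avoidance(RULES, ASSETS, "plc-07", 502))
```

Two things the output makes visible that a severity list alone does not: the critical vulnerability on the engineering workstation ranks last because no path reaches it, and for the unpatchable PLC the analysis names the single supervisory-to-control Modbus rule whose removal closes its path while leaving the rest of the exposure picture for review. A production model would carry per-host ACLs, NAT and routing rather than zone-level permits, but the prioritization question it answers is the same one.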

Security leaders who implement these best practices will gain full context and understanding of their attack surface. This will allow them to better identify and proactively remediate critical attack vectors ahead of the incident. They will also be able to leverage and expand existing security policy management programs from IT and hybrid environments to OT environments, simplifying audit and compliance attestations. Further, they will be able to facilitate and verify proper segmentation across hybrid infrastructure.

Historically, the management of OT cybersecurity has been short-sighted, costly, and inefficient. Security policy management and network modeling strategies should be at the top of any business’s list of priorities. Control over external network access is paramount to limit opportunities for criminals to exact severe financial and reputational damage.

Organizations must not delay any further. By adopting a security platform that gives teams the ability to collectively visualize and analyze hybrid, multi-cloud, and IT/OT networks, they will gain an adaptive and continuous understanding of the growing attack surface. Safety is paramount in OT environments; don’t neglect the impact a bad cyber actor can have on operations. OT and IT organizations can learn from each other and develop practices that holistically drive down risk while minimizing downtime with passive discovery and patch avoidance options.

Apathy has become a significant risk to critical infrastructure security. Yet, recent hacks have made crystal clear that cybersecurity threats are both real and potentially devastating – no longer the province of spy movies or science fiction. Security leaders in OT-dependent industries must move past the mindset that their organizations will not be the ones in hackers’ crosshairs. Taking a proactive approach today to mature cybersecurity in the OT environment and following industry guidance is necessary to keep threats from gaining a foothold and causing future disruptions at the scale of the Colonial Pipeline.
