Heavy industry, utilities, municipalities, government departments, transport and healthcare are increasingly under attack by cyber criminals, activists and even nation states, writes Doros Hadjizenonos, regional sales director at Fortinet, and these sectors are likely less prepared and more vulnerable than the traditional digital ‘knowledge worker’ segment when it comes to mitigating the risk.
In sectors that have long been heavily dependent on their IT systems for daily operations, cyber security is typically mature. But sectors using Operational Technology (OT) have tended to depend on the air gap between OT and IT systems to protect their OT from cyber attack.
Supervisory control and data acquisition (SCADA) and other industrial control systems (ICS) have traditionally been managed by engineers, whose priorities are plant safety and production. OT in healthcare, including life support systems and x-ray machines, is traditionally managed by healthcare professionals whose top priority is patient wellbeing.
OT systems also run critical infrastructure such as rail, road and air transport environments, where safety and availability are the top priorities. Across these diverse OT environments the same cyber security failings recur: poor password practices, a failure to patch and update systems, and a lack of cyber security awareness among users.
Research finds infrastructure, OT under attack worldwide
Failings such as these are now being compounded by the increasing connectedness of OT systems. While IT and OT have been managed separately since their inception, there has been a growing movement toward the convergence of these two systems over the past 12 – 18 months.
The Fortinet 2019 Operational Technology Security Trends Report, which analysed data from millions of Fortinet devices to assess the state of cyber security for SCADA and ICS, found a disturbing increase in purpose-built OT attacks designed to target SCADA and ICS systems; many of these attacks appear to target older devices running unpatched software. In 2018, exploits increased in volume and prevalence for almost every ICS/SCADA vendor, and around 74% of OT organisations came under attack in the past year. In addition to recycled IT attacks being thrown at unpatched or non-updated OT devices, 85% of unique threats detected target machines running OPC Classic, BACnet, and Modbus.
We identified malware, phishing, spyware, and mobile security breaches as the most common types of cyber attacks affecting OT, with four key reasons why these attacks persist: a lack of network visibility, a lack of suitably skilled security staff in the OT environment, the rapid pace of digitisation and the complexity of OT networks.
In environments such as municipalities and government departments moving to digitise their operations, OT may not play a direct role in daily operations, but these organisations too deliver crucial services, and they too have traditionally put cyber security low on their list of priorities. Not only could cyber attackers cripple municipal service delivery, they could also use these municipal systems as a gateway to connected infrastructure service providers.
Mitigating the risks
The risks associated with IT/OT convergence are real, and the number of attacks is increasing rapidly. In the OT environment, cyber attacks bring the risk of more than just downtime and financial losses – they could also cause physical damage to infrastructure, present a risk to human health and safety, and even cripple an entire country. Mitigating the risk should start with a ‘back to basics’ approach to cyber security best practice, and with bringing the CISO into OT digitisation planning and execution.
The OT network needs real-time visibility, control and security analysis, secure gateways at the edge, and the ability to address known and unknown threats. Access to the OT network should be controlled with layered segmentation and multi-factor authentication.
In line with ‘back to basics’ best practice, all organisations have to be cognizant of the fact that people remain cyber security’s weakest link. As new end users from all walks of life become entrusted with running connected critical infrastructure and OT, the onus is on their employer organisations to ensure cyber security plays a prominent role in their onboarding, with ongoing cyber security training and awareness efforts throughout the organisation.
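As an added illustration of what “layered segmentation” and “real-time visibility” mean in practice (this is example code written for this article, not Fortinet’s product or a reference implementation), the script below audits flow records against a zone allow-list and flags Modbus write requests from hosts that are not authorised to change process state. The zone prefixes, the allow-list, the authorised engineering workstation and the flow records are all constructed for the example; in a real deployment the zone policy would be enforced at the segmentation firewalls and the records would come from flow logs or passive OT monitoring.

```python
import ipaddress

# Constructed zone map (placeholder prefixes, not taken from the article).
ZONES = {
    ipaddress.ip_network("10.0.1.0/24"): "corporate_it",
    ipaddress.ip_network("10.0.2.0/24"): "ot_dmz",
    ipaddress.ip_network("10.0.10.0/24"): "ot_control",
    ipaddress.ip_network("10.0.20.0/24"): "ot_field",
}

# Allow-list of permitted cross-zone flows as (src_zone, dst_zone, dst_port).
# Anything cross-zone that is not listed is a segmentation violation.
# Ports are the standard assignments: 502 Modbus/TCP, 47808 BACnet/IP,
# 443 HTTPS to the jump host that sits in the OT DMZ.
ALLOWED_FLOWS = {
    ("corporate_it", "ot_dmz", 443),
    ("ot_dmz", "ot_control", 443),
    ("ot_control", "ot_field", 502),
    ("ot_control", "ot_field", 47808),
}

# Modbus function codes that change process state (coil/register writes).
MODBUS_WRITE_CODES = {5, 6, 15, 16, 23}

# Hosts permitted to issue Modbus writes (constructed: one engineering workstation).
WRITE_AUTHORISED = {ipaddress.ip_address("10.0.10.5")}


def zone_of(ip):
    """Map an IP address to its zone name, or 'unknown' if it matches no prefix."""
    addr = ipaddress.ip_address(ip)
    for net, name in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def check_flow(rec):
    """Return a list of findings for one flow record (empty list means allowed)."""
    findings = []
    src_zone, dst_zone = zone_of(rec["src"]), zone_of(rec["dst"])
    # Layered segmentation: cross-zone traffic must be explicitly allow-listed.
    if src_zone != dst_zone and (src_zone, dst_zone, rec["dport"]) not in ALLOWED_FLOWS:
        findings.append(
            f"segmentation: {src_zone}->{dst_zone}:{rec['dport']} not allow-listed")
    # Visibility into the protocol: writes to field devices only from authorised hosts.
    if (rec["dport"] == 502 and rec.get("fc") in MODBUS_WRITE_CODES
            and ipaddress.ip_address(rec["src"]) not in WRITE_AUTHORISED):
        findings.append(
            f"modbus: write fc={rec['fc']} from unauthorised host {rec['src']}")
    return findings


def audit(records):
    """Run check_flow over all records; return (record, findings) for flagged ones."""
    flagged = []
    for rec in records:
        findings = check_flow(rec)
        if findings:
            flagged.append((rec, findings))
    return flagged


# Constructed flow records; 'fc' is the Modbus function code where present.
SAMPLE_FLOWS = [
    {"src": "10.0.1.23", "dst": "10.0.2.10", "dport": 443},              # IT -> DMZ jump host
    {"src": "10.0.10.5", "dst": "10.0.20.7", "dport": 502, "fc": 16},    # authorised write
    {"src": "10.0.10.8", "dst": "10.0.20.7", "dport": 502, "fc": 3},     # read, allowed
    {"src": "10.0.1.23", "dst": "10.0.20.7", "dport": 502, "fc": 6},     # IT host writing to PLC
    {"src": "10.0.2.10", "dst": "10.0.20.9", "dport": 47808},           # DMZ -> field, not listed
    {"src": "10.0.10.8", "dst": "10.0.20.7", "dport": 502, "fc": 5},     # write from wrong host
]

if __name__ == "__main__":
    for rec, findings in audit(SAMPLE_FLOWS):
        print(rec["src"], "->", rec["dst"], "|", "; ".join(findings))
```

The two checks are deliberately independent: the fourth record trips both, which is the pattern to look for when an IT host that should never see the field network starts issuing writes, while the last record shows that an allow-listed zone pair is not sufficient on its own and that protocol-level visibility is what catches an unexpected writer inside the control zone.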