Securing critical infrastructure in an increasingly interconnected world
Jimmy Yam, Vice President at Eaton


As the world speeds towards digitalization, organizations are increasingly exposed to cybersecurity vulnerabilities and risks. Cyberattacks against commercial, industrial, utility and government networks have increased in frequency over the years -- a recent industry report found that the number of cyberattacks rose by 17% in the first quarter of 2021 compared to the same period last year.
To combat such attacks, the cybersecurity industry has largely focused on developing solutions to protect information technology (IT) networks, leaving Industrial Control Systems (ICS) or Operational Technology (OT) systems exposed.
However, businesses can no longer afford to deprioritize ICS security with the rise of Internet of Things (IoT) and the convergence of IT and OT environments.
Amidst expanding adoption of sensors, machine learning and analytics in industrial environments, malicious cyber actors have turned their attention towards ICS and OT systems that run critical infrastructure. In fact, data collected by IBM indicates that malicious activity targeting OT assets increased 2,000% between 2018 and 2019, while ICS-related vulnerabilities discovered in 2020 saw a year-on-year increase of 49%.
Shining the spotlight on operational technology
Attacks on control processes and industrial systems may have risen over the years, but OT security remains less understood amongst technology and business leaders.
OT uses hardware and software to oversee and control physical devices and infrastructure. This can be found across a wide range of industries such as manufacturing, power generation, transmission and distribution, oil and gas, transportation and water utilities. In short, OT controls equipment and physical processes while IT or information technology is more focused on data.
OT has in fact been part of our lives much longer than IT -- it started with the use of electricity-powered machinery and often includes critical infrastructure such as power grids, water treatment plants or healthcare. Thus, OT cybersecurity attacks have the potential to affect not only a single organization but an entire population.
Historically, OT networks have largely been isolated from IT systems and the internet. But with the rise of digital innovation and IoT, OT systems are increasingly interconnected not only with each other but with IT networks as well.
IDC predicts that by 2025, there will be 55.7 billion connected devices in the world and the vast majority of these devices (75%) will be connected to an IoT platform. While this brings incredible benefits to businesses and lives, the increasing number of connected devices also means that the cybersecurity threats are far greater.
The true cost of OT cyberattacks
Unlike IT cybercrimes which tend to focus on data and identity theft, OT attacks target the safety and availability of critical infrastructure such as power and transportation facilities. A breach in OT cybersecurity can have major implications for organizations, including business disruption, information loss, revenue loss, regulatory fines and equipment damage.
Even large global companies with every resource at hand are not impervious to OT breaches. In 2018, a petrochemical plant in Saudi Arabia was hit by a cyber attack meant to sabotage the firm’s operations and trigger an explosion. Earlier this year, a ransomware attack on the Colonial Pipeline, the largest fuel pipeline in the United States, led to gas shortages across the East Coast. If such large companies are vulnerable, smaller organizations simply cannot afford not to have a comprehensive cybersecurity strategy that ensures that their IT and OT networks are well-defended.
There is also a large cost in terms of corporate reputation from cyber attacks as an organization’s vulnerabilities are publicly exposed. This can affect customer loyalty and ultimately, the bottom line and stock prices. IBM estimates that the average cost of a cybercrime on a company in 2020 is USD 3.86 million.
Beyond the organization’s financial and reputational loss, OT cyberattacks can manifest in adverse consequences on people and the environment. A recent report by Gartner predicted that by 2025 cyber attackers will have weaponized OT environments to successfully harm or kill humans, and that the financial impact of attacks using OT resulting in fatal casualties will reach US$50 billion by 2023.
While this may sound alarmist to some, attacks on industrial control systems have risen over the years, and security breaches on OT networks can result in severe disruptions in the physical world.
What’s next for businesses
Organizations need to take a holistic approach to ensure their data, equipment and processes are fully protected. This means implementing cybersecurity solutions that address gaps in increasingly integrated IT-OT networks.
These solutions need to be “secure by design”, meaning they must ensure their hardware and software vulnerabilities are adequately addressed through implementing safeguards, continuous testing and adopting best practices in the industry.
Cybersecurity teams also need to carry out regular assessments to understand their organization’s evolving vulnerabilities, ensuring legacy infrastructure is secure and well-integrated with software solutions. Taking a full lifecycle management approach where IT and OT systems are periodically monitored will enable organizations to identify vulnerabilities early on and perform timely interventions.
Most crucially, businesses need to establish a collaborative culture around cybersecurity. From an organizational standpoint, it may mean appointing a cybersecurity leader who leads a team that looks at cybersecurity holistically across IT and OT.
After all, organizations that allow an “us versus them” mentality towards cybersecurity to persist will be inviting hackers in not due to the lack of technical due diligence, but due to operational silos.