Another year has concluded, now with Operations Technology (OT) not only functioning in our critical infrastructures – but also becoming increasingly integrated and widely used within aspects of our daily lives. Dependence is growing on increasingly connected home automation and building management systems, medical devices and daily transportation – with a greater level of internet accessible OT components, and coming with them, a surge in available threat surfaces. Although through the last year of research, headlines and developments in OT cybersecurity, we can also see a clear way forward for all parties involved, to provide greater protection for infrastructures in the year ahead.
Reflecting on 2018: OT cybersecurity in the headlines
With insecurity in critical OT components, comes not just financial and business risks, but possible social impacts, human safety or environmental pollution. According to CSIS, significant cyber incidents in 2018 included ransomware attacks on US city services, state-sponsored attacks against critical infrastructure in multiple countries and cyber espionage undertaken to collect military and critical infrastructure information. Industrial control systems (ICS) within US, European, East Asian and Middle Eastern power facilities have reportedly felt the hands of malicious activity – with the potential to feel heavy impacts.
Malicious interactions can take various ways, shapes and forms. For a deeper understanding of the possibilities, let’s highlight some research and headlines from 2018:
As per McAfee’s recent report, Operation Sharpshooter targeted defense and critical infrastructure security. Explained at a high level – it was a phishing attack masquerading as legitimate industry job recruitment. Once the bait was taken, reconnaissance was launched for possible exploitation.
Remote access outside a company network forms another attack surface. In mid-2018, VPNfilter malware was uncovered which affected certain brands of consumer grade routers and NAS (Network Attached Storage). It is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber-attack operations.
In late 2018, speculation sparked over an unknown microchip backdoor found on server motherboards supplied to major US organizations. Although the manufacturer had denied the implications, it is a wake-up call to seriously look at supply chain cybersecurity.
A greater emphasis is now also being placed on protecting our critical infrastructures. In mid-2018, Interpol has released a report encapsulating critical infrastructure protection good practices against physical and cyber-attacks with national policies around the globe. This is a handy reference for asset owners, vendors and the industrial cybersecurity community. With resources becoming increasingly more available to assist in securing these facilities, it is also important to realise that looking forward, securing OT requires a collaborative, multi-tiered approach.
Looking forward: What can be done in the year ahead of us?
It is important that Asset Owners take a strong grip on OT cybersecurity, implementing cybersecurity governance to manage policy enforcement, exceptions and residual risks. Ensuring sustainable cybersecurity measures of OT systems are in place is a priority, and organisations should incorporate proper life-cycle management, use of secure by design and vulnerability management. It is recommended for regular security assessments to take place from a trusted and vendor-neutral 3rd party to evaluate security controls – keeping security measures up to date with the implementation of changes or upgrades to OT systems over time. As a recommendation, the IEC 62443 standard forms a fantastic baseline to assess facilities against; providing effective ICS security measures and best practices to implement. Amongst policy and technology improvements, ongoing employee cybersecurity awareness programs will provide mitigation against human error and will help your workforce stay vigilant against suspicious activity in facilities.
The media plays an important role in how OT security issues and incidents are depicted around the world. Sharing incident news boosts awareness of possible impacts that exist, although it is important to avoid speculation and the creation of Fear, Uncertainty and Doubt (FUD.)
From a vendor perspective, it is important to implement processes to manufacture cyber secure end products. Considerations should include:
- Adopting a Secure Development Lifecycle for software and firmware;
- Ensure end products have validated security controls;
- Ensure compatibility with newer system platforms and applications;
- Opt for applicable accreditations to demonstrate cybersecurity for end users.
Collaboration with the security researchers and the cybersecurity community is also an important aspect, with prompt action needing to be taken by a product security team to resolve issues swiftly upon disclosure of vulnerabilities - ultimately to protect their end users and operators.
Working together with vendors and following the “Responsible Disclosure” protocol when new vulnerabilities are uncovered is an important step in the process, giving vendors the opportunity to rectify security issues before they become public knowledge. The industry is also facing a shortage of skilled ICS Cybersecurity practitioners and will therefore also benefit from enhanced training, the sharing of knowledge and encouragement of ICS security community growth.
On a state level, stipulating national policies for critical infrastructure protection and continuing to enhance laws and regulations will assist in governing the proper use of new technologies. With reference to the NIS Directive, it is also important to more clearly define frameworks for auditing requirements and incident notification processes, so organisations are able to meet guidelines and put measures into practice.
For individuals, ensuring compliance with corporate cybersecurity policies at work, staying vigilant in regard to the remote access of corporate resources and incident reporting play an important part in the process for developing cyber secure operations. Online sharing of information (either corporate or personal) on social networks or public discussion forums, carries with it the possibility to disclose sensitive details such as schedules, configurations and device information, which may be used against the organisation.
Keeping your OT cyber secure in 2019
Cybersecurity is the responsibility of every party involved. 2018 has shown that OT security incidents are not an unrealistic scenario, with threats continuing to develop in complexity. On the contrary, a greater emphasis continues to be placed on the protection of OT systems when looking at the increasingly available resources and regulations surrounding industrial cybersecurity. Many aspects are to be considered when taking the steps to ensure critical OT assets and components are protected, although there remains one standout point – the best time to begin implementing sustainable and effective cybersecurity measures is now. If your organisation requires an experienced ICS security partner to help develop and implement necessary cybersecurity practices against internationally recognised standards, contact us for more information tailored to your industry.
 Center for Strategic and International Studies – Significant Cyber Incidents Since 2006
 Operation Sharpshooter – Campaign Targets Global Defense, Critical Infrastructure, December 2018
 Interpol – The protection of critical infrastructure against terrorist attacks: Compendium of good practices, June 2018