Risks to critical infrastructure will increase

Cristina De Luca

December 02, 2021

Critical infrastructure security has become a primary concern for governments around the world, especially in the US and EU countries. And with good reason. By 2025, 30% of critical infrastructure organizations will experience a security breach that will result in the suspension of mission-critical systems and their operations, according to Gartner predictions.

“Governments are realizing that their national critical infrastructure is an undeclared battlefield,” says Ruggero Contu, research director at Gartner. “They are now taking steps to require more security controls for the systems that underpin these assets.”

A survey by the consultancy of 401 OT professionals found that 38% of them expected to increase security spending by between 5% and 10% in 2021, and a further 8% of respondents predicted an increase of more than 10%.

Throughout this year, attacks on operational technologies have evolved from immediate process interruption (such as shutting down a factory) to compromising the integrity of industrial environments with the intent of creating physical damage. Other recent events, such as the Colonial Pipeline ransomware attack, have highlighted the need for properly segmented networks for IT and OT.

With the evolution of OT, smart buildings, smart cities, connected cars, and autonomous vehicles, incidents in the digital world will have a much greater effect on the physical world as risks, threats and vulnerabilities now exist across a two-way cyber-physical spectrum. However, many companies are unaware of the CPSs already deployed in their organizations, either through legacy systems connected to corporate networks by teams outside of IT or because of new business-driven automation and modernization efforts.

The consultancy defines CPSs as systems designed to orchestrate sensing, computing, control, networking, and analytics to interact with the physical world (including humans). They underpin all connected IT, operational technology (OT), and Internet of Things (IoT) efforts, where security considerations span the cyber and physical worlds, such as asset-intensive, critical infrastructure, and clinical health environments.

Due to the nature of cyber-physical systems (CPSs), incidents can quickly cause physical harm to people, destruction of property, or environmental disasters. By the consultancy’s estimate, the financial impact of CPS attacks resulting in fatalities will reach more than $50 billion by 2023. Even without considering the value of human life, the costs to organizations for compensation, litigation, insurance, regulatory fines, and loss of reputation will be significant.

In the United States, the FBI, NSA, and the Cybersecurity and Infrastructure Security Agency (CISA) have already increased the frequency and detail of the information they publish about threats to critical infrastructure-related systems, most of which are owned by industry. Soon, CEOs won’t be able to plead ignorance or retreat behind insurance policies.

What to do?

According to Gartner, security incidents in OT and other cyber-physical systems (CPS) have three main motivations: actual damage, commercial vandalism (reduced production), and reputational vandalism (making a manufacturer appear untrustworthy).

The consultancy recommends that organizations adopt a framework of 10 security controls to improve the security posture at their facilities and prevent incidents in the digital world from having an adverse effect on the physical world. They are:

1. Define roles and responsibilities

Appoint an OT security manager for each facility, who is responsible for assigning and documenting roles and responsibilities related to security for all workers, senior managers, and any third parties.

2. Ensure adequate training and awareness

All OT employees should have the skills required for their roles. Employees at each facility should be trained to recognize security risks, the most common attack vectors, and what to do in the event of a security incident.

3. Implement and test incident response

Ensure that each facility implements and maintains an OT-specific security incident management process that includes four phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.

4. Establish backup, restoration, and disaster recovery

Ensure that proper backup, restore, and disaster recovery procedures are in place. To limit the impact of physical events such as fire, do not store backup media in the same location as the backup system. Backup media must also be protected from unauthorized disclosure or misuse. To handle high-severity incidents, it must be possible to restore the backup to a new system or virtual machine.

5. Manage portable media

Create a policy to ensure that all portable data storage media, such as USB sticks and portable computers, are scanned, regardless of whether a device belongs to an internal employee or to external parties such as subcontractors or equipment manufacturer representatives. Only media found to be free of malicious code or software may be connected to OT systems.

6. Have an up-to-date asset inventory

The security manager must keep a continuously updated inventory of all OT equipment and software.

7. Establish proper network segregation

OT networks must be physically and/or logically separated from any other network, both internally and externally. All network traffic between an OT network and any other part of the network must pass through a secure gateway solution such as a demilitarized zone (DMZ). Interactive sessions into OT must use multifactor authentication at the gateway.

8. Collect logs and implement real-time detection

Appropriate policies or procedures must be in place for automated logging and review of potential and actual security events. These should define how long security logs are retained and protect them against tampering or unwanted modification.

9. Implement a secure configuration process

Secure configurations must be developed, standardized and deployed for all applicable systems like endpoints, servers, network devices, and field devices. Endpoint security software like anti-malware must be installed and enabled on all components in the OT environment that support it.

10. Establish a formal patching process

Implement a process under which patches are qualified by the equipment manufacturers before deployment. Once qualified, patches may only be deployed on the appropriate systems at a pre-specified frequency.
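Controls 7 and 8 together imply a concrete check: every flow into the OT network should originate in the DMZ, and the logs should be reviewed automatically for anything that bypasses it. The script below is an added illustration, not Gartner's or the article's own material; the three-zone address plan, the flow-log format and the sample records are all constructed assumptions.

```python
import ipaddress

# Assumed zone layout (constructed for this example, not from the article).
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("10.30.0.0/16"),
}

# Segregation policy: OT talks only to the DMZ (or itself); IT reaches OT only via the DMZ.
ALLOWED_PAIRS = {
    ("OT", "OT"), ("OT", "DMZ"), ("DMZ", "OT"),
    ("DMZ", "IT"), ("IT", "DMZ"), ("IT", "IT"),
}

# Constructed flow records: "<timestamp> <src> <dst> <dport> <proto>".
SAMPLE_FLOWS = """\
2021-12-02T10:00:01Z 10.10.5.12 10.20.0.8 443 tcp
2021-12-02T10:00:02Z 10.20.0.8 10.30.1.20 502 tcp
2021-12-02T10:00:03Z 10.10.5.12 10.30.1.20 502 tcp
2021-12-02T10:00:04Z 203.0.113.7 10.30.2.5 22 tcp
2021-12-02T10:00:05Z 10.30.1.20 10.30.1.21 502 tcp
""".splitlines()


def zone_of(ip):
    """Map an address to its zone; anything outside the plan is EXTERNAL."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"


def parse_flow(line):
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def check_flows(lines):
    """Return every flow whose (source zone, destination zone) the policy forbids."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
        if (src_zone, dst_zone) not in ALLOWED_PAIRS:
            flow.update(src_zone=src_zone, dst_zone=dst_zone)
            findings.append(flow)
    return findings


if __name__ == "__main__":
    for f in check_flows(SAMPLE_FLOWS):
        print(f"{f['ts']} {f['src_zone']}->{f['dst_zone']} {f['src']} -> {f['dst']}:{f['dport']}")
```

On the sample records it flags the direct IT-to-OT Modbus flow and the external SSH attempt into OT, while the two hops through the DMZ and the intra-OT traffic pass.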

“Security and risk management leaders should accelerate efforts to discover, map and assess the security posture of all cyber-physical systems in their environment,” warns Contu. “And also invest in threat intelligence, as well as participate more actively in industry groups to stay informed about security best practices, future mandates, and requests for input from government entities.”