3 Major Cybersecurity Challenges Facing Critical Infrastructure and OT

Let’s be honest. Operational technology (OT) security issues are expected. Traditional OT systems were designed for specific functional—operational—purposes. Plus, they were designed to last for many decades.

The power grid, the water supply, the manufacturing plant floor, these ubiquitous 24/7/365 operations fuel daily activities—and they power as much business as they do hospitals that care for patients. In the industrial world, security has meant safety and physical protection of the site. But things have changed. Today, the badge scanners and cameras monitoring the physical security of the doors to the power plant are internet protocol (IP)-connected. Building automation systems are networked and OT systems are increasingly interconnected as well.

Research on today’s riskiest devices shows how challenging it is to know everything that might be connected—especially in OT environments. Everything from an IP camera and label printer to the data historian and industrial control system. More cyber attacks target OT protocols, according to Vedere Labs research. In 2023, five OT protocols were repeatedly targeted: Modbus, Ethernet/IP, Step7, DNP3, and IEC10X. While previously the attacks used information technology (IT) and networking protocols like SMB and standard OT protocols like Modbus, DNP3, and IEC10X, now more proprietary protocols such as Siemens Step7 are used in attacks.

Some OT attacks have been motivated by governments where deceptive intelligence techniques target the slowing down of activities or make political statements through “hacktivism.” Some actors just want to show you what they could do and are after financial gain.

Lately, a fair amount of prepositioning is being discovered—especially in North America—where threat actors sit inside networks undetected and wait. Fear of critical infrastructure take downs and take overs are not hyperbole.

Most organizations do not think they are targets. But tiny utilities, such as the Municipal Water Authority of Aliquippa near Pittsburgh, are being attacked. Here’s a recent warning from Andrew Scott, associate director for China Operations with the Cybersecurity and Infrastructure Security Agency (CISA): “CISA teams have found and eradicated Chinese intrusions into critical infrastructure across multiple sectors, including aviation, energy, water and telecommunications … CISA knows many small and medium-sized business owners, including those operating in these sectors, are prime targets for PRC nation-state cyber actors … And what we’ve found to date is likely the tip of the iceberg.”

But this isn’t just one superpower versus the other or only an isolated water authority. In 2023, Denmark experienced a major coordinated attack on 22 companies in the energy sector.

Challenge #1: Keeping Pace with Cyber Risk and Threats in IT, IoT, and OT

More internet-connected devices mean more risks. By 2028, connected internet of things (IoT) devices will expand to more than 25 billion.

Vedere Labs research shows 13 attacks per second in 2023. Ready-to-use attack kits and ransomware are common on the dark web—as are more and more vulnerabilities being exploited in IT hardware, firewalls, and other network protection devices that are also commonly used in OT environments. And now, as artificial intelligence (AI) and automation become more ubiquitous, these innovations will continue to be leveraged by attackers on OT environments. CISA is also concerned about AI within critical infrastructure.

Challenge #2: The Need to Standardize the Technology Stack

In most organizations that operate industrial sites or critical infrastructure, there are not enough security staff or people with OT security knowledge to investigate the new cyber risks and handle the amount of data coming from security tools and bulletins. Most companies we speak with use more than 40 security tools and experience fatigue associated with management overhead of all these tools and isolated security functions that do not integrate well with each other. So, analysis is slow, prioritizing and implementing remediation is hard, and the cyber risk isn’t being managed efficiently.

Consolidating technology and standardizing processes is a necessary part of today’s security objective. Deploying architecture paired with modernization requires much more active management from teams to ensure a secure IT-OT convergence. Automation and integration are a must—as is the ability to leverage renewable energy sources.

Challenge #3: Regulations Are Tightening and Accountability Is Getting Personal

The compliance landscape is also shifting—and some of it is getting quite personal. From the Securities and Exchange Commission (SEC) rules on rapid breach disclosure to specific industry regulations, such as North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards for utilities, expanding scope for risk and threat detection monitoring and accountability of individuals is in the spotlight.

The SolarWinds attack woke up many governments to revisit where accountability should end up. In the SolarWinds case, the Chief Information Security Officer (CISO) was charged with fraud and is barred from ever holding a company officer position again. Similarly, the CISO from Uber was also personally charged to serve probation and fined $50,000 for failure to disclose a breach.

Recently, CISA proposed a new rule to require critical infrastructure companies to report significant cyberattacks within 72 hours and ransom payments within 24 hours. In addition, regulation updates are emphasizing proactive risk monitoring and remediation. All this adds additional tasks to the teams securing OT systems and environments and increases the need for continuous monitoring of OT systems and networks and risk management processes.

Risk Mitigation for OT Security Requires Deep Visibility and Actionable Insights

Organizations need comprehensive visibility across all connected devices down to the firmware, components, and communication requirements to assess vulnerabilities and cyber risks. What’s inside your hardware? What is it connected to? Because you can’t manage risk if it’s hidden and in the dark. Security is a team effort. Everyone from the procurement team to the IT security operator needs to be better informed about security risks.

And here’s a real-world situation to think about: Shutting down critical infrastructure and OT is not an option. Pausing major operations in energy, oil and gas, utilities, and manufacturing, or reverting to the manual techniques of the past, including pen and paper, because the impact of a cyber incident on the OT environment cannot be determined is incredibly disruptive to modern business operations and our society. Business continuity is paramount despite increasing threats. We need to prepare for this new norm and increase the cyber resilience of our critical infrastructure.

Organizations need visibility into their assets and risks, and must be able to detect threats that bypass their defenses. But most importantly organizations need to prepare for how to handle new incidents and have tools to contain the impact and recover quickly, for example, with proper network segmentation and a deep, wide spectrum of threat intelligence and detection to know what is being targeted—and be able to see and isolate anomalous behavior quickly.

—Christina Hoefer is vice president of OT & IoT Strategy with Forescout.