It is not a question of IF but WHEN.
In 2017, Wannacry ransomware affected more than 230,000 computers in 150 countries, causing damage to key organisations such as UK NHS, European Telecoms companies and Germany state railways. Since then, there have been many others like the NotPetya, Bad Rabbit and Triton just to name a few; wreaking havoc to Operational Technology (OT) networks that are essential to a nation’s security and economic vitality. These incidents have brought the cybersecurity of both IT and OT networks and its challenges into sharp focus.
The convergence of IT and OT has become a business imperative and an important executive management issue. How can we bring cybersecurity into OT and secure those systems?
OT networks can no longer be viewed in silos, as some have interoperability and convergence with IT systems. The complexity increases as many OT networks are legacy systems. The difficulty in identifying, measuring and tracking of risks, as well as the lack of security professionals who are familiar with OT environments, make it even more challenging.
Any cybersecurity framework would have to tackle the opposing needs of OT and IT and keep them both secure; by nature, OT systems cannot afford downtime as their availability is crucial (think power plants and airports).
Some of the key points are:
a. Asymmetrical Battlefield: Organisations have to protect the full scope of their technology, while the attackers only need to pinpoint the weakest link for an attack. Cyber defenders have to get it right every time, while threat actors only need to get it right once.
b.Integrated security framework: Given the nature of OT, the approach to OT Cybersecurity should be engineering-oriented rather than solely IT-centric. We propose a different cyber-paradigm in the security considerations for a system architecture incorporating both IT and OT networks, a Safety Availability Maintainability (SAM) triad. Safety is the top priority for OT networks.
c. 100% elimination of cyber threat: Through our interactions with our clients and research, the best approach to eliminate cyber threats is through a three-pronged human-centric model. Firstly, a well-designed and configured Cyber SOC system should eliminate 90% of the noise and attacks, by using technology (security appliances such as firewalls, anti-malware, endpoint solutions). Next, good security processes, augmented by well-trained people with specialised cyber skills, knowledge and analytics tools, will deal with the next 9% of threats. Thirdly, the last 1% (APTs, zero-days attacks) will require cyber experts with expertise and experience to conduct threat hunting and make sense of the unusual patterns.
Cybersecurity is invariably not just one department’s responsibility, everyone has a role to play because the cyber attackers look for the weakest link and anyone with access to the IT or OT network has a responsibility to safeguard the network by doing their part and being aware of good cybersecurity practices.