After a long period of crisis, cyber security needs renewal

In addition to traditional businesses, such as retail and services, the industrial control systems (ICS) that underpin our critical national infrastructure are facing increasing and immediate risks that can be seen in the growing incidence of ransomware, among other cyber threats.

The impact of these attacks means that an immediate response is needed to recover operational resources across a wide range of market segments.

A disturbing trend, particularly where critical infrastructure is concerned, is the way ransomware is evolving, with some versions specifically targeting industrial control systems, making it easier to hold critical infrastructure operators to ransom.

Changes in connectivity with operational technology are another factor increasing the risk to control systems. These include the growing adoption of cloud technology to support or process operational technology data, which results in data residing outside traditional boundaries.

An additional vulnerability arises from the closer integration of IT and OT infrastructures, usually for valid business or productivity reasons, but which creates a greater number of access paths to operational technology.

In addition, the growing use of commercial off-the-shelf (COTS) technology means that operational technology is at greater risk from common attack techniques and tools that were previously confined, by the technology itself, to the IT infrastructure. Then there is the risk arising from the growth of remote working, driven by the travel and distancing restrictions of the current health crisis, which means more use of remote access.

Greater interest in critical infrastructure for carrying out attacks

The recent attack on the Colonial Pipeline company in the US is a clear example of a ransomware attack aimed at compromising operational technology. The attack was first detected on May 7, when the company announced that it had been hit by a cyber attack involving the DarkSide ransomware.

DarkSide is a relatively new strain of human-operated ransomware, first observed in 2020. The group behind it operates double extortion attacks in a ransomware-as-a-service model with several affiliated groups and is highly active online.

This scenario shows that operational technology is also receiving greater attention because there is more information available to attackers. Dedicated Internet search tools, such as Shodan, help discover industrial devices that are connected to the Internet, and dedicated operational technology hacking tools, such as "Industroyer", reduce the level of knowledge required to attempt an attack.

At the same time, there is increasing knowledge about industrial systems and operational technology, partly as a result of the change in connectivity and the fusion of technology, but also due to the growing disclosure of vulnerabilities.

So, taking these immediate risks into account, what can be done?

Understand your systems

This first piece of advice is as old as some of the technology in use. It is essential to know what assets you have in your operational technology and understand how they relate to what you do.

If a vulnerability is disclosed for a component, the potential impact of the vulnerability can only be properly assessed if the proliferation of the component within the infrastructure is known. The response will be very different for a component in limited use in an isolated system compared to a common component in several critical systems.

Understand the risks

Risk assessments should be completed for all critical systems and reviewed annually or in response to a significant change in the threat or system configuration. Risk assessments should be based on credible threat scenarios for the organization and should develop into risk mitigation plans.

Ensure critical infrastructure is 'Secure by Design'

It is widely recognized that it is easier and more cost-effective to design something securely from the start than to try to add security features at a later stage. Although this approach can only be fully adopted for new systems, the guiding principles of "secure by design" should be incorporated wherever possible.

What's more, the approach must be broad enough to look beyond technology and make people and processes "secure by design" too.

Actively monitor critical systems

It is essential to understand what is happening on your network and at the edges, as well as to have an established baseline of normal behavior for your infrastructure and systems. This can be much easier to achieve with the increased availability of mature, OT-specific monitoring solutions.
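As an added illustration of the baselining idea above (example code, not part of the article or any vendor product): learn which (source, destination, port) conversations are normal inside an OT cell during a learning window, then classify later traffic by how far it departs from that baseline. All addresses, ports and flows below are constructed sample data.

```python
# Constructed sample flows (src, dst, dst_port) observed during the learning window.
# An HMI and a historian poll two PLCs over Modbus/TCP (502); the HMI also
# queries the historian's database (1433). Addresses are made up.
BASELINE_FLOWS = [
    ("10.20.1.10", "10.20.1.21", 502),   # HMI -> PLC-1
    ("10.20.1.10", "10.20.1.22", 502),   # HMI -> PLC-2
    ("10.20.1.30", "10.20.1.21", 502),   # historian -> PLC-1
    ("10.20.1.30", "10.20.1.22", 502),   # historian -> PLC-2
    ("10.20.1.10", "10.20.1.30", 1433),  # HMI -> historian SQL
]

# Constructed flows seen after the learning window; some match, some do not.
NEW_FLOWS = [
    ("10.20.1.10", "10.20.1.21", 502),     # normal
    ("10.20.1.30", "10.20.1.21", 44818),   # known pair, unexpected port (EtherNet/IP)
    ("10.20.1.10", "10.20.1.22", 502),     # normal
    ("10.20.1.21", "10.20.1.22", 502),     # known hosts, PLC-to-PLC never seen before
    ("10.20.1.99", "10.20.1.21", 502),     # unknown host speaking Modbus to a PLC
    ("10.20.1.30", "10.20.9.5", 445),      # known host reaching a peer outside the cell
]


class FlowBaseline:
    """Allow-list of observed hosts, host pairs and (src, dst, port) conversations."""

    def __init__(self, flows):
        self.hosts = set()
        self.pairs = set()
        self.conversations = set()
        for src, dst, port in flows:
            self.hosts.update((src, dst))
            self.pairs.add((src, dst))
            self.conversations.add((src, dst, port))

    def classify(self, flow):
        """Return None for baseline traffic, otherwise a label for the deviation.

        Labels are ordered by severity: an unknown host is more alarming than a
        known pair talking on a port it never used before.
        """
        src, dst, port = flow
        if flow in self.conversations:
            return None
        if src not in self.hosts or dst not in self.hosts:
            return "new-host"
        if (src, dst) not in self.pairs:
            return "new-pair"
        return "new-port"


def detect_deviations(baseline, flows):
    """Return [(flow, label), ...] for every flow that departs from the baseline."""
    return [(f, lbl) for f in flows if (lbl := baseline.classify(f)) is not None]
```

In practice the learning window must itself be reviewed before being trusted as "normal", since any attacker activity present during that window becomes part of the baseline.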

Be ready to respond to incidents

Finally, there must be a tried and tested incident response plan that adequately considers cyber causes of failures and guides the appropriate response to recover systems and restore operations in line with business objectives.

Using threat intelligence to determine the real risk faced by the organization, combined with an understanding of the way potential attackers strike, is the key to applying appropriate and cost-effective controls that don't alienate the very people who help make things secure.