by Michael Litherland, Cyber Security, Thales Australia
Critical infrastructure providers are under increasing pressure to deliver services more efficiently and at a lower cost, as a result of market competition, technological change and stringent regulations. To achieve this, many organisations have sought to automate and integrate more and more of their Information Technology (IT) and Operational Technology (OT) systems. While this brings many benefits, it also highlights new cyber security vulnerabilities. Unless security is considered up front and threats are managed proactively rather than reactively, the impacts can be severe. Organisations must ensure their staff are all on the same page when it comes to cyber security awareness.
Effective security starts with leadership. Boards need to provide strong awareness and sponsorship, setting and communicating their risk appetite in a way that drives their approach to IT–OT convergence.
Given there are few board members with specific cyber security expertise, the key will be to encourage and enable boards to be more inquisitive — creating a culture in which they can ask questions and explore issues in an open and transparent manner. This shift in board understanding and engagement is what has occurred in recent years with ‘traditional’ cyber security.
Of course, just mandating or setting a vision is not sufficient; action is needed to see it realised. The right tools need to be made available to enable providers to embed a culture of security throughout the organisation, and the right governance needs to be in place to ensure that this is happening.
Addressing the skills shortage
The general shortage of cyber security skills in the workforce has been well documented and discussed, but one of the acute challenges involves the lack of suitably skilled OT security professionals.
Education will be the key to addressing this gap. This should start with broad user education, as part of building the right culture across an organisation, supplemented by the right policies and processes.
This can help avoid some of the most common weaknesses. For example, some cyber attacks are thought to have been facilitated by a well-meaning employee inserting an unknown USB stick into a computer to check who it belonged to, while a study by Honeywell found that 44 per cent of USB devices present at surveyed industrial facilities had a security issue.
Common resources should be created for use in general user education and executive awareness, as well as ongoing education and professional development for those in the industry.
Formal education can be supplemented by other approaches, such as a program of secondments between IT and OT security teams. In any case, while an OT security team needs to be specialised and focused on this area, it will need to work closely with IT security professionals to share expertise and also to identify and stop threats that cross the domains.
In cyber security, we’re stronger together, and given the relative lack of maturity and the potential risks, it’s vital that there are effective mechanisms for sharing threat information and lessons learned.
Such mechanisms should be made accessible to a broad range of geographically dispersed stakeholders — tier one major companies can attend summits in Canberra, but local councils running transport or water companies won’t have the resources for extensive travel.
Ensuring incident response readiness
Organisations need to ensure that they have clear response and recovery plans for attacks. The plans need to go beyond theoretical documents that are dusted off and read only when something goes wrong.
There’s always room for improvement in testing incident response plans, but organisations need to go one step further with active war-gaming exercises that bring together boards, executives and business continuity teams to work through scenarios, and technical red-team testing that simulates the potential activity of an attacker to test detection and response capabilities.
The Australian Cyber Security Centre runs a national program for the owners and operators of Australia’s critical infrastructure that uses exercises and other readiness activities that target strategic decision-making, operational and technical capabilities, strategic engagement and communications.
Additional resources could be provided to ensure that this is extended to cover OT security incident scenarios and is accessible across the spectrum of critical infrastructure providers.