by Andrew Joyner, Cyber Security, Thales Australia
Today’s digital and physical worlds are increasingly overlapping as digital devices that monitor and/or control physical effects become commonplace. While the convergence of IT (information technology) and OT (operational technology) can bring many benefits, it also poses new and unique risks to critical national infrastructure, particularly with cyberattacks having consequences in the physical world.
Perhaps the most important lesson learned from the past decade of IT security is that threats are better managed proactively than reactively. With IT and OT becoming increasingly integral in critical national infrastructure, upfront action to address risks posed by the convergence of IT and OT is of paramount importance.
The problem
The concern is that, as IT and OT systems have converged, OT devices that monitor and control physical items are being connected to the internet or to wider networks, particularly among critical national infrastructure providers. While this connectedness is no doubt beneficial, it means that OT systems are no longer isolated and stand-alone, so a cyberattack on the internet-connected combined IT–OT system can have direct physical consequences. When the organisation is part of critical national infrastructure, such an attack can have a potentially major impact on national security.
Critical infrastructure providers in Australia cover a broad range of organisation types. Some are government agencies or government-owned corporations, but a large proportion are run by commercial organisations, which may be privately owned companies, public corporations or part of multinational organisations. Government-owned providers may be at the federal, state or local government level, with differing access to resources and security expertise.
Research shows that although most organisations haven’t seen much change in their degree of IT–OT convergence over recent years, in the next two years they expect a rapid increase in convergence. Most providers interviewed for this research expected a high degree of convergence and extensive two-way connectivity. This will also be driven by the proliferation of the Internet of Things (IoT).
In the past, an organisation might have had a ‘stovepiped’ system provided by a single vendor communicating using proprietary protocols, with a single gateway into the back-office IT system. Today, it’s more likely that there will be a range of different vendor systems communicating with each other in a complex mesh network, and the concept of a clear boundary between IT and OT domains is less relevant.
Although the use of cloud services can bring security opportunities, unless managed appropriately it can bring new vulnerabilities by making formerly separate corporate systems accessible through the wider internet.
Finding a solution
In order to manage this risk appropriately, critical infrastructure organisations have a responsibility to enable careful decision making, communication and monitoring of their OT cyber risk appetite. They also need to ensure that the right skills and tools are available to address problems and that there is effective sharing of threat intelligence and best practice, requiring organisations to prioritise resources to appropriate parts of government.
In Australia, the federal, state and territory governments have defined critical infrastructure as physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact Australia’s social or economic wellbeing. Examples include the systems providing:
- Food
- Water
- Energy
- Transport
- Communications
- Health care
Studies show that these providers have a high level of awareness regarding the threat of IT and OT convergence; however, they do not have a clear directive on OT risk appetite and felt there was scope to do better.
In order to protect critical national infrastructure in an era of IT and OT convergence, providers must set expectations, undertake risk identification and management, consider the use of standards and guidelines, be involved in relevant education, share threat information and be ready to respond to incidents.
Setting expectations
For government organisations, the recent NSW cyber strategy sets a clear mandate for all government agencies to ensure that there are ‘no gaps in cyber security’ related to physical systems.
In order to excel in cyber security in the age of convergence, providers need to clearly understand their obligations. For regulated industries this often means that licence conditions are used at a local or state level to set expectations, though this means that these expectations and obligations may differ depending on the region a provider operates in.
While setting expectations is important, action is required to see results. With the right tools, providers can embed a culture of security throughout the organisation, with good governance to ensure this is happening.
Risk identification and management
Given the differences between IT and OT security, the right tools need to be chosen. This is because an IT firewall might not protect an OT network from malicious traffic, and a standard IT security monitoring solution might not detect OT attacks, as the characteristics of hostile activity will be different.
Critical infrastructure providers have commented on the lack of mature commercially available solutions to assist with this, although other industry experts suggested the problem may in some areas be overlapping or competing solutions, along with unrealistic marketing claims. An appropriate framework would help to assess these claims and identify any gaps in the market where government intervention may be appropriate.
Standards and guidance
The right standards can work well in setting a baseline, provided they’re implemented as part of a holistic strategy and not as a checklist. However, inappropriate standards will at best give a misleading picture and at worst may drive insecure behaviours.
Standards should be reviewed on a sector-by-sector basis, for example by using a guiding council of experts in a given sector to identify which standards should be recommended as suitable for organisations to adopt and regularly audit against.
Education and sharing threat information
Given the potential risks of IT and OT convergence, it’s vital that there are effective mechanisms for sharing threat information and lessons learned. However, there seems to be a divide in the availability of sector-specific OT threat intelligence.
The sharing of OT security information seems to be noticeably less common than for IT security, which is likely due to resources, contact details and security clearances being focused on IT security. Several organisations within government can help with building cross-sector threat intelligence information and disseminating it. These include:
- The TISN
- The Australian Cyber Security Centre
- The Business and Government Liaison Unit in the Australian Security Intelligence Organisation
For organisations within government to effectively assist, there needs to be clear leadership and ownership, not just by top-down information flow from government but by facilitating sharing between peers in each sector.
Incident response readiness
Organisations need to ensure that they have clear response and recovery plans for attacks. The plans need to go beyond documents that are only accessed when something goes wrong.
There’s room for improvement in testing incident response plans, but organisations need to go one step further with exercises that bring together boards, executives and business continuity teams to work through potential risk scenarios, and technical red-team testing that simulates the activity of an attacker to test detection and response capabilities.