by Andrew Joyner, Cyber Security, Thales Australia
Cyber attacks pose an ever-growing threat to organisations across the water, energy, transport and communications sectors as IT (information technology) and OT (operational technology) converge, creating new and unique risks in both the physical and digital worlds. In order to manage and minimise these risks, organisations first need to assess their cyber maturity.
A Kaspersky study of 320 worldwide professional OT security decision-makers showed that 77 per cent of companies ranked cybersecurity as a major priority, 66 per cent saw targeted attacks as a major concern and 77 per cent believed that it was likely that they would be the target of an OT cybersecurity incident. Furthermore, two thirds believed that the Internet of Things (IoT) brings more significant OT security risks.
While there is clearly an awareness amongst organisations of the threat posed by IT and OT convergence, only one organisation of the twelve interviewed had a clear directive on its OT risk appetite. Other providers said that their OT risk tolerance was lower than for IT systems and that an assessment of benefits versus risk had been undertaken before IT and OT convergence occurred.
Making an assessment
In order to gain cyber maturity and be prepared for likely incidents resulting from IT and OT convergence, organisations need to assess their weaknesses, identify what needs to be fixed in their systems and approach, and then systematically work through any fixes that need to be implemented.
For many Australian providers, cyber risks are recognised at a board level and managed throughout the organisation. According to the Kaspersky study, OT cyber risks are reported at least quarterly to the board in two thirds of organisations, though this is usually reported alongside IT risks rather than as a standalone issue.
Considerations for organisations
In order to properly assess and manage risk, organisations need to employ people with the right expertise to prepare for and mitigate cyber threats. This study showed that seven out of the twelve organisations had at least one director at board level with expertise, meaning that five were unequipped to progress to cyber maturity and security.
In order to manage this risk appropriately, organisations have a responsibility to enable careful decision making, communication and monitoring of their OT cyber risk appetite. They also need to ensure that the right skills and tools are available to address problems and that there is effective sharing of threat intelligence and best practice, requiring organisations to prioritise resources to appropriate parts of government.
While some organisations are putting themselves at a high level of risk in the absence of staff with specific expertise in this area, an encouraging 80 per cent of respondents said they had shared in lessons learned and best practice for both IT and OT security across their sector, which will contribute significantly to maturing other organisations’ approaches.
While this is a step in the right direction, many organisations clearly felt that they could be better prepared for a cyber threat resulting from IT and OT convergence. Half said that there was room to improve their understanding of the degree of convergence in their systems and of the associated risks and vulnerabilities. Fewer than half could confirm that vulnerability testing of their OT systems was carried out at least once a year.
While eleven of twelve organisations had an incident response plan in place that had been tested in the past year, in one third of cases the OT security incident response plan was considered the same as the IT plan. This may explain why many organisations felt only partially prepared or underprepared to respond to a cyber incident.
The journey to cyber security is one that requires ongoing and dedicated assessment, learning and preparation. No single ‘safeguard’ will eliminate the risk of a cyberattack, making it critical for professionals to build a clear understanding of various physical systems, networks, software, computers and other devices, as well as their interdependencies and connectivity. With this, it will be possible to move forward with assessing and filling the gaps to achieve cyber security.