As the world becomes increasingly digital, cyberthreat actors continue to adapt their behaviors, tools and strategies to wreak havoc on enterprises. In 2021, there was no shortage of attention on cybersecurity between frequent headline-grabbing attacks and increased emphasis from the government on proposed legislation and mandates. Gartner projects that security and risk management spending surpassed $150 billion in 2021 alone, a 12.4 percent increase from the previous year. The firm also found that cybersecurity has caught the eye of boards of directors, with 88 percent reporting they now view it as a business risk rather than a technological one. This evolving mindset will undoubtedly empower CEOs to push for expanded cybersecurity budgets in 2022.
Most of the money spent on cybersecurity is focused on protecting information technology (IT) systems, such as office networks that contain critical business information. However, the more vulnerable assets are the operational technology (OT) networks, which are comprised of the industrial control systems (ICS) that are the lifeblood of your business if you manage industrial operations.
OT is the new frontier for threat actors—nation states, hacktivists and other criminals—who are aggressively targeting these systems to disrupt operations. Because these systems control physical machinery such as motors, pumps, generators and valves, a hack can create significant risk to the business, environment and people.
An Expanding Threat Landscape
In 2021, attacks on the industrial sector became commonplace. These incidents highlight the shift in tactics used by cyber criminals. While the primary goal of cyberattacks was once stealing essential data through IT systems, recent attacks on OT systems confirm that threat actors are determined to cause physical harm or real-world disruptions to critical infrastructure for monetary gain, hacktivism, espionage and more.
Take, for example, the Oldsmar water treatment plant attack in February 2021. A criminal leveraged software to remotely seize an industrial control system. Their goal was drastically increasing the sodium hydroxide levels in the local water supply. Adjusting the levels of this compound, which is often used as a pH control agent, could have caused bodily harm to local citizens. Luckily, a facility employee noticed the change and immediately returned the levels to normal before the water reached the public.
This incident illustrates why enterprise leaders in the industrial sectors, managing critical infrastructure, must understand the vulnerabilities of their enterprises’ OT systems and the risks they may pose not only to business performance, but to the environment and the people in it.
The Susceptibility and Impact of OT Systems
By understanding the vulnerability of OT systems and the impact cyberattacks can have on business performance, leaders can better prepare to take the right course of action for their organizations.
Executives must understand that OT differs from IT dramatically. IT networks are interconnections of computers and servers that are used to create, process, store, retrieve and send information. OT networks consist of industrial control systems that monitor and control how physical devices and equipment perform. The tools and methods to secure these environments are different because the underlying technology is very different, but many enterprises don’t differentiate their OT and IT networks. The security and reliability of OT systems often falls under the purview of IT departments instead of skilled OT experts, which typically creates a situation where there is not distinct separation between IT and OT systems. This begs the question, “What’s stopping attackers from using IT systems to infiltrate an enterprise’s OT systems?”
Although the convergence of IT and OT offers competitive advantages and efficiencies, it comes with certain risks. OT systems also have another inherent vulnerability: they’re often outdated and ill-equipped for modern security measures. Systems and machinery deployed at inception—sometimes 20-30 years ago—are often still in operation today, with slight adjustments made to adapt to an increasingly digital business world. The automation and streamlined processes that come from connecting legacy equipment to networks, software and other technologies also expand the attack surface, creating gaps that make it easier for bad actors to penetrate systems and take control.
The Colonial Pipeline incident in May 2021 showed how a cyberattack could bring business operations to a halt and directly impact a company’s bottom line. This unprecedented attack disrupted Colonial’s expansive pipeline operations (which supplies 45 percent of oil to the East Coast) for nearly a week.
How Leaders Can Protect OT Systems
If 2021 was any indication of what’s to come, industrial-sector leaders need to take steps to prioritize OT cybersecurity to protect their businesses, customers, employees and the environment. Here are three steps to take now:
- Assign ownership over OT risk management. Risk management ownership must go to a professional with deep domain expertise in the industry and intricate knowledge of cybersecurity. This person needs to understand the differences between IT and OT systems, the company’s unique risks and how to mitigate them. The company’s Chief Information Security Officer (CISO) usually takes on this responsibility, often outsourcing to OT-specific Managed Security Service Providers (MSSP).
- Understand the organization’s unique OT threats. No two companies or OT systems are the same. The first step is to know what you need to protect. CEOs must empower their CISOs, CIOs, COOs and cybersecurity teams to conduct in-depth reviews of their OT systems. This will identify the most critical cyber assets and vulnerabilities, and prioritize to develop and deploy specific OT cyber risk management programs.
- Educate and generate buy-in from the board. In today’s world, it is imperative that boards understand that cybersecurity isn’t just a technology risk—it’s a business risk. The challenge organizations face is not having a firm grasp on the difference between IT and OT networks and how to address the cybersecurity needs on each network. CEOs, CISOs, CIOs, COOs and cybersecurity teams must educate leadership that an OT attack hits the heart of the business. If the operation goes down, the business stops. This has a significant impact on reputation, competitiveness and the bottom line.
For years, industrial sectors have made disparate updates to bring their operations into the 21st century. But cyber criminals are always adapting, and organizations need to evolve alongside them. Business leaders in industrial sectors can no longer rely on quick fixes and patches to secure their operations and bottom lines. Hackers have progressed far beyond these barriers.
Last year’s attacks should be seen as a warning bell for enterprise leaders as it has undoubtedly been a dinner bell for the attackers. By prioritizing OT cybersecurity and understanding its physical risk, organizations will take the steps toward a safer, more secure industrial future.