Francis Cianfrocca – CEO, InsightCyber
It is no longer just computer networks that are under siege by cyber criminals. Consider this: in April, America’s top national security agencies issued a warning describing in detail how cyber attackers gain greater access to operational technology (OT), the connected devices and systems that control transportation, production, oil and gas facilities, hospitals and other critical sectors.
The stakes couldn’t be higher. Gartner predicts that by 2025, cyber attackers will have weaponized OT environments to successfully harm or kill people. That should give everyone a chill, and for leaders it should prompt initiatives to find new ways of dealing with the threat.
Here are some steps business leaders, CIOs, and people responsible for security operations can take to better secure cyber-physical systems.
Understand that OT and IT are worlds apart.
Too often organizations lump OT together with IT: the computers, networks and data that are the lifeblood of business. However, they are different domains. You can’t just extend the security approaches used in IT and expect them to work for OT.
For example, PCs, laptops and servers are designed to be updated and patched regularly. It was clear from the start that IT environments had to be managed with security in mind, which is why we now have established practices for protecting IT systems and data. Not so with OT. Most OT devices cannot be patched: they run on firmware that was never meant to be updated in place, or patching would leave them no longer working as intended. Cybersecurity was never a design priority, because most OT systems have only recently been brought into the world of IP networks; in the past they ran on proprietary protocols, often in isolated environments.
It is also important to note that the data OT devices generate is fundamentally different in structure and content from the data IT devices produce. This matters because IT security relies on sophisticated tools that parse and analyze traffic to diagnose problems. Feeding them OT data is like injecting a foreign language: you can load it into the tools, but they cannot make practical sense of it.
Protecting OT means finding new approaches to cyber-physical security.
Don’t use 20th century practices for 21st century problems.
I’ve found that the cornerstone of IT cybersecurity has long been a focus on vulnerabilities. The posture is defensive: keep a list of every attack that has worked in the past and watch for signs that another one is under way. The hard work of IT security teams is monitoring the company’s ongoing network activity for known malware, signatures or other evidence of trouble. That is untenable in the uncharted waters of OT.
Society cannot afford to wait for new disasters. I think a much more effective approach is to focus on attacks, not vulnerabilities: if you can immediately identify the small operational anomalies that signal the early stages of a complex attack, you stand a good chance of avoiding serious damage.
Until recently this was impossible. Advances in AI now make it practical to apply behavioral analytics to devices. My company and others in the industry have built AI solutions that recognize patterns and detect subtle irregularities at a speed, scale and precision humans cannot match. Applied in an OT environment, AI can tell you what is happening with any connected asset across an organization’s geographies, networks and facilities, and spot early indications of potential problems.
Generate the right kind of inventory.
You cannot protect what you cannot see. A good place to start is to ask whether your organization has a reliable inventory of every device across the organization. If you are honest, the answer is probably no.
One of the open secrets in IT and OT is that it is virtually impossible to create an accurate inventory with today’s tools. This keeps managers up at night, because compliance and risk regulations require many organizations to attest to the state of their infrastructure and data.
To meet this challenge, you will need new solutions that automate continuous discovery of every connected device, so you know which devices are on, which are off, which are communicating with which others, and when. Make sure the tools understand OT’s unique protocols and can translate them into terms your existing systems recognize.
This level of visibility is essential for baseline operations. But for cybersecurity there is more.
You may know what a device should do, but do you know when it has gone rogue? When a smart light switch starts sending encrypted data to an IP address in Asia, technically nothing has failed: the device’s design allows that behavior, so current security tools will not flag it as a problem. But there is not a security manager in the world who would not want to know about it.
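The two ideas above, a continuously built inventory of which devices talk to which others and when, and a check that flags a device the moment it talks to a peer it never had before, can be sketched in a few dozen lines once you have flow records from a network tap or switch mirror port. The following is an added example, not InsightCyber’s product or any vendor’s code. It assumes a simple flow-record layout (timestamp, source, destination, destination port, bytes), an OT address plan of 10.20.0.0/16, and the constructed flow lines embedded below; the IP addresses, ports and device roles are invented for illustration.

```python
"""Passive OT asset inventory plus baseline-deviation check (added example).

A learning window of flow records becomes the inventory and the baseline of
who talks to whom; a later window is compared against it. Three kinds of
finding come out: a device talking to a peer it never used before (flagged
harder when the peer is outside the OT address plan), a device never seen
before, and a baseline device that has gone silent.
"""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed site address plan for the example; a real deployment would take
# this from the plant's network documentation.
OT_NETWORKS = [ip_network("10.20.0.0/16")]


@dataclass
class Asset:
    ip: str
    first_seen: datetime
    last_seen: datetime
    peers: set = field(default_factory=set)   # (dst_ip, dst_port) pairs used
    bytes_out: int = 0


def parse_flow(line):
    """Parse one 'timestamp,src,dst,dport,bytes' record (assumed layout)."""
    ts, src, dst, dport, nbytes = line.strip().split(",")
    return datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)


def build_inventory(flows):
    """Passive discovery: every source address that sends a flow is an asset,
    with first/last seen times and the set of peers it has talked to."""
    inventory = {}
    for line in flows:
        ts, src, dst, dport, nbytes = parse_flow(line)
        asset = inventory.get(src)
        if asset is None:
            asset = inventory[src] = Asset(src, ts, ts)
        asset.last_seen = max(asset.last_seen, ts)
        asset.peers.add((dst, dport))
        asset.bytes_out += nbytes
    return inventory


def is_internal(ip):
    """True when the address falls inside the declared OT address plan."""
    return any(ip_address(ip) in net for net in OT_NETWORKS)


def find_deviations(baseline, window):
    """Compare a window inventory against the baseline inventory.
    Returns (device, finding, detail) tuples."""
    findings = []
    for src, asset in window.items():
        known = baseline.get(src)
        if known is None:
            findings.append((src, "new-device", None))
            continue
        for dst, dport in sorted(asset.peers - known.peers):
            kind = "new-internal-peer" if is_internal(dst) else "new-external-peer"
            findings.append((src, kind, f"{dst}:{dport}"))
    for src in baseline:
        if src not in window:
            findings.append((src, "silent", None))
    return findings


# Constructed sample records. Day 1 is the learning window: an HMI polling a
# PLC over Modbus/TCP, a smart light switch reporting to an MQTT broker, and a
# historian polling the same PLC.
BASELINE_FLOWS = [
    "2024-03-01T08:00:00,10.20.1.2,10.20.1.15,502,320",
    "2024-03-01T08:05:00,10.20.1.40,10.20.1.3,1883,96",
    "2024-03-01T09:00:00,10.20.1.40,10.20.1.3,1883,96",
    "2024-03-01T09:30:00,10.20.1.50,10.20.1.15,502,200",
]
# Day 2: the switch also opens a TLS session to an address outside the plant,
# an unknown device pokes the PLC, and the historian never shows up.
WINDOW_FLOWS = [
    "2024-03-02T08:00:00,10.20.1.2,10.20.1.15,502,320",
    "2024-03-02T08:05:00,10.20.1.40,10.20.1.3,1883,96",
    "2024-03-02T08:06:00,10.20.1.40,203.0.113.55,443,48210",
    "2024-03-02T08:10:00,10.20.1.77,10.20.1.15,502,150",
]


def run_example():
    """Build both inventories from the constructed records and diff them."""
    baseline = build_inventory(BASELINE_FLOWS)
    window = build_inventory(WINDOW_FLOWS)
    return find_deviations(baseline, window)


if __name__ == "__main__":
    for device, finding, detail in run_example():
        print(f"{device:<12} {finding:<18} {detail or ''}")
```

Run as-is it reports the light switch’s new external peer 203.0.113.55:443, the never-seen 10.20.1.77, and the silent historian 10.20.1.50. The point of the design is that nothing here needs a signature of a known attack: the only model is the device’s own history, which is why a first outbound TLS session from a light switch surfaces even though the device is behaving exactly as built. In practice the baseline should be learned over weeks, not a day, and the peer set keyed on protocol as well as port once the OT protocol decoders the text calls for are in place.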
Take action early to limit damage later.
After breaching corporate environments, adversaries often spend weeks or months in undetected reconnaissance as they prepare a coordinated attack. When they finally strike, those responsible for security think to themselves: if only we had seen it!
It reminds me of a story a colleague once told me. One day he saw a black ant on the floor of his house. A small alarm went off in his head, but he crushed the intruder and continued on his way. A few weeks later, he saw three more. A month passed. Then suddenly there were black ants everywhere. A visit from the exterminator soon revealed an expensive and rapidly spreading infestation. He said to himself, “If only I had noticed that first ant!”
I’ve noticed that cyber-attacks never strike like lightning, not even in the wide-open world of OT. The serious ones build up over time and usually leave small clues, like that first black ant.
The goal is not to keep hackers out entirely, because effective attacks will unfortunately always be with us. Instead, the focus should be on new ways to recognize what is happening in the environment, and on acting early enough to prevent the attacks that could end in human disaster.