November 29, 2022
Cyberattacks on utilities, industrial organizations, and critical infrastructure demonstrate the need for better security planning and management.
In the past, security experts largely dismissed the risk of cyberattacks on operational technology (OT).
Common wisdom held that manufacturers and utility providers didn’t make easy targets. Cybercriminals would have to painstakingly create malicious firmware from scratch. They would probably need physical access to the equipment to do any real damage. Getting away with such a brazen attack would be near impossible for a random group of hackers.
Now, everything is different. Operational technology has become a fair target. Critical infrastructure attacks are commonplace. Manufacturers and industrial organizations won’t renounce the productivity gains they’ve achieved by integrating IT and OT deployments – but they must protect those deployments with robust security policies.
All Infrastructure is Critical
Cybersecurity experts often point to the 2021 Colonial Pipeline attack as the history-making moment when critical infrastructure attacks hit the mainstream. That’s not entirely accurate.
The Colonial Pipeline attack primarily hit the operator’s business IT systems. The operator chose to shut down its operational technology to prevent the attack from spreading. In that sense, it was not a true OT attack.
The real history-making moment for critical infrastructure attacks came half a decade earlier. The first confirmed cyber operation to successfully take down energy infrastructure happened in December 2015 in Ukraine. State-sponsored attackers cut off power to nearly 230,000 residents.
To do this, they harvested user credentials to log into the utility’s SCADA network. They wrote and uploaded malicious firmware to the substation converters that process SCADA commands. Once the attack had done its damage, they overwrote the master boot record of the devices they had infiltrated so that those devices would have to be replaced manually.
At the time, these were brand-new tactics that nobody had seen before. Now, they are a case study in operational technology security. Industrial manufacturers, infrastructure providers, and utility companies can’t dismiss risks that seemed all but impossible just a few years ago.
IT/OT Convergence Must Become a Security-First Initiative
Most industrial organizations launch IT/OT convergence initiatives to become more resource-efficient and cost-effective. They use data to automate and drive operations, which allows them to optimize the use of equipment and power while minimizing maintenance costs and unsold inventory.
There’s no doubt that industrial leaders will continue to integrate IT and OT systems so they can reap these economic rewards. However, it’s vital that leaders approach the process of convergence from a security perspective first.
Leaders who take this approach can leverage convergence to improve their organization’s security posture. The key is ensuring IT and OT systems share security information as effectively as they share mission-critical productivity data.
Ideally, OT systems would feed activity logs to information security staff, allowing analysts to track how users interact with production machinery. User and entity behavior analytics (UEBA) technology can flag users who deviate from their routine activity, prompting an investigator to verify their identity.
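The following is an added illustration of the idea above, not code from the original post or from any UEBA product: it builds a per-user baseline from OT access logs (which source host, which OT asset, which action, which hours) and flags later events that deviate on two or more of those dimensions. The log format, the user and asset names, and the log lines themselves are constructed for the example; a real deployment would read the baseline from a longer history and tune the threshold.

```python
from collections import defaultdict
from datetime import datetime

# Constructed OT access-log lines (not real data). Format assumed for this example:
# <ISO timestamp> <user> <source host> <OT asset> <action>
BASELINE_LOGS = [
    "2022-11-01T08:03:11 alice eng-ws-01 plc-sub-04 READ_TAGS",
    "2022-11-01T09:15:40 alice eng-ws-01 plc-sub-04 WRITE_SETPOINT",
    "2022-11-02T08:12:05 alice eng-ws-01 plc-sub-05 READ_TAGS",
    "2022-11-03T10:44:19 alice eng-ws-01 plc-sub-04 READ_TAGS",
    "2022-11-01T14:20:02 bob hmi-02 rtu-feeder-12 READ_TAGS",
    "2022-11-02T15:02:37 bob hmi-02 rtu-feeder-12 ACK_ALARM",
    "2022-11-03T13:58:51 bob hmi-02 rtu-feeder-13 READ_TAGS",
]

NEW_LOGS = [
    "2022-11-04T08:30:00 alice eng-ws-01 plc-sub-04 READ_TAGS",       # routine
    "2022-11-04T23:41:12 alice vpn-gw-03 plc-sub-04 WRITE_SETPOINT",  # new host, off-hours
    "2022-11-04T02:10:45 bob hmi-02 plc-sub-04 FIRMWARE_UPLOAD",      # new asset, new action, off-hours
]


def parse_line(line):
    """Split one log line into its fields; the timestamp becomes a datetime."""
    ts, user, host, asset, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "host": host, "asset": asset, "action": action}


def build_baseline(lines):
    """Per-user profile of the hosts, assets, actions and hours seen in the baseline window."""
    profile = defaultdict(lambda: {"hosts": set(), "assets": set(),
                                   "actions": set(), "hours": set()})
    for rec in map(parse_line, lines):
        p = profile[rec["user"]]
        p["hosts"].add(rec["host"])
        p["assets"].add(rec["asset"])
        p["actions"].add(rec["action"])
        p["hours"].add(rec["ts"].hour)
    return profile


def _hour_distance(a, b):
    """Circular distance between two hours of the day (23 and 1 are 2 apart)."""
    d = abs(a - b)
    return min(d, 24 - d)


def score_event(rec, profile):
    """Return the list of deviations from the user's baseline; an empty list means routine."""
    p = profile.get(rec["user"])
    if p is None:
        return ["unknown user"]
    reasons = []
    if rec["host"] not in p["hosts"]:
        reasons.append(f"new source host {rec['host']}")
    if rec["asset"] not in p["assets"]:
        reasons.append(f"new OT asset {rec['asset']}")
    if rec["action"] not in p["actions"]:
        reasons.append(f"new action {rec['action']}")
    hour = rec["ts"].hour
    # Off-hours if the event is more than two hours from every hour the user has worked before
    if all(_hour_distance(hour, h) > 2 for h in p["hours"]):
        reasons.append(f"off-hours activity at {hour:02d}:00")
    return reasons


def detect(baseline_lines, new_lines, threshold=2):
    """Flag events whose deviation count meets the threshold; returns (user, timestamp, reasons)."""
    profile = build_baseline(baseline_lines)
    alerts = []
    for rec in map(parse_line, new_lines):
        reasons = score_event(rec, profile)
        if len(reasons) >= threshold:
            alerts.append((rec["user"], rec["ts"].isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for user, ts, reasons in detect(BASELINE_LOGS, NEW_LOGS):
        print(f"ALERT {ts} {user}: " + "; ".join(reasons))
```

Run as-is, the script raises two alerts: alice writing a setpoint from a source host she has never used, late at night, and bob performing an action (a firmware upload) he has never performed, on an asset outside his usual scope, at 02:00. The routine READ_TAGS event scores zero and is not reported, which is the point of baselining: the analyst sees deviations, not the whole OT log stream.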
Without the ability to share security data in this way, OT systems risk remaining invisible to security analysts and their detection tools. Threat actors would simply bypass the protected IT systems and focus their efforts entirely on the unsecured OT alternatives.
No Organization is Too Small to Secure IT/OT Convergence
In November 2021, a small Colorado electric utility provider announced it had been struck by a cyberattack. Having fewer than 30,000 members did not make it any less of a target. The company successfully protected its critical OT infrastructure because those systems were not connected to its IT network.
In the future, small utility providers are likely to pursue IT/OT convergence initiatives for the same reasons major enterprises do. The ability to secure those initiatives should not be limited to the world’s largest industrial organizations. Every organization must secure its IT systems from cyberattacks. The decision to converge operational technology with IT systems should improve security posture, not reduce it.
Castra helps organizations of all sizes with scalable, on-demand security expertise. Contact us today for a free demo.