The share of nation-state attacks aimed at critical infrastructure doubled in the past year, according to the 2022 Microsoft Digital Defense Report. In the period from July 2021 to June 2022, attacks on organizations in IT, financial services, transportation, and communications infrastructure accounted for 40% of the nation-state activity Microsoft observed, compared to just 20% in the previous 12-month period.
Mathieu Gorge, CEO of VigiTrust, and Ian Bramson, global head of industrial cybersecurity at ABS Group, sat down to discuss the issues related to critical infrastructure security, the role of OT and IT in protecting critical facilities, and how security leaders can communicate these concerns to board members and those in the C-suite.
Critical infrastructure security
In the wake of attacks like those against the Irish Health Service Executive (HSE), Colonial Pipeline, and JBS Foods, the world has woken up to the significant threat ransomware poses to the essential systems, networks, and assets that a country's society and economy depend on. This set of facilities and service providers is commonly referred to as "critical infrastructure," and encompasses education systems, public health facilities, energy plants, transportation systems, water treatment plants, and security services, among others.
The security risk to critical infrastructure has risen sharply in recent years as digital integrations in legacy environments (control systems that were designed for isolated networks now connected to corporate IT and the internet) opened these facilities up to attack. Threat actors quickly realized the financial leverage that comes with interfering in these sectors, prompting governments and private entities alike to intensify their discussions about the security of essential services.
Critical infrastructure and trend attacks
According to Ian Bramson, the threat environment is evolving. Attacks are becoming more sophisticated as nation-backed and independent actors have shifted their focus from information technology (IT) environments to operational technology (OT) environments.
Although there have been earlier examples, such as Stuxnet in 2010, attacks like the one on Colonial Pipeline have served as a warning sign that the public and private sectors should strengthen security for such systems. (In the Colonial Pipeline case the ransomware hit the company's IT systems; the operator halted pipeline operations as a precaution, which shows that an IT compromise alone can take an OT process offline.) At the same time, such incidents have piqued the interest of cybercriminals, as they've shown the potential payoff of executing a large-scale, high-impact attack.
“There are a lot of threat actors that now say, ‘Wait, wait, I can shut down an oil pipeline,’” Bramson explains. As attacks have become more sophisticated and the Ukraine conflict has intensified attacks on OT systems, more and more bad actors are gaining ground and adopting these types of attack. The real question for cyber specialists at present is “Will they adapt faster than we can evolve?”
The leadership knowledge gap
In Bramson’s opinion, board-level decision-makers don’t yet have an organized pattern for addressing these concerns. They’re still figuring out who is responsible for the security of their organizations’ operational technology (OT) environments. This stems from a lack of knowledge about how the information technology (IT) and OT teams and policies interact in their organization, which makes it difficult to determine who owns each area, who should be held accountable when something goes wrong, and how the overall structure works.
Although both IT and OT professionals are involved in security, their roles differ. IT teams focus on protecting data according to information security policies (confidentiality, integrity, and availability) and on preventing data breaches. OT teams are responsible for the security of the physical processes and the control systems that run them; their priorities are typically safety and availability first, and they are tasked with ensuring that operations remain running and uncompromised.
Any breach of an OT network can impact critical infrastructure, disrupt public services, affect the global economy, and put human lives at risk. This becomes a challenge when security attention and investment are weighted toward IT, and board-level leaders often don’t have clear insight into this distinction.
Translating OT and IT risks for the board
Bramson’s approach when explaining these risks to board members is to speak their language. “When cyber leaders go to the board, they give a lot of technical information,” he explains. “And it’s information the board doesn’t understand.”
Instead, he suggests CISOs and other cyber specialists:
- Explain cyber concepts as they would to a layman. On the OT side, for example, they should make it clear that the threat to OT isn’t just about stealing data. In this case, the bad guys are trying to disrupt operations which can have a tangible impact on the physical security of facilities and the safety of employees and members of the community at large.
- Show the impact on the company’s revenue and business risk. For example, a cyber leader at a power station would want to emphasize how a cyberattack could impact a facility’s ability to generate power and distribute it safely.
- Demonstrate what they are doing to detect and respond to incidents. Articulate how those actions and policies can minimize the impact of an attack.
Approaching the board
Bramson believes the best approach to engaging the board is to keep it simple. He suggests starting by framing the conversation around these basic questions:
- Do we know what we need to protect?
- Do we know where the holes are? Do we know how bad actors could get in?
- Can we see if someone has breached the system?
- Do we have a plan in place to get someone who has breached the system out of it?
According to Bramson: “Putting the issue into those simple terms can help board-level leaders understand what the right questions are, so that cyber specialists can drive the right conversations.”
Source: https://www.forbes.com/sites/forbesbooksauthors/2023/01/10/critical-infrastructure-why-its-the-new-target-for-cybercriminals-a-discussion-with-ian-bramson/