Protecting Critical Infrastructure Means Getting Back to Basics

Critical infrastructure organizations are undergoing dramatic changes in their technology and cybersecurity landscapes that make them both more efficient and more vulnerable. 

Power, oil and gas, utility, and other sectors that rely on operational technology (OT) are integrating more Internet of Things (IoT) and smart devices, while OT systems are being converged with IT operations that are steadily moving onto cloud platforms. The convergence of OT and IT streamlines operations, which enables organizations to make use of mobile computing, perform predictive analysis in the cloud, and expand their networks to include third parties and supply chain partners. But it also makes them more vulnerable to both external and internal cyberattacks.

Meanwhile, nation-state actors and cybercriminals increasingly are targeting the industrial and manufacturing sectors, especially if they involve critical infrastructure. Ransomware attacks, which are again on the rise after a lull in 2022, frequently target infrastructure, because the critical nature of their operations make it more likely that victims will pay ransom to unfreeze their systems.

Another reason attackers target industrial and manufacturing systems is that a lot of OT consists of older devices and sensors that are inherently unsecure because they weren't designed to be used in Internet-accessible environments. Original equipment manufacturers (OEMs) are applying security controls to new devices, but it likely will take years before they are fully integrated into existing systems.

The Real Threats May Not Be What You Think

Industrial and manufacturing organizations may once have been able to rely on the segregation of OT from IT, but they can no longer build an OT security strategy around segmented environments. Mixing OT and IT streamlines operations, but it also creates cybersecurity gaps that threat actors can take advantage of, leveraging the connectivity to move from one topology to another. Most attacks involving OT start with attacks on IT systems.

Securing the converged environments can become a complex challenge, compounded by the fact that it is difficult to find both security engineers and OT experts. As a result, most companies struggle with the delineation between OT and IT/security. 

Building a security strategy that encompasses the entire enterprise requires practicing the basics of security, understanding where weaknesses exist and the paths an attacker can take, conducting simulations, and practicing responses. And it helps to start by understanding a couple essential facts. 

Russia and China Aren't Your Biggest Concern 

Nation-states get the headlines, and with good reason. Russia, China, Iran, and North Korea are targeting critical infrastructure, which tends to be heavy with OT, and have been responsible for some of the most high-profile attacks in recent years, such as those on Colonial Pipeline. But most OT organizations should be more worried about opportunistic criminals looking to make money from ransomware or other profitable attacks.

It's Not the Devices; It's the Access 

Many OT devices are rife with vulnerabilities and need to be upgraded, but they are not the real problem when it comes to industrial systems being vulnerable. The real problem is the access to IT systems. Threat actors don't exploit OT devices directly. They take advantage of vulnerabilities in IT systems — most often misconfigurations and poor architecture — to gain access and then move through the network.

Practice, Practice, Practice

Protecting a converged OT/IT environment is less about modernizing old OT devices as it is about performing basic hygiene and ensuring that good IT and OT practices are in place.

To begin with, remember the old security dictum that you can't manage what you don't know you have. Rigorous asset management — bridging both IT and OT — is essential. That visibility allows you to identify the vulnerabilities most likely to be targeted by attackers and understand how an attack can be carried out.

It's also important to simulate attacks against the organization's assets, which will improve your ability to predict how and when those attacks could happen. Chief information security officers (CISOs) need to implement tight security programs that regularly simulate attacks, focusing on attacks against IT that cascade to OT and the shock points along the way. And then, do it again — practice, practice, practice. There is no silver bullet from a vendor that will solve your problems.

A vendor can help an organization with response readiness, determining where the choke points are between IT and OT. A third party can, for example, show you how to identify at an early stage any attack that bridges the perimeter and how best to mitigate it. It can also help with establishing simulations and training staff. After all, because hiring and retaining skilled IT pros is one of the biggest challenges in cybersecurity, improving the skills of the people you already have is especially important.

For critical infrastructure organizations, however, it still comes down to the basics. They need to first recognize that the technology and cybersecurity landscapes have changed. And then they must perform rigorous asset management and repeated simulations to enable their security teams to fend off even the most sophisticated threats. There may not be a silver bullet, but following a solid plan like that can help keep defenders ahead of modern and complex attacks made against their increasingly mixed IT and OT environments.