As threat actors continue to target manufacturing plants and utilities, boards of directors and executives are beginning to better understand the value of securing the operational technology (OT) that underpins this critical infrastructure.
The days where OT and IT environments were completely separate are long gone, but questions about securing traditional IT infrastructure have still traditionally taken priority over those surrounding critical OT systems. Executives now better understand the potential risks of an increasingly automated OT environment, but they are also realizing that existing enterprise IT security programs do not include OT, CISOs at critical infrastructure organizations said at a Tuesday Dragos event.
“We’re seeing executives, board of director members, CEOs, CFOs, presidents, all these different organizations at executive levels realize that enterprise risk, enterprise security didn’t mean the enterprise, it meant enterprise IT,” said Robert Lee, CEO of Dragos in a Tuesday event. “And it’s for all the right reasons we do that amazing work in enterprise IT. We don’t want to not invest in our IT infrastructure, it supports a lot of what we do and it enables the business. But it is that OT infrastructure that is the purpose of the business, it is that critical part, that ability to impact society, the ability to drive revenue at those companies.”
Part of the challenge when it comes to OT is that “copy and pasting” the same IT security approaches is not viable for these systems, which face different threats, use different technologies, network communications and protocols, and could yield very different impacts if attacked. As OT systems become more connected and automated, it’s making it more difficult to understand systems as a whole, and that complexity makes root cause analysis more challenging.
A number of high-profile cyberattacks have hit critical infrastructure entities in the past few years, including ransomware attacks like the ones on Colonial Pipeline and Maersk. As recently as two weeks ago, Schneider Electric’s sustainability division was also impacted by ransomware. At the same time, one of the more formidable threats in the OT security landscape has been the emergence of malware called PIPEDREAM, a custom-built framework developed by a state-level threat group that was discovered in 2022. PIPEDREAM is scalable, has the ability to target 15 types of OT devices, and can set the stage for disruptive and destructive cyberattacks.
"There’s a level of understanding - and a desire for further understanding - that our boards and executives are asking for and essentially requiring."
“It’s difficult to overstate the importance of that development, the ability to have a piece of malware that can potentially impact multiple types of OT systems,” said Michael Daniel, President and CEO of the Cyber Threat Alliance on Tuesday. “That is an enormous change in the threat landscape, and it starts to move OT much closer to the threat landscape that enterprise IT systems have faced for years.”
All of this is encompassed by recent efforts by the U.S. government and CISA to secure industrial control systems (ICS) by developing a number of security performance goals for critical infrastructure sectors and by expanding the Joint Cyber Defense Collaborative (JCDC) - an agency effort to develop cyber defense plans with both public and private sector entities - to focus on ICS security by bringing in new partners. Both of these developments have put the level of risk associated with OT security on the radar of executives. Jason Nations, director of Enterprise Security at OGE Energy Corp. said that conversations around OT security are “radically different than they were four to five years ago.”
“There’s a level of understanding - and a desire for further understanding - that our boards and executives are asking for and essentially requiring,” said Nations. “Things like the SEC regulation, to understand what materiality means to us and how that works, I think those are all questions many companies are dealing with now… part of that is the regulation that our industry faces and that the world around us is moving.”
Challenges still remain in this area when it comes to securing smaller operators grappling with limited resources. However, Lee and other executives expressed optimism due in part to a push for more collaboration between government and private sector entities on securing OT.
“Luckily we are seeing some really good strides… not only are there some leading organizations doing quite a bit in cybersecurity of operational technology, but again the policy makers are doing a good job of amplifying it, and more than ever before, we are seeing, especially in the United States, government and non-government organizations working really closely together,” said Lee.