Are We Effectively Managing the Risk of “Digital Virus” Attacks on our Critical Infrastructures?

Recently, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warned companies operating critical systems about potential cyber threats following a ransomware attack on a natural gas compression facility. The attack caused the entire pipeline involved to shut down for two days. Similarly, Croatia’s largest gas station chain was impacted by a cyber-attack. The news headlines are filled with such cybersecurity incidents, indicating a growing risk to businesses and critical infrastructures.

[Figure: Cyber incidents by vertical (DHS 2016)]

Incidents responded to by the Department of Homeland Security (DHS) in 2016 provided an early indication of the risk to key US infrastructures such as critical manufacturing, energy, water, transportation, etc. Some of these verticals include extensive connected operational technology (OT) infrastructure. An example of OT infrastructure in water utilities is process control systems involving SCADA, advanced metering, HVAC, telecommunication, etc. Networks comprising OT equipment and devices present numerous challenges when it comes to cybersecurity. For example, OT devices are often not designed with cybersecurity in mind. While the connected capital equipment is meant to last for many years, the software components within them have a relatively shorter life cycle. Adversaries typically invest in finding security vulnerabilities in software components. Hence, if these OT systems aren’t upgraded to software versions that are well maintained for cybersecurity, they can serve as targets for cyber-attacks. According to Verizon research, more than 70% of cyber-attacks exploited publicly known vulnerabilities!

Further, OT experts aren’t always well versed in cybersecurity and, while IT personnel usually have a degree of cybersecurity knowledge, they sometimes struggle with fully understanding OT. As a result, many IT security practices applied to OT have ended up creating operational disruptions. For example, vulnerability scanning is a common IT cybersecurity practice. However, many OT devices shut down or reboot under active scanning. Hence, active scanning isn’t recommended while the devices are performing important operations.
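The two preceding paragraphs make a practical point: the inventory and vulnerability picture that IT teams normally get from active scanning has to come from somewhere else in OT, because probing can reboot the devices. The script below is an added illustration (not ResiliAnt code and not from the original article) of the passive alternative: it builds an asset inventory from device banners already observed on the network, as a span-port sensor would report them, and compares each device's firmware against an advisory table. The traffic records, the vendor and model names, and the advisory identifiers are all constructed placeholders.

```python
"""Passive OT asset inventory with advisory matching (added example).

No packets are sent to any device: the input is metadata a passive network
sensor already observed. Every value below is constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed sensor output: timestamp, source IP, protocol, and the
# vendor/model/firmware banner seen in that device's own traffic.
OBSERVED_TRAFFIC = [
    "2024-03-01T08:00:11Z 10.10.1.21 modbus vendor=ExamplePLC model=X100 fw=2.1.3",
    "2024-03-01T08:00:15Z 10.10.1.22 dnp3 vendor=ExampleRTU model=R7 fw=4.0.0",
    "2024-03-01T08:01:02Z 10.10.1.21 modbus vendor=ExamplePLC model=X100 fw=2.1.3",
    "2024-03-01T08:02:40Z 10.10.1.30 http vendor=ExampleHMI model=H2 fw=1.8.9",
]

# Constructed advisory table with placeholder IDs (not real CVEs):
# "vendor model" -> list of (highest affected version, fixed version, advisory id)
ADVISORIES = {
    "ExamplePLC X100": [("2.1.9", "2.2.0", "ADV-PLACEHOLDER-001")],
    "ExampleHMI H2": [("1.8.9", "1.9.0", "ADV-PLACEHOLDER-002")],
}


@dataclass
class Asset:
    ip: str
    protocol: str
    vendor: str
    model: str
    firmware: str
    first_seen: str
    last_seen: str
    findings: list = field(default_factory=list)  # (advisory id, fixed version)


def parse_version(version: str) -> tuple:
    """Turn '2.1.3' into (2, 1, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def parse_line(line: str):
    """Split one sensor record into timestamp, ip, protocol and key=value attributes."""
    timestamp, ip, protocol, *pairs = line.split()
    attrs = dict(pair.split("=", 1) for pair in pairs)
    return timestamp, ip, protocol, attrs


def build_inventory(lines) -> dict:
    """Derive one Asset per IP from passively observed records, tracking last-seen time."""
    inventory = {}
    for line in lines:
        timestamp, ip, protocol, attrs = parse_line(line)
        asset = inventory.get(ip)
        if asset is None:
            inventory[ip] = Asset(ip, protocol, attrs["vendor"], attrs["model"],
                                  attrs["fw"], timestamp, timestamp)
        else:
            asset.last_seen = timestamp
    return inventory


def match_advisories(inventory: dict, advisories: dict) -> dict:
    """Attach a finding to every asset whose firmware is at or below an affected version."""
    for asset in inventory.values():
        product = f"{asset.vendor} {asset.model}"
        for max_affected, fixed, advisory_id in advisories.get(product, []):
            if parse_version(asset.firmware) <= parse_version(max_affected):
                asset.findings.append((advisory_id, fixed))
    return inventory


def vulnerable_assets(inventory: dict) -> list:
    """Return the IPs that need a firmware update, in address order."""
    return sorted(ip for ip, asset in inventory.items() if asset.findings)


if __name__ == "__main__":
    inventory = match_advisories(build_inventory(OBSERVED_TRAFFIC), ADVISORIES)
    for ip in vulnerable_assets(inventory):
        asset = inventory[ip]
        for advisory_id, fixed in asset.findings:
            print(f"{ip} {asset.vendor} {asset.model} fw={asset.firmware}: "
                  f"{advisory_id}, update to {fixed}")
```

The comparison is intentionally conservative: a device whose firmware equals the highest affected version is still flagged, which is the case for the HMI above. In a real deployment the advisory table would be refreshed from the vendor's published notices, which is exactly the "keeping track of new vulnerabilities" task the survey respondents struggle with.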

Cybersecurity awareness, including associated risk factors and applicable practices, is also needed among the executive leadership team. When it comes to cybersecurity, some executives only think about data and IT systems, while others think about perimeter controls such as firewalls and access management. Some executives delegate relevant responsibilities entirely to the IT teams. The analysis of many cybersecurity incidents in the water sector, however, reveals that executive leadership can benefit from staying engaged in this critical enterprise risk management topic. The key learnings are:

  • The frequency of cyber-attacks on water utilities is increasing, indicating a higher probability of facing cyber-attacks

  • Many of the cyber-attacks impact OT infrastructure, causing operational disruptions and financial impact

  • Many cyber-attacks are insider-led, requiring focus not only on the perimeter controls but also on internal vigilance, process, policies and culture
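"Internal vigilance" in the last bullet is easier to act on with a concrete check. The script below is an added example (not part of the original article and not ResiliAnt code) of the kind of review a utility can run over its HMI audit trail: each control-system write is compared with the shift roster, the account's role, and the workstation network it came from. The audit lines, account names, tag names, and the 10.10.2.0/24 engineering subnet are constructed placeholders.

```python
"""Roster- and role-based review of HMI audit events (added example).

Input lines are constructed to look like a control-system audit log. The
roster and the engineering subnet are assumptions for the example.
"""
import ipaddress
from datetime import datetime

# Constructed audit trail: one line per HMI action.
AUDIT_LOG = [
    "2024-03-01T02:14:05Z user=jdoe host=10.10.2.15 action=write tag=PUMP3_SETPOINT old=55 new=120",
    "2024-03-01T09:30:00Z user=asmith host=10.10.2.16 action=write tag=CL2_DOSE old=1.2 new=1.3",
    "2024-03-01T10:05:12Z user=bviewer host=10.10.2.16 action=write tag=CL2_DOSE old=1.3 new=4.0",
    "2024-03-01T11:00:00Z user=asmith host=192.0.2.44 action=read tag=TANK_LEVEL",
]

# Constructed roster: account -> assigned shift (start hour, end hour, UTC) and role.
ROSTER = {
    "jdoe": {"shift": (6, 14), "role": "engineer"},
    "asmith": {"shift": (8, 16), "role": "engineer"},
    "bviewer": {"shift": (8, 16), "role": "viewer"},
}

# Assumed: the only network from which control writes are expected.
ENGINEERING_NET = ipaddress.ip_network("10.10.2.0/24")


def parse_event(line: str) -> dict:
    """Split 'ts key=value ...' into a dict; the timestamp is stored under 'ts'."""
    timestamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = timestamp
    return event


def review_events(lines, roster: dict, allowed_net) -> list:
    """Return (timestamp, user, reasons) for every event that violates a rule.

    Rules: the account must be on the roster, must act inside its shift,
    may only write if its role is 'engineer', and must come from allowed_net.
    """
    alerts = []
    for line in lines:
        event = parse_event(line)
        reasons = []
        entry = roster.get(event["user"])
        if entry is None:
            reasons.append("unknown_account")
        else:
            # 'Z' suffix replaced for compatibility with older fromisoformat().
            hour = datetime.fromisoformat(event["ts"].replace("Z", "+00:00")).hour
            start, end = entry["shift"]
            if not start <= hour < end:
                reasons.append("outside_shift")
            if event["action"] == "write" and entry["role"] != "engineer":
                reasons.append("write_by_non_engineer")
        if ipaddress.ip_address(event["host"]) not in allowed_net:
            reasons.append("host_outside_engineering_network")
        if reasons:
            alerts.append((event["ts"], event["user"], reasons))
    return alerts


if __name__ == "__main__":
    for timestamp, user, reasons in review_events(AUDIT_LOG, ROSTER, ENGINEERING_NET):
        print(timestamp, user, ", ".join(reasons))
```

Three of the four constructed events are flagged: a setpoint change at 02:14 by an engineer whose shift starts at 06:00, a write by a view-only account, and a read from an address outside the engineering network. None of these rules depends on the perimeter; they are exactly the process and policy checks that catch an insider or a misused credential.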

[Figure: Cybersecurity incidents in the water sector; OT cybersecurity; insider threats]
[Figure: Executive job loss due to cyber breaches; FTC cases for failing to have reasonable cybersecurity practices and defenses]

A 2019 Ponemon Institute survey involving 1,700 utility professionals further supports the preceding analysis. About 56% of respondents reported at least one shutdown or operational data loss per year, with many reporting outages, damage, injury, and even environmental consequences. The survey also reported that insider threats represented the majority of attacks in OT. A separate 2019 Ponemon Institute study involving 700 IT and IT security practitioners from organizations with OT infrastructure revealed that 45% of organizations experienced attacks involving IoT/OT assets.

Executive leaders can be held liable, especially when the risk involves operational disruptions and insiders. To that point, the FTC has brought more than 60 cases against companies for failing to have “reasonable” or “industry standard” cybersecurity practices, defenses and responses. There have been cases in which executives, and in some cases members of the board of directors, have lost their jobs as a result of cybersecurity breaches.

Cost to government from cyber-attack

While sovereign immunity provides some legal protection to federal and state government entities, many government entities nonetheless had to pay fines or settlements related to cybersecurity breaches. There are some exceptions as determined by statute where claims may be allowed against government entities. For example, if property damage, injury or death occurs due to negligence or a wrongful act, legal claims can be brought forward under the FTCA or similar state laws. Typically, the cost of managing cybersecurity is much less than the cost of managing disruptions, fines and reputational loss. When executive leadership is fully engaged, they can enable ROI-minded approaches to ensure effectiveness, efficiency and adaptability in cybersecurity risk management.

Key challenges and a solution approach

The Ponemon Institute study involving 1,700 utility professionals also reveals the key challenges organizations face in managing cybersecurity. They are:

  • a lack of visibility into operating assets

  • keeping track of new vulnerabilities and threats impacting organizational assets and networks

  • a lack of alignment between OT and IT security

  • an incorrect belief that protections designed for IT are effective for OT

  • a lack of investment in training and personnel

  • human capital gaps, including difficulty procuring and building industrial cyber skills

  • a lack of a response plan and a slow response to past incidents

Clearly, these challenges can neither be solved by implementing a single technology solution nor via a one-time activity. They require an organization to take a programmatic approach that includes cross-functional engagement with an appropriate operating mechanism involving all areas such as technology, processes, policies, people and culture. The program has to be championed by operating or line executives, supported by IT, security and OT leaders, and be linked to the Board of Directors’ risk oversight process.

ResiliAnt has developed a proprietary solution to help organizations manage their IIoT/OT cybersecurity risks, inclusive of a platform that helps address all of the challenges mentioned above starting from tracking inventory, vulnerabilities and threats to training personnel, mitigating risks, and responding efficiently when an incident takes place. If you have interest in learning more about ResiliAnt’s solution, you can reach us at info@resiliant.co.