Situation critical: Operational tech and cyber security resilience

  • Attacks on critical infrastructure have been in the news of late, with electricity, gas and water just some of the targets of cyber criminals.

  • The convergence of operational and information technology is creating new avenues for hackers to cause disruption.

  • Governments are increasing regulation requirements on critical infrastructure organisations, but resilience will be the key to holistic business security.

In the last few years, a spate of high-profile attacks on critical infrastructure has made headlines.

In 2019, a ransomware attack on a major South African electricity supplier left a quarter of a million people without power.1 In 2021, an intruder accessed the control system of a water treatment facility in Oldsmar, Florida, with the aim of adulterating the water supply.2 Just months later, hackers gained access to the IT systems of the United States’ Colonial Pipeline; the company shut the pipeline down as a precaution, and widespread fuel shortages followed.3

Such attacks are not new. Many of us will remember Stuxnet, the malware discovered in 2010 that sabotaged centrifuges at Iran’s uranium enrichment facility, or the attacks on the Ukrainian power grid in 2015 and 2016.4 But with cyber attacks in general on the rise, and state-based actors threatening governments and business alike,5 the potential for catastrophic damage to critical infrastructure is an area of increasing concern.

Governments are implementing critical infrastructure reform in the hope of achieving greater situational awareness of threats. Defending against such incursions, however, requires more than knowledge that they exist. As a new PwC report, Building cyber resilience in critical infrastructure, explains, it requires a holistic approach to building resilience.

The risk of convergence

In many sectors, particularly industrial ones, critical infrastructure organisations are experiencing a growing convergence of information technology (IT), such as traditional office-based computer systems, and their operational technology (OT) systems, such as industrial machinery and assets. 

Traditionally, these two environments were kept fairly separate, but as automation and data-driven analysis have become critical to business decisions they have become increasingly entangled. The result is a larger attack surface (i.e. more ways in) for nefarious actors: a foothold gained through an ordinary IT channel such as phishing or a remote-access service can now become a path to systems that control physical processes.

The advantages this mix of IT and OT offers, such as business efficiencies and agility, mean that avoiding or reducing the convergence of the two is not a viable way to mitigate its risk. Instead, more focus needs to be given to strengthening resilience across the IT/OT divide, in particular by uplifting the maturity of OT systems and processes, which often lag well behind IT practice.

Five factors for holistic resilience

As outlined in more detail in the report, governments are placing increasing focus on tighter regulatory control and an all-hazards approach to resilience. It should go without saying, therefore, that organisations need to be aware of their legislative obligations at all levels. Beyond compliance, there are other challenges that need to be addressed more holistically. As attacks on critical infrastructure become inevitable rather than merely possible, organisations will need to shift from prevention alone to a resilience-based approach spanning people, processes and technology.

Here are five areas to focus on to achieve resilience:

  • Hack from within - Penetration testing, or hacking your own systems to find vulnerabilities, does happen within critical infrastructure IT environments, but it is often seen as too risky for core OT systems. The concern is well founded: many controllers and field devices were never designed to handle unexpected traffic, and active scanning can stall or crash them. But there are methods, and specialists, that can help businesses undertake such testing safely and still gain assurance, for example by testing against a replica or test environment rather than live equipment, favouring passive traffic analysis over active probing on production networks, and scheduling any intrusive tests in agreed maintenance windows with engineering staff on hand.

  • Create an OT cyber champion - Expanding the role of the CISO to include operational technology is a good idea (provided they have the authority and mandate to change what needs changing). Alternatively, appoint an OT cyber champion who can elevate the topic of OT security across the workforce.

  • Think bigger - Utilities and other critical infrastructure organisations are used to resilience-based thinking when it comes to natural disasters and other more ‘traditional’ emergencies. Scenario planning, and practice-testing, should be expanded to include cyber hazards at a company-wide level.

  • Advanced continuity - Continuity plans that deal with events threatening business operations, including defining responsibilities, mitigation and restoration, should be expanded to cover ransomware (the most prominent cyber threat in recent times) and what to do if systems go down, or need to be shut down, in response to an attack (as Colonial did).6

  • Measure your success - Resiliency can only be sustained or improved if its success is being measured. Accurate data and the right metrics to use, such as risk reduction and compliance markers, will be crucial.

Mission critical

Cyber maturity has been on the rise in the utilities sector, but other areas of industry are yet to see the same degree of executive and board involvement. As perceived threats rise locally and globally, the barriers to progress (such as a lack of investment or expensive legacy technology) need to be addressed with urgency. As cyber threats become more sophisticated and increasingly target critical infrastructure operators, organisations must assess and uplift their cyber resilience now.

Breaches are financially costly, but when it comes to the machinery that runs society, from energy to banking, telecommunications, healthcare, food, defence, transport and everything in between, the impacts of an attack could have far greater, and far more damaging, consequences. 

It’s critical that resilience is built up now.

For more information on addressing the challenges of today’s cyber landscape, visit PwC Australia’s cyber security hub.



References

  1. https://www.bbc.com/news/technology-49125853
  2. https://www.washingtonpost.com/nation/2021/02/09/oldsmar-water-supply-hack-florida/
  3. https://www.politico.com/news/2021/05/08/colonial-pipeline-cyber-attack-485984
  4. https://www.bbc.com/news/technology-35297464
  5. https://theconversation.com/cyberattacks-are-on-the-rise-amid-work-from-home-how-to-protect-your-business-151268
  6. https://www.politico.com/news/2021/05/08/colonial-pipeline-cyber-attack-485984