Cyber attacks are getting more frequent and more debilitating for companies. And now, the rapid pace of digitalisation has added another facet to the risk, with the physical equipment spread throughout the organisation opening up new attack surfaces. Today, the securing of operational technology (OT) has to carry at least as much weight as the more traditional information technology (IT) when it comes to cyber security.
Steve Quane, executive vice-president: network defense at Trend Micro, points out that a communication divide between OT and IT managers is often the first hurdle to overcome.
“OT probably doesn’t even talk to IT, even if it’s on the same network,” he says. “Sometimes our customers come to us when their security people have been given OT, and we have been asked to broker that conversation.”
Henk Olivier, MD of Ozone Information Technology Distribution, says organisations have to become more aware of the security risks that exist across both the physical and virtual planes. They also need to become increasingly aware of the difference between the two.
Not many companies know the risks that arise when unauthorised users gain physical access to their networks just by plugging directly into them, or by using a guest WiFi access point. A threat or a virus can easily be introduced to the network, especially if the guest network hasn’t been separated from the business one.
“I did a test in one of the airport lounges, searching for computers on the network using some network tools and I gained access to a few computers with open network shares that had no passwords protecting them,” says Olivier. “It took me less than two minutes to run the tool, access eight computers, and I could have done so much damage in that time. Companies have to control who accesses their network and how.”
The logical layer of software security across firewalls or antivirus software also has to be considered. These basic interventions are critical to the ongoing security of the company, regardless of its size. Firewalls and antivirus solutions are also useful tools in setting up access restrictions, managing devices and networks and establishing specific security rules.
Ultimately, software security is only as good as the rules created in the software, and it has to be bolstered by the latest security updates and versions.
“You have to constantly manage and monitor your software systems, ensuring that they are patched and prepared and secured against the latest threats or vulnerabilities,” says Olivier. “As for hardware, it is only as good as the system running on it and the policies put in place to prevent physical access to the hardware. It is possible to enter a network through poorly protected or regulated hardware.”
There are so many different moving parts to the security machine. There’s the software, the hardware, the physical access controls, the logical software level access, the backups and, of course, the backups of the backups. These are a measure of how rapidly the business can recover after it has been breached, held to ransom or attacked.
“IT and the network cannot operate in isolation, they have to work together to mitigate the security threat,” concludes Olivier. “Organisations should also be open to learning from one another, open to new technology, and be capable of adapting as rapidly as the market and threats adapt. Few organisations can say that they operate in isolation. Rather be exposed to new technologies as, while they may introduce risk, they also allow access to new solutions that can make a difference in how the organisation copes in the event of a security breach.”
Mike Bergen of GECI International points out that a holistic approach is not always possible, since OT systems in most traditional heavy industries and infrastructure facilities have been run in silos behind “air gaps” for so long that the board assumes they are safe from attack.
“Traditional approaches are no longer enough to secure heavy industry and infrastructure from cyberattacks,” he warns. “The traditional ‘air gap’ between IT and OT is closing amid new business requirements associated with digitalisation, and this is increasing the potential attack surface and hence the cyber risk.
“We see a growing trend for ransomware and crippling attacks launched against key systems that keep infrastructure and societies functioning worldwide.”
But motivating for additional spend on top of existing, traditional cybersecurity budgets can be challenging.
Bergen recommends outlining the significant risks the organisation could face in the event of an attack, including costly production outages leading to financial losses, catastrophic safety failures and environmental damage leading to potential liability issues, or theft of corporate IP resulting in a loss of competitive advantage.
GECI partner CyberX notes that the discussion with the board around OT security should be framed as a strategic one, rather than a technology issue. Key factors to be considered are risk management and regulatory and compliance requirements – particularly in those organisations providing essential services such as energy, water, health care, banking and financial services and digital infrastructure.
Key metrics on system maturity and risk should be presented to the board in an unambiguous, comprehensive and understandable way. These metrics should be directly linked to enterprise goals and strategies and clearly measure the consequences of alternatives. Importantly, potential financial losses should be modelled to present a financially-based position statement on the importance of securing industrial and OT assets.
Bergen adds: “Thousands of attacks are getting through even the best organisational defences. The South African Banking Risk Information Centre (SABRIC) states that South Africa has the third-highest number of cybercrime victims worldwide, losing about R2,2-billion a year to cyber attacks.
“In the US for example, 53 cities were hit last year by ransomware attacks, usually demanding hundreds of thousands of dollars to reinstate the victim’s systems. In the first six months of this year, 25 to 30 more US cities were attacked, and in August, 23 cities in Texas alone were hit by ransomware.
“Dozens of large and small companies worldwide have also suffered costly attacks recently. In this country, a much-publicised attack on Johannesburg’s City Power was met with shock, particularly by electricity clients in that city. But that is just the beginning. South Africa is a wide-open cybersecurity target market. And as the doors close for cyber criminals overseas, they will be heading to our shores. It’s no longer a matter of “if”, but “when” you will be attacked.”
As seen in Futurewave