U.S. officials and private security experts have warned that this country’s physical infrastructure is being threatened by growing stealth attacks from sophisticated nation-state adversaries and criminal hacking rings. Hackers linked to a Russian military intelligence unit have taken credit for striking multiple water utilities in Texas already this year. Each time, the Russian attackers have reportedly posted videos on social media to show off their manipulation of software interfaces that are used to control physical equipment inside the water plants. Officials believe that one attack in January caused a tank at a Texas water facility to overflow.
In recent Congressional testimony, FBI Director Christopher Wray openly warned that China’s hackers “are targeting our critical infrastructure—our electrical grid, our oil and natural gas pipelines, our transportation systems—and the risk that poses to every American requires our attention now.”
When the FBI chief feels compelled to issue such a candid statement before Congress, that seems like an apt time for the American public to consider the core structural issues behind this alarming threat.
The Difference Between IT Cybersecurity and OT Cyber Risk
First off, it is critical to make a clear distinction between cybersecurity and cyber risk management. Cybersecurity involves securing all of an organization’s information technology (IT) and data, which is the domain of CISOs and security operations centers. However, facilities operators are largely responsible for securing the operational technology (OT) that’s used to manage physical plants for power, transportation, and energy systems.
OT components include controls for heating and cooling, telecommunications, and building cameras and security systems. Often there is a gap or gray area between the CISO and the OT manager over who oversees security and risk for certain OT systems and devices. Vulnerabilities can include backdoors hidden in equipment that install malware which later compromises related systems and devices. Other threats involve cutting off power sources to damage hardware, or shutting down machines to cause system failures.
Cyber risk management accounts for the probability of these attacks and the estimated severity of various types of incidents. In this way, businesses can model the potential damages that a successful attack would inflict. A cyber risk management approach needs to recognize an organization’s state of cybersecurity at any point in time, but it also must estimate how heavily the business is targeted based on its industry, size, location, customer base, and other parameters.
CISOs in critical infrastructure industries face the challenge of securing both their enterprise IT infrastructure and OT environments whose equipment is continually connected to the internet for management and maintenance. This connectivity of applications and infrastructure creates a vector that can expose equipment to cyber incidents and ransomware attacks. When threat actors succeed with a ransomware attack on an OT system, the disruptions can lead to production shutdowns, fulfillment delays, and damage to the brand’s reputation, as well as a maze of safety, legal, and regulatory concerns.
Taking Steps to Analyze and Prevent OT Cyber Risk
Cyber risks are all too abundant at OT facilities, from employees who lack training on how to recognize phishing emails to partners who lack basic cybersecurity programs. The risks can also involve contractors who are improperly onboarded and offboarded, or acquired facilities that never implemented basic cyber hygiene practices such as password management policies.
To address this multifaceted problem from all sides, CISOs and CFOs need to get a better handle on the many complex scenarios they face, and which security measures should receive top priority based on a cost-benefit analysis. They also need to develop repeatable practices to quantify cyber risk in monetary terms and to evaluate the ROI of mitigation strategies. This approach optimizes cybersecurity investments while also preparing the organization to obtain adequate cyber insurance coverage in compliance with recent SEC regulations on cybersecurity.
New strategies for OT risk mitigation include cyber risk quantification and management (CRQM) tools that give CISOs and CFOs an advantage by assessing the full range of business damages that could be caused by vulnerabilities. CRQM tools help by thoroughly analyzing the impacts of any potential cyber incidents, and then prioritizing the top sources of risk for mitigation. Cyber risk assessments can also enhance cybersecurity assessments by adding contextual information to the evaluation. In this way, organizations can proactively manage their cyber risk portfolio to prioritize risk mitigation projects and make clearly informed cybersecurity investment decisions.
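As an added illustration (not from this article or any CRQM product), the following Python sketch shows one common way to put the probability-times-severity idea above into monetary terms: an annualized loss expectancy (ALE) per scenario, and a ranking of mitigation projects by ROI. The water-utility scenarios, likelihoods, loss figures, and mitigation effects are constructed placeholders, not real data.

```python
"""Cyber risk quantification worked example (added illustration, not from the
article or any vendor). All scenario and mitigation figures are constructed."""
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    annual_probability: float   # likelihood of at least one incident per year
    loss_per_incident: float    # severity in dollars: downtime, recovery, fines

@dataclass
class Mitigation:
    name: str
    annual_cost: float
    scenarios: tuple                  # scenario names this control applies to
    probability_factor: float = 1.0   # multiplies likelihood (0.4 = cut by 60%)
    loss_factor: float = 1.0          # multiplies loss per incident

def annualized_loss(scenarios):
    """ALE across the portfolio: sum of probability x severity per scenario."""
    return sum(s.annual_probability * s.loss_per_incident for s in scenarios)

def apply_mitigation(scenarios, m):
    """Return a new scenario list with the control's effect applied."""
    return [Scenario(s.name, s.annual_probability * m.probability_factor,
                     s.loss_per_incident * m.loss_factor)
            if s.name in m.scenarios else s for s in scenarios]

def mitigation_roi(scenarios, m):
    """(ALE reduction, ROI) where ROI = (reduction - annual cost) / annual cost."""
    reduction = annualized_loss(scenarios) - annualized_loss(apply_mitigation(scenarios, m))
    return reduction, (reduction - m.annual_cost) / m.annual_cost

def prioritize(scenarios, mitigations):
    """Rank controls by ROI, best first: (name, ALE reduction, ROI)."""
    ranked = [(m.name, *mitigation_roi(scenarios, m)) for m in mitigations]
    return sorted(ranked, key=lambda r: r[2], reverse=True)

# Constructed portfolio for a hypothetical water utility (placeholder numbers)
SCENARIOS = [
    Scenario("ransomware_ot_shutdown", 0.10, 2_000_000),
    Scenario("remote_hmi_manipulation", 0.05, 5_000_000),
    Scenario("contractor_phishing_it", 0.30, 250_000),
]
MITIGATIONS = [
    Mitigation("segment_ot_from_internet", 150_000,
               ("ransomware_ot_shutdown", "remote_hmi_manipulation"), probability_factor=0.4),
    Mitigation("tested_offline_backups", 40_000, ("ransomware_ot_shutdown",), loss_factor=0.5),
    Mitigation("phishing_training", 20_000, ("contractor_phishing_it",), probability_factor=0.6),
]

if __name__ == "__main__":
    print(f"baseline ALE: ${annualized_loss(SCENARIOS):,.0f}")
    for name, reduction, roi in prioritize(SCENARIOS, MITIGATIONS):
        print(f"{name:28s} ALE reduction ${reduction:>10,.0f}  ROI {roi:5.2f}")
```

With these constructed numbers, network segmentation removes the most loss in absolute terms, but tested backups rank first on ROI, which is the kind of trade-off a cost-benefit prioritization surfaces.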
With more dangerous foreign attacks escalating on U.S. infrastructure almost every day, it is no longer practical to overlook or disregard the potentially devastating risks that lurk in our mundane operational technology. More comprehensive cybersecurity and cyber risk assessments will be needed to guard against these attacks and their potential harm to critical infrastructure and the American public.