Operational technology (OT) systems underpin the critical infrastructure (CI) that almost everyone relies on every day. This includes hospitals, public transport, electrical grids, water and sewage systems, food and groceries and freight services.[1] Attacks on OT can lead to a breakdown in essential services, cause injuries, or even result in loss of life depending on the target and the severity of the attack. For example, an attack on water treatment systems could release toxins into drinking water, putting the population at risk of poisoning. Consequently, it’s no surprise that a spotlight is being shone on cybersecurity for OT systems.
The Australian government has introduced the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) to legislate for the severity and immediacy of the risk facing CI operators. The SLACIP Act identifies 11 critical infrastructure sectors that must abide by increased security and reporting requirements to protect Australia’s essential services. This has become necessary due to the increasing cyberthreats targeting OT, as well as the ongoing severity and velocity of attacks targeting IT, which can be just as catastrophic for CI operators.
Originally, cybersecurity was not required for OT systems as they were not connected to the internet. They were safely tucked away in air-gapped environments where they could only be reached by the most brazen physical attacks. However, as OT and IT have converged, more OT systems have become interconnected and accessible remotely via the internet. This creates a growing risk that OT systems will be targeted by cybercriminals. In fact, recent examples of attacks on OT include the Colonial Pipeline attack and the attack on JBS Foods. Both of these attacks involved the use of ransomware which targeted IT systems, forcing the organisations to shut down their OT systems due to inadequate cybersecurity protection.
Colonial Pipeline was hit with a ransomware attack in 2021 that halted all pipeline operations for six days.[2] Costs to the organisation included a US$5 million ransomware payment on top of the substantial costs involved in remediating the attack, as well as the cost of downtime to the business and the reputational damage it suffered as a result of the attack.[3]
The JBS Foods attack, also in 2021, also involved ransomware and targeted IT systems. It led to the company paying the equivalent of US$11 million in ransom.[4] Meanwhile, production lines were shut down due to lack of protection for OT systems, and the company was unable to operate for a short time.
Most commonly, cybercriminals focus on stealing data from IT systems; however, a recent Fortinet Operational Technology and Cybersecurity report revealed that 61 per cent of intrusions impacted OT systems and, of those intrusions, 90 per cent required hours or longer to restore the services.[5] This delay is concerning given the critical nature of the services that may be disrupted.
The Fortinet 2022 State of Operational Technology and Cybersecurity Report found that an overwhelming 93 per cent of organisations experienced an intrusion in the past 12 months, and 78 per cent experienced more than three.[6] Other than downtime, impacts also included financial loss and brand degradation. What this means is that organisations in critical infrastructure should review their approach to cybersecurity due to the highly problematic risks that cyberthreats pose.
There are three ways critical infrastructure operators can increase the cybersecurity of their OT:
- Visibility
Look for a cybersecurity provider that delivers continuous and comprehensive visibility on any devices on the network to monitor user behaviours. Traffic visibility provides actionable intelligence meaning OT security teams can dictate allowed traffic, ports, protocols, applications, and services. - Uninterrupted monitoring
The cybersecurity provider should be continually monitoring and analysing user behaviours on the network. This helps teams to gather intelligence about known and unknown threats. OT insights with monitoring are also beneficial to always understand user and device behaviour. This lets cybersecurity teams identify anomalous behaviour and act appropriately to mitigate threats. - Controls
Having a cybersecurity provider with a range of controls will bolster the level of protection provided. Examples of these include sandboxing for threat detection and automated quarantine, network segmentation and micro-segmentation for a layered and levelled approach with zones and multifactor authentication to ensure the correct assigned permissions and access.[7]
It’s crucial that critical infrastructure operators review their OT cybersecurity to ensure they are working with the right provider for their specific needs. Cyberthreats are becoming more advanced, happening more often, and causing serious damage to many CI organisations. A cybersecurity vendor should cover the OT security best practices and requirements for the entire converged OT-IT network.
Wavelink partners with Fortinet, a leader in OT security planning and solutions. To learn how we can help your CI organisation prepare for the SLACIP Act and harden your OT security, contact the Wavelink team today.
[1] https://www.cisc.gov.au/compliance-and-reporting/overview
[2] https://static.poder360.com.br/2021/05/colonial-ataque-sibernetico-8mai2021.pdf
[3] https://www.cnbc.com/2021/06/08/colonial-pipeline-ceo-testifies-on-first-hours-of-ransomware-attack.html
[4] https://jbsfoodsgroup.com/articles/jbs-usa-cyberattack-media-statement-june-9
[5] https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/report-2022-ot-cybersecurity.pdf
[6] https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/report-2022-ot-cybersecurity.pdf
[7] https://www.fortinet.com/solutions/industries/scada-industrial-control-systems/what-is-ot-security
