krunja - stock.adobe.com
Critical infrastructure under relentless cyber attack
A lack of visibility into the attack surface, inadequate security staffing and reliance on manual processes undermine operational technology security capabilities, a study reveals
At least one cyber attack in the past two years resulted in downtime at half of organisations relying on operational technology (OT), including critical national infrastructure providers, a survey has revealed.
In the same period, 45% of respondents said they had experienced an attack that involved OT or internet connected devices (internet of things), according to the Cybersecurity in operational technology report by the Ponemon Institute, sponsored by security firm Tenable.
The report said 37% reported a “significant disruption” to business processes caused by malware, 33% reported a cyber attack caused “significant downtime”, 23% reported that they had been hit by nation state attacks and 60% said disruptive cyber attacks are among the threats they are most worried about.
“Nation-state attacks are especially concerning in the OT sector because they’re typically conducted by well-funded, highly capable cyber criminals and are aimed at critical infrastructure,” the report said.
The report is based on the analyses of responses from 701 representatives of the US, UK, Germany, Australia, Mexico and Japan working in industries that rely on industrial control systems (ICS) and other forms of OT.
The report revealed that cyber attacks are relentless and continuous against OT environments. Most organisations in the OT sector have experienced multiple cyber attacks causing data breaches and/or significant disruption and downtime to business operations, plants and operational equipment, with many being hit by nation-state attacks, the report said.
The finding showed cyber attacks are having an effect on physical systems, according to Eitan Goldstein, senior director, strategic initiatives at Tenable. “That is a really big change and that’s why the risk isn’t just theoretical anymore,” he told the BBC, adding that one of the main reasons for the increase in attacks on these systems is increased connectivity to the internet to enable remote analytics and maintenance.
Read more about ICS security
- Cyber attacks targeting industrial control systems on the rise.
- The security of industrial control systems (ICS) is at risk in key verticals due to under staffing, under investment and human error, a report reveals.
- Security alert for vulnerabilities in Siemens PLCs.
- Cyber attackers specialising in industrial control systems are fast, efficient and able to move between IT and OT environments, a study has revealed.
Analysis of the data shows that OT sector organisations expect significant threats in 2019, with many concerned about third parties misusing or sharing confidential information and OT attacks resulting in downtime to plant and/or operational equipment. “Worries about nation-state attacks continue at a significant level,” the report said.
According to another recent report, malicious cyber activity increased to almost half of the industrial infrastructure protected by security firm Kaspersky Lab in 2018, but the UK is among the most secure countries, ranking fifth after Ireland, Switzerland, Denmark and Hong Kong.
The top three countries in terms of the percentage of ICS computers on which Kaspersky Lab prevented malicious activity were Vietnam (70%), Algeria (69.9%) and Tunisia (64.5%).
Overall, the Ponemon report said organisations using OT are facing challenges to improve cyber security. Few organisations have sufficient visibility into their attack surface, and gaining the required visibility will continue to be a challenge due to a combination of staff shortages and heavy reliance on manual processes.
However, the report also found that the C-level is heavily involved in the evaluation of cyber risk. C-level technology, security and risk officers are most involved in the evaluation of cyber risk as part of their organisation’s business risk management, the report said, with nearly half of organisations attempting to quantify risk from cyber events.
The data shows 48% of organisations in the OT sector, compared with just 38% in the non-OT sector, attempt to quantify the damage a cyber event could have on their business, and they are most likely to quantify the impact based on the downtime of OT systems.
Top priorities
Although 2019 governance priorities vary, the report said increasing communication with the C-suite and board of directors about cyber security threats facing the organisation and ensuring third parties have appropriate security practices to protect sensitive and confidential data are top priorities for 2019.
The top security priority in 2019 is to improve the ability to keep up with the sophistication and stealth of attackers. “This isn’t surprising given the significant number of OT sector organisations that have suffered a nation-state attack in the past 24 months,” the report said.
Sylvain Gil, vice-president of products and co-founder at security firm Exabeam, said the issue with industrial systems is that many of them are 10-20 years old in some cases.
“Often there is not necessarily a practical way to upgrade them due the criticality of their availability, and because industrial networks were designed before cyber threats emerged, they lack the visibility and policy enforcement layers that enterprise IT networks have.
“We need more insight into the behaviours of these systems,” he said. “They are rudimentary and were never thought to be vulnerable to people outside the operating facility – but they certainly are.
“We’ve seen enough examples that we know they can be manipulated, not just in terms of being used for cyber crime, but also in terms of having physical consequences, like a shutdown or explosion,” said Gil.
The report recommends that organisations using OT
- Improve communication with the C-suite and board of directors about the cyber threats facing the organisation to identify and address gaps between the risk appetite and actual risk exposure.
- Improve visibility into the attack surface. Blind spots can result in unmanaged and unsecured IT and OT systems. Complete visibility is required for organisations to assess their risk.
- Increase the use of automated processes to compensate for the security staff shortage.
- Continue to recognise the security impact of interdependencies between IT and OT systems. Vulnerabilities and other weaknesses in IT systems can put interconnected OT systems at risk, and vice versa.