
How critical infrastructure operators can secure OT data

Cohesity’s CISO discusses the challenges of securing data in operational technology systems and what can be done to mitigate security threats

With critical infrastructure under relentless attack by threat actors, the importance of protecting data stored in operational technology (OT) systems that keep industries and economies humming has become more critical than before.

Yet, a recent study conducted by Cohesity across the UK, US and Australia revealed that backing up and protecting data was a priority and crucial capability for just over half of more than 2,000 IT decision-makers. Only four in 10 SecOps respondents said the same.

In an interview with Computer Weekly, Brian Spanswick, chief information security officer (CISO) and head of IT at Cohesity, sheds light on the data protection challenges faced by operational technology operators and how they can secure OT data and prioritise their efforts.

What are the key challenges that critical infrastructure operators are facing when protecting data stored on OT systems? Could you elaborate from a people, process and technology perspective?

Spanswick: The key challenge that organisations and their IT and security teams face when protecting data is how they can manage and protect the data to ensure their core systems, business processes and operations are not disrupted. This is important regardless of where the data is stored because an organisation’s attack surface is defined by its business-critical data.

Malicious actors gain leverage by focusing on the sensitivity of the data and/or the criticality of that data to core business processes. This is why we see acutely targeted attacks, as malicious actors look to disrupt operations and potentially impact revenue. We also see malicious actors threatening to release sensitive data or demanding multiple payments to be able to retrieve data in a restorable form in ransomware campaigns.


Ransomware attacks create significant data protection and business continuity challenges for organisations. The first level of ransomware attacks was fairly common and unsophisticated, and could be mitigated with traditional backup and recovery solutions.

The next level of ransomware attacks started destroying backups first, then encrypting production data. This type of attack is designed to reduce the target’s ability to recover operations from backups, which limit the attacker’s ability to demand ransom.

Finally, and most recently, ransomware attacks are focused on encrypting, exfiltrating or stealing data to expose the data or sell it unlawfully as part of double extortion schemes.

To address this challenge from a people, process and technology perspective, it is vital that different parts of an organisation come together to address sophisticated cyber threats. For example, ITOps and SecOps can collaborate to deliver a cohesive security posture that focuses on preventing a breach and minimising the impact of a breach. This will require organisations to implement processes, policies and security controls that allow data to be protected and recovered in the face of adverse cyber events.

Modern data management platforms that align with zero-trust principles and provide capabilities such as data visibility, anomaly detection, snapshot immutability, and identity and access management will help to enable this level of cyber resilience.

What types of data stored on OT systems are most valuable and susceptible to cyber threats?

Spanswick: Simply start by focusing on what data is vital for your business to continue to operate, and on data whose level of sensitivity is such that, if leaked or stolen, it could have a significant business impact.

If the exploitation of the data will cause significant business impact, then it is valuable to malicious actors and is susceptible to cyber attacks.

How would the growing convergence of OT and IT systems shape or change the way we look at data protection, including backup and recovery, in OT systems?

Spanswick: First, it’s important to recognise that OT and IT systems independently and together are vital in establishing cyber resilience, which is centred on the premise of being able to continuously deliver business outcomes and operations despite an adverse cyber event.

When cyber resiliency becomes your objective, instead of compliance to a published standard, your focus is on conducting business securely. This defines the requirements your targeted security posture needs to address to ensure your organisation can continue to function during a cyber event.

The questions that companies should be able to answer are: Can you restore a certain file individually, or do you need to do a full restore? How long does this take? Do you have immutable backups with time-relevant snapshots? Is your data encrypted in transit and at rest? Do you test your backups against your targeted recovery time and recovery point objectives?

Are critical infrastructure operators backing up their OT data? Why and why not?

Spanswick: OT data is foundational to critical areas of operations – a breach to OT systems can risk core business process operations and expose critical data. There is still some maturity required among organisations in prioritising backup and data protection as part of their organisation’s security posture and planned response to a cyber attack.

Based on research we did in April 2022 across the UK, US and Australia of over 2,000 IT decision-makers and SecOps professionals, only 54% of IT decision-makers said backup and data protection was a top priority and a crucial capability, while only 38% of SecOps respondents said the same.

Many organisations focus on “protect controls” to reduce the likelihood of a breach, but they also need to look at security controls that limit the impact of a breach. This means ensuring your recovery capabilities can meet aggressive recovery time and point objectives, so that you can resume business operations while minimising the impact of a ransomware attack. 

In that same research, when respondents were asked what would give their organisation greater confidence that they could recover business systems quickly in the event of a ransomware attack, almost half (44%) of all respondents said greater communication and collaboration between IT and security was key.

When there is a large-scale attack, such as the cyber attacks on JBS or Colonial Pipeline, the question most often asked of the CISO is: Do we back up our data? Previously, that was the right question to ask when backups offered good protection against accidental data deletion by a user, a major disaster or even some early ransomware attacks.

But to understand an organisation’s current level of exposure, the question to be answered is: How quickly can we recover core business processes, and from what recovery point? Having an answer to that question that aligns with the objectives of your business validates your state of cyber resiliency.
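The recovery questions above (immutable, time-relevant snapshots; tested recovery time and recovery point objectives) can be turned into a routine check. The following is an added illustration, not Cohesity's code or any product's API: it evaluates a constructed snapshot catalogue per core business process and reports where the recovery point objective (RPO) or recovery time objective (RTO) is not demonstrably met. Field names, process names and objectives are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Hypothetical catalogue record; field names are assumptions, not a real backup API.
@dataclass
class Snapshot:
    process: str                        # core business process the data supports
    taken_at: datetime                  # when the snapshot was captured
    immutable: bool                     # cannot be altered or deleted before expiry
    restore_test_secs: Optional[int]    # last full restore test duration, None if never tested

def assess_resilience(snapshots: List[Snapshot],
                      objectives: Dict[str, Tuple[timedelta, timedelta]],
                      now: datetime) -> Dict[str, List[str]]:
    """Return {process: findings}; an empty list means RPO and RTO are both met.

    objectives maps process -> (rpo, rto). Only immutable snapshots count,
    because a mutable copy can be destroyed before production data is encrypted.
    """
    report: Dict[str, List[str]] = {}
    for process, (rpo, rto) in objectives.items():
        findings: List[str] = []
        usable = [s for s in snapshots if s.process == process and s.immutable]
        if not usable:
            report[process] = ["no immutable snapshot available"]
            continue
        age = now - max(s.taken_at for s in usable)
        if age > rpo:
            findings.append(f"RPO missed: newest immutable snapshot is {age} old, objective {rpo}")
        tested = [s.restore_test_secs for s in usable if s.restore_test_secs is not None]
        if not tested:
            findings.append("RTO unverified: no restore test recorded")
        elif timedelta(seconds=max(tested)) > rto:
            findings.append(f"RTO missed: restore took {max(tested)}s, objective {rto}")
        report[process] = findings
    return report

# Constructed sample data: one OT historian and one IT billing process.
NOW = datetime(2024, 1, 15, 12, 0)
SAMPLE_SNAPSHOTS = [
    Snapshot("scada-historian", NOW - timedelta(hours=2), True, 1800),
    Snapshot("scada-historian", NOW - timedelta(minutes=30), False, None),  # mutable: ignored
    Snapshot("billing", NOW - timedelta(hours=30), True, None),             # stale, untested
]
OBJECTIVES = {"scada-historian": (timedelta(hours=4), timedelta(hours=1)),
              "billing": (timedelta(hours=24), timedelta(hours=2))}

if __name__ == "__main__":
    for process, findings in assess_resilience(SAMPLE_SNAPSHOTS, OBJECTIVES, NOW).items():
        print(process, findings or ["OK"])
```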

Which levels in the Purdue Model should critical infrastructure operators be more concerned with from a data protection point of view?

Spanswick: Understanding where critical data is, how it is stored, and how it transits through your systems is the first critical step. Understanding your core systems and how they use data to support core business processes is a critical component to controlling your attack surface.

If you look at what might be perceived as the traditional vulnerabilities within an OT environment, let’s say in accordance with a framework like the Purdue Model, these would typically be classified as existing at the Process Level/Level 0, the Control Level/Level 1, and the Supervisory Level/Level 2.

Most enterprises would say their vulnerabilities lie in the Internet Demilitarised Zone/Level 5, the Enterprise Admin Level/Level 4, or the Ops Admin Level/Level 3. Organisations should focus on how they can become agile and robust enough to respond to attacks at Levels 3 to 5, while locking down Levels 0 to 2 as much as possible.

At Cohesity, we help organisations manage, protect and recover their data – regardless of whether it is IT, OT, or both – that in turn helps them create cyber resiliency, and ultimately maintain business continuity.
