
Bouncing back from a cyber attack

Organisations need to move away from victim blaming when cyber attacks on OT systems occur and focus on fostering collaboration between teams to minimise downtime, among other efforts to bounce back and return to business

You could argue there's always something an organisation might have done better to dodge a cyber attack. 

Networks and devices need to be secure by design. But even then, too many projects are still undertaken where secure by design isn't considered, known or understood as a concept. Other projects are considered secure by design, yet the designer does not fully grasp the principles of securing a specific network medium, for example the differences between securing wired networks and Wi-Fi or radio frequency (VHF/UHF) networks.

While there's an appreciation of the fundamental importance of security in IT, that can't always be said of operational technology (OT). The security posture of OT and IoT systems is going through the same pains IT did 20 years ago, building these skills and understanding, often from scratch.

The Asia-Pacific (APAC) region is on the pulse of IoT adoption, with spending expected to reach $437bn by 2025. Big tech, car manufacturers, consumer electronics, and even healthcare providers are aggressively pushing smart devices, and for good reason. Networked devices bring infinite benefits to consumers and businesses alike, from efficiency and support to real-time visibility and action.

But the millions of new devices joining networks daily are expanding the threat surface, creating new points of access for hackers to exploit, whether to steal data or to use a device as an attack vector or entryway into other parts of the network.

In fact, APAC was the most cyber-attacked region last year, accounting for 31% of global incidents. Numbers like these have made victim blaming a common occurrence.

A cyber attack, or rather, the act of cyber crime, is still a crime. And while greater involvement and offensive capabilities from law enforcement will support the cause, organisations need to remember that when a disaster strikes, it’s about what you do next.

You could look at it like a customer service issue. If confronted by an unhappy customer, an organisation knows to listen to them, identify a solution, and follow up with them to ensure the issue is resolved and doesn’t happen again – this is how you make good on an issue and encourage a return to business. Alternatively, if none of those efforts are made, disaster will inevitably strike again and again, and force customers to move away from the business’s services.

In the case of a cyber attack, the inconceivable has already happened – all you can do now is bounce back. 

The big picture issue is that too often IoT (internet of things) networks are filled with bad code, poor data practices, a lack of governance, and underinvestment in secure digital infrastructure. Due to the popularity and growth of IoT, manufacturers of IoT devices spring up overnight promoting products that are often constructed from lower-quality components and firmware which, because of poor design and production practices, can carry vulnerabilities that are sometimes already well known. These vulnerabilities are then introduced into a customer environment, increasing risk and possibly remaining unidentified.

So, there’s a lot of work to do, including creating visibility over deep, widely connected networks with a plethora of devices talking to each other. All too often, IT and OT run on the same flat network. Many of these organisations are planning segmentation projects, but they are complex and disruptive to implement, so in the meantime companies want to understand what's going on in these environments and minimise disruption in the event of an attack.

Unlike wired networks, gaining successful and reliable visibility and detection tools for wireless networks in the OT and IoT space is challenging as many products are incapable of operating in the wide frequency ranges used in the OT space. However, there are now tools capable of monitoring a wide bandwidth and detecting malicious wireless traffic and behaviour. 

Systems downed, here’s how to reboot

When cyber defences are shot and a threat actor gains access through your IoT and OT network, collaboration between teams is essential to minimise casualties and downtime and enable a successful restart.  

Typically, maintenance and engineering teams will lead and navigate this process, relying on documentation and blueprints of the device network. Their experience in cold-starting a physical site after a significant outage is invaluable, as is their know-how in updating or confirming changes to safety and production before reboot. It’s imperative that maintenance and engineering – the ‘reboot’ team – maintain communication with health and safety teams at this stage.

In the case a critical device or programmable logic controller (PLC) needs to be replaced because of an incident, a partial or full system re-commissioning may be required. This could extend as far as testing individual devices and circuits to ensure correct operation. 


The reboot team will need to identify any change in a given system and ensure all changes have been captured and accounted for. It’s important to identify whether anything has altered that might require a revisit to a Job Safety Analysis or similar document. There are multiple factors that must be considered, including network configuration such as firewall rules, where a change could trigger a need to re-certify an installation before restart.
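As an added illustration of the change-capture step (example code, not from the article or Nozomi Networks), the snippet below compares a pre-incident configuration baseline with the post-incident state of two OT devices and flags which differences would trigger re-certification or a Job Safety Analysis revisit. The device names, fields and the rule that firewall-rule or safety-setpoint changes force re-certification are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Any

# Assumed site policy (not from the article): a change to these fields
# forces re-certification / a Job Safety Analysis revisit before restart.
RECERTIFY_FIELDS = {"firewall_rules", "safety_setpoints"}


@dataclass(frozen=True)
class Change:
    device: str
    field: str
    before: Any
    after: Any
    recertify: bool


def diff_configs(baseline: dict, current: dict) -> list[Change]:
    """Return every field that differs between the two snapshots.

    A device missing from either snapshot (removed, or unknown hardware
    that appeared during the incident) is reported as a whole ("*") and
    always flagged for re-certification.
    """
    changes: list[Change] = []
    for device in sorted(set(baseline) | set(current)):
        before_cfg, after_cfg = baseline.get(device), current.get(device)
        if before_cfg is None or after_cfg is None:
            changes.append(Change(device, "*", before_cfg, after_cfg, True))
            continue
        for field in sorted(set(before_cfg) | set(after_cfg)):
            b, a = before_cfg.get(field), after_cfg.get(field)
            if b != a:
                changes.append(Change(device, field, b, a, field in RECERTIFY_FIELDS))
    return changes


def needs_recertification(changes: list[Change]) -> bool:
    return any(c.recertify for c in changes)


# Constructed sample snapshots: one PLC and the OT edge firewall in front of it.
BASELINE = {
    "plc-line1": {"firmware_hash": "aaa111", "safety_setpoints": {"max_rpm": 1500}},
    "fw-ot-edge": {"firewall_rules": ["allow 10.0.1.0/24 -> plc-line1:502"]},
}
CURRENT = {
    "plc-line1": {"firmware_hash": "bbb222", "safety_setpoints": {"max_rpm": 1500}},
    "fw-ot-edge": {"firewall_rules": ["allow 10.0.1.0/24 -> plc-line1:502", "allow any -> plc-line1:502"]},
}

if __name__ == "__main__":
    for c in diff_configs(BASELINE, CURRENT):
        print(f"{c.device}.{c.field}: {c.before!r} -> {c.after!r} recertify={c.recertify}")
```

In the constructed sample, the new any-source firewall rule is flagged for re-certification while the changed PLC firmware hash is only reported, so the team can separate documentation updates from approvals that must happen before restart.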

Once the environment is safely back online, an organisation needs to take into account its insurance, legislation, and pre-start approvals from other parties that may not have applied pre-incident, and assess whether anything has changed that could trigger a need for a policy update.

It should also be emphasised that businesses may need legal assistance when involving a third-party investor relations consultancy in the process. In certain cases, companies have experienced a worsened reputation due to third-party disclosures about compromised systems and processes within their facilities. 

Last but not least, patience is a virtue. The reboot team needs to allow sufficient time for systems to reboot and start up, because some processes can take several days to reach safe operating conditions.

Big picture defence

Turning back to defensive capabilities, the problem has been a chronic under-investment across the region in how countries and organisations build their cyber security posture across IT, OT, and IoT systems and networks. But the tide is changing – slowly but surely. 

Australia, for example, is expected to spend 5.5% of its total technology spend on security solutions by the end of this year. While this is only half of the 10% benchmark considered best practice, Gartner predicts we’ll see an increase in 2024. Some 87% of Australian and New Zealand CIOs and technology executives say cyber security will receive their largest increase in technology investment in the year ahead.

This comes at a time when Australia is at the forefront of collective cyber security regulation. The Security of Critical Infrastructure (SOCI) Act of 2018, amended in 2021 and again in 2022, is an example of an APAC government raising the security bar for infrastructure providers. This legislation sets out to adopt an all-hazards security approach to cyber and information security.

While it’s critical for APAC organisations to follow such frameworks and ensure they’ve invested in the latest ransomware and security tools to effectively protect themselves, cyber crime is still a crime – it happens when you least expect it.

We equally need to see a move away from victim blaming when cyber attacks occur and focus on how to bounce back. It’s an arms race after all. 

Marty Rickard is director of customer success and technical support for Asia-Pacific at Nozomi Networks
