As cyber threats evolve and persist, a pressing need to build greater resilience in OT
For several days in May 2021, there were long queues at petrol stations up and down the East coast of the United States. These were caused not by fuel shortages or rising energy prices, but by a cyber attack against the Colonial Pipeline Company. Ransomware delivered by a well-known criminal group paralysed its operations, preventing it from pumping as much as 3 million barrels of fuel per day between Texas and New York.
This very public incident brought home our dependence on the Operational Technology (OT) systems that underpin our most important services. Energy and water suppliers, transport and manufacturing companies, education and healthcare organisations: all these and many others are critical to our lives as citizens and to the economic security of our nations.
They depend on a huge range of devices, and on the hardware and software which monitors and controls their operations. In recent decades, these have been transformed by technology, but as control systems have been increasingly digitised and connected to the internet, the opportunity for cyber attacks has grown dramatically.
Cyber criminal groups and some nations have seized these opportunities. Over the last 3 years, we have seen countless attacks on operational technology.
Water treatment plants in Israel and Florida were tampered with, Honda’s global vehicle manufacturing was brought to a halt, a hospital in Germany was unable to admit patients, some schools in the UK lost student data, and pharmaceutical companies were taken offline. Attackers seek to disrupt business operations either to extort money or to create chaos and exert pressure for political reasons.
Every advanced nation faces these challenges, because operational technology is where cyber security and the physical world come together. We need to ask how to protect our critical services: to harden our networks and devices against attack and to make our systems more resilient. In short, how do we prevent the disruption of the services we all rely on at home and at work?
In response to this challenge, Singapore’s Cyber Security Agency (CSA) published an OT Cybersecurity Masterplan in 2019. Last year, despite the Covid-19 restrictions, CSA brought together the Operational Technology Cybersecurity Expert Panel (OTCEP). Members are drawn from many countries, reflecting the fact that no one is immune from cyber threats and we all have an interest in sharing ideas and learning from one another.
Last year’s OTCEP forum explored some common problems in approaching the cyber defence of these operational systems and organisations. Many attacks are delivered through poor ‘IT hygiene’ — a failure to get the basics of defence right, for example in patching and upgrading software. Criminals are constantly scanning for these basic weaknesses and will exploit them in real time if they are given the chance.
The event also discussed the culture of these critical organisations, which are often not as advanced in cyber security as financial services and other sectors which are used to being targeted by criminals. But operational organisations, for example in the energy or maritime sectors, have highly developed health and safety policies and procedures. Their staff exercise these regularly. How can we build the same cultural approach to cyber security in the operational space?
Last year’s conference also recommended a change of mindset for OT cyber professionals, away from a checklist or tick-box approach to security. We all need to move from assessing risk and putting the right policies in place for compliance reasons, to actually reducing cyber risks in the real world. We need to make things better rather than simply filling in the forms. Compliance matters, but it is not enough in itself.
I took part in many discussions last year, including one with members of Singapore’s civil aviation sector on how to assess the risks coming from the supply chain. Even if you believe your own network defence is good, what about the hundreds or thousands of suppliers that are linked to you? How can you improve their security and prevent them from compromising your critical organisation?
Finally, last year’s meeting looked at how to improve skills and increase the flow of talent. Even in a country with a highly successful education system like Singapore’s, there is simply not enough cyber security talent. This is a global problem. We need to find ways of upskilling those who are already very expert in operational technology and industrial systems, and helping them to think in terms of IT security and cyber threats.
These cyber threats to operational technology — to the critical systems we rely on — can only be met by government and private sector working in partnership. Together, we can build a safe and secure environment and we can become resilient against cyber attacks.