New research exposes dire vulnerabilities in the operational technology that protects infrastructure

By Ian Bramson, Global Head of Industrial Cybersecurity, ABS Group.

The nation’s ability to protect critical infrastructure from cyber attacks has come under the spotlight. Notable events such as the cyber attack on the U.S. Colonial Pipeline and recent Russian attacks on power stations in Ukraine have drawn the attention of the private and public sectors alike. In the U.S., the Biden Administration reacted to these attacks by adding a mandatory 72-hour maximum time frame for reporting cyber attacks to the Cybersecurity and Infrastructure Security Agency (CISA). Regulatory action may help to shore up the country’s defense against cyber threats; however, government oversight tends to move slowly, and even when fully implemented it can be limited in scope.

Take, for example, the recent TSA cyber regulations for pipelines, which created confusion and contained unwieldy requirements. These new regulations focus more on personal computers than on pipeline controllers, suggesting a lack of industry insight in the regulatory framework. Companies that build our critical infrastructure must lead the fight to secure operational technology (OT) environments from cyber threats, but are they equipped to do so? The numbers don’t look great.

Where are Organizations Lagging Behind? Just About Everywhere

A recent survey from the SANS Institute titled “Threat-Informed Operational Technology Defense: Securing Data vs. Enabling Physics” has exposed glaring holes in the industry’s capacity to prepare for inevitable cyber attacks on OT systems.

To start, an organization must know its points of vulnerability and have the ability to detect an attack. Sadly, many threats go undetected for an extended period, as in the SolarWinds attack in 2020. In that instance, threat actors had infiltrated the company’s “Orion” software for 6 months before the attack was even detected. According to the SANS survey, 30-40% of respondents don’t have a formal process to identify and inventory OT and industrial control system (ICS) assets, and 65% indicate their visibility into these control systems is limited. Without the ability to properly assess and detect vulnerabilities, these organizations remain exposed to potential cyber threats, a dangerous place to be in today’s heightened geopolitical climate.

Additionally, even once an organization is able to detect a threat, it needs a way to respond to it effectively. However, the SANS survey found that 47% of ICS organizations do not have dedicated 24/7 OT cybersecurity response resources to manage OT/ICS incidents. Furthermore, slightly more than 40% of organizations report not having completed training exercises to prepare for potential attacks. This startling lack of preparedness leaves critical infrastructure vulnerable to threat actors who increasingly seek to disrupt operations, with consequences that are both cyber and physical. Unlike attacks on information technology (IT), attacks on OT environments can result in physical harm to workers, equipment and the environment.

Why the Lack of Preparedness?

The results of the SANS survey also reveal the disconnect between workers on the front lines and the decision makers. Of survey participants, 61% indicate a gap exists between OT/ICS cybersecurity frontline teams and other parts of the organization in how cybersecurity risk to their ICS facilities is perceived. Responsibility for OT cybersecurity typically sits with IT, since the perception in the C-suite is often that the same solutions and practices that protect IT can be replicated in OT environments. However, this just isn’t the case. The Department of Homeland Security points out, “Standard cyber incident remediation actions deployed in IT business systems may result in ineffective and even disastrous results when applied to ICS cyber incidents, if prior thought and planning specific to operational ICS is not done.” Organizations need a clearly defined security structure that has knowledge of OT environments and does not rely on IT practices to protect OT systems from physical, real-world consequences.

The lack of cybersecurity programs in industrial environments has had massive impacts on the chemical industry, with a recent study out of the U.K. estimating that cyber attacks cost the industry £1.3 billion per year. The chemical sector is an appealing target because it deals in large sums and its organizations are especially invested in maintaining a positive brand reputation. If a cyber attack forces production to grind to a halt, the consequences are often severe, making companies highly motivated to pay large ransoms. In 2021, chemical distribution company Brenntag paid a $4.4 million ransom to prevent the hacker group DarkSide from leaking stolen data.

What Does the Future Hold? The Race to Build OT Cybersecurity

The good news is that organizations are becoming increasingly aware of the impact cybersecurity has on industrial settings and of the surging threat to OT environments. Results from the SANS survey show a trend towards greater investment in OT security practices, with increased visibility into control system assets (52%) and implementing ICS-specific network security monitoring (NSM) for control systems (51%) ranking as the top two budgeted initiatives for organizations within the next 18 months. On a broader scale, there is evidence of industrial and technology organizations from the private sector attempting to take the lead on cybersecurity initiatives and standards, rather than relying on federal mandates and compliance-based action to do the job. The Operational Technology Cybersecurity Coalition, formed in April of 2022, aims to lobby Washington to give the private industry that manages critical infrastructure a voice in how cybersecurity standards are created and implemented for OT environments.

The results of the SANS survey reveal how the industry is playing catch-up to a threat that’s already here. Companies managing critical infrastructure are severely lagging in OT cyber practices. Cyber attackers are no longer here just to steal data; recent attacks have demonstrated the harm that can be caused to people, equipment, and the environment if organizations are unable or unwilling to be proactive in the fight against cyber threats. It’s not “if” you will come under attack, but “when”. Is your organization OT cyber ready?