Thursday, December 26, 2024

Cybercriminals to have weaponised OT environments to successfully harm or kill humans by 2025

Organisations can reduce risk by implementing a security control framework

  • Organisations can reduce risk by implementing a security control framework, Gartner says.
  • Key challenge is the convergence of an increasingly OT-aware and capable threat landscape with the digital transformation of the industrial community.
  • Liability for cyber-physical security incidents will pierce the corporate veil to personal liability for 75 per cent of CEOs by 2024.
  • Financial impact of CPS attacks resulting in fatal casualties will reach over $50 billion by 2023.

Cybercriminals will have weaponised operational technology (OT) environments to successfully harm or kill humans by 2025 as the financial impact of cyber-physical system attacks (CPS) is expected to grow due to a lack of security focus and spending.

Attacks on OT – hardware and software that monitors or controls equipment, assets and processes – have become more common. They have also evolved from immediate process disruption such as shutting down a plant, to compromising the integrity of industrial environments with the intent to create physical harm.

Recent events like the Colonial Pipeline ransomware attack have highlighted the need for properly segmented IT and OT networks.

One of the main challenges facing the industrial community is the convergence of an increasingly OT-aware and capable threat landscape with the digital transformation of industry.

Wam Voster, senior research director at Gartner, said that in operational environments security and risk management leaders should be more concerned about real-world hazards to humans and the environment than about information theft.

“Organisations in asset-intensive industries like manufacturing, resources and utilities struggle to define appropriate control frameworks,” he said.

The research firm defines CPSs as systems that are engineered to orchestrate sensing, computation, control, networking and analytics to interact with the physical world (including humans).

Katell Thielemann, Research Vice-President at Gartner, said that liability for cyber-physical security incidents will pierce the corporate veil to personal liability for 75 per cent of CEOs by 2024.

She said that regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them.

Some governments have already increased the frequency and detail of the information they provide about threats to critical infrastructure-related systems, most of which are owned by private industry.

Ransomware, Trojans are key threats

According to Gartner, security incidents in OT and other CPS have three main motivations – actual harm, commercial vandalism (reduced output) and reputational vandalism (making a manufacturer untrusted or unreliable).

Gartner predicts that the financial impact of CPS attacks resulting in fatal casualties will reach over $50 billion by 2023.

Joint research by IBM X-Force and Dragos shows that ransomware and remote access Trojans are the most common attack types against enterprise networks connected to OT networks.

Ransomware attacks made up nearly one-third of all attacks on OT-connected organisations last year, underscoring the interest ransomware adversaries are taking in industrial victims.

Of all the ransomware attacks that hit industrial organisations between 2018 and 2020, including those in the electric, oil and gas, manufacturing, rail and mining industries, 56 per cent had an impact on operations.

After ransomware, which made up 30 per cent of attacks, remote access trojans (RATs) were the second-most common attack vector against organisations with connected OT networks in 2020 and 2021, making up 16 per cent of intrusions on these organisations.

Digital world to have a much greater effect

Thielemann said that CEOs will soon no longer be able to plead ignorance or retreat behind insurance policies.

“Even without taking the actual value of human life into the equation, the costs for organisations in terms of compensation, litigation, insurance, regulatory fines and reputation loss will be significant.

“Technology leaders need to help CEOs understand the risks that CPSs represent and the need to dedicate focus and budget to securing them. The more connected CPSs are, the higher the likelihood of an incident occurring,” she said.

With OT, smart buildings, smart cities, connected cars and autonomous vehicles evolving, incidents in the digital world will have a much greater effect in the physical world as risks, threats and vulnerabilities now exist in a bidirectional, cyber-physical spectrum.

“A focus on ORM (operational resilience management), beyond information-centric cybersecurity, is sorely needed,” Thielemann said.

Gartner urges organisations to adopt a framework of 10 security controls to improve their security posture across their facilities and to prevent incidents in the digital world from having an adverse effect on the physical world.

The 10 security controls

1. Define roles and responsibilities: Appoint an OT security manager for each facility, who is responsible for assigning and documenting roles and responsibilities related to security for all workers, senior managers and any third parties.

2. Ensure appropriate training and awareness: All OT staff must have the required skills for their roles. Employees at each facility must be trained to recognise security risks, the most common attack vectors and what to do in case of a security incident.

3. Implement and test incident response: Ensure each facility implements and maintains an OT specific security incident management process that includes four phases: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity.

4. Backup, restore and disaster recovery: Ensure proper backup, restore and disaster recovery procedures are in place. To limit the impact of physical events such as a fire, do not store backup media in the same location as the backed up system. The backup media must also be protected from unauthorised disclosure or misuse. To cope with high severity incidents, it must be possible to restore the backup on a new system or virtual machine.

5. Manage portable media: Create a policy to ensure all portable data storage media such as USB sticks and portable computers are scanned, regardless of whether a device belongs to an internal employee or external parties such as subcontractors or equipment manufacturer representatives. Only media found to be free from malicious code or software can be connected to the OT.

6. Have an up-to-date asset inventory: The security manager must keep a continuously updated inventory of all OT equipment and software.

7. Establish proper network segregation: OT networks must be physically and/or logically separated from any other network, both internally and externally. All network traffic between OT and any other part of the network must pass through a secure gateway solution such as a demilitarised zone (DMZ). Interactive sessions into OT must use multi-factor authentication at the gateway.

8. Collect logs and implement real-time detection: Appropriate policies or procedures must be in place for automated logging and review of potential and actual security events. These should include clear retention periods for security logs and protection of the logs against tampering or unwanted modification.

9. Implement a secure configuration process: Secure configurations must be developed, standardised and deployed for all applicable systems like endpoints, servers, network devices and field devices. Endpoint security software like anti-malware must be installed and enabled on all components in the OT environment that support it.

10. Formal patching process: Implement a process to have patches qualified by the equipment manufacturers before deploying. Once qualified, the patches can only be deployed on appropriate systems with a pre-specified frequency.
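As an added illustration (not Gartner's code and not part of the original article), the Python sketch below shows what controls 5, 7 and 8 look like once reduced to something a plant's security team can actually run: a hash-chained, append-only event store that makes any later edit or deletion detectable and enforces a retention period, plus a small set of real-time rules that flag interactive sessions into the OT zone that did not come through the DMZ gateway, PLC writes from hosts other than the approved engineering workstations, and removable media attached to OT hosts. The network ranges, host lists, log format and log lines are all constructed for the example; a real deployment would feed it from the gateway, the PLC/HMI syslog and the endpoint agent.

```python
"""Tamper-evident OT security log with simple real-time detection rules.

Added example for Gartner's controls 5, 7 and 8; not Gartner's or any
vendor's code.  Zone ranges, host lists, log format and sample log lines
are constructed for the illustration.
"""
from __future__ import annotations

import hashlib
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed zone definitions (assumption: the plant uses these ranges).
OT_ZONE = ipaddress.ip_network("10.20.0.0/16")        # PLCs, HMIs, historians
DMZ_GATEWAY = ipaddress.ip_network("10.10.5.0/24")    # jump hosts / secure gateway
ENGINEERING_WS = {"10.20.1.50", "10.20.1.51"}         # hosts allowed to write to PLCs

# Constructed log format: "<ISO-8601 time> <src-ip> <dst-ip> <event> [detail]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"(?P<event>\S+)(?: (?P<detail>.*))?$"
)


class TamperEvidentLog:
    """Append-only store where each entry's digest chains to the previous one.

    Editing or deleting any retained entry changes every later digest, so
    verify() pinpoints the first modified entry.  Expired entries are dropped
    as a block and the digest of the last dropped entry becomes the new
    anchor, so the retained window stays verifiable after pruning.
    """

    def __init__(self, retention_days: int):
        self.retention = timedelta(days=retention_days)
        self.anchor = hashlib.sha256(b"genesis").hexdigest()
        self.entries: list[tuple[datetime, str, str]] = []  # (time, line, digest)

    @staticmethod
    def _digest(prev: str, line: str) -> str:
        return hashlib.sha256(f"{prev}\n{line}".encode()).hexdigest()

    def append(self, line: str) -> str:
        ts = datetime.fromisoformat(LINE_RE.match(line)["ts"])
        prev = self.entries[-1][2] if self.entries else self.anchor
        digest = self._digest(prev, line)
        self.entries.append((ts, line, digest))
        return digest

    def verify(self) -> int | None:
        """Return the index of the first entry whose chain is broken, else None."""
        prev = self.anchor
        for i, (_, line, digest) in enumerate(self.entries):
            if self._digest(prev, line) != digest:
                return i
            prev = digest
        return None

    def expire(self, now_iso: str) -> int:
        """Drop entries older than the retention period; return how many."""
        cutoff = datetime.fromisoformat(now_iso) - self.retention
        keep = [e for e in self.entries if e[0] >= cutoff]
        dropped = len(self.entries) - len(keep)
        if dropped:
            self.anchor = self.entries[dropped - 1][2]
        self.entries = keep
        return dropped


def detect(line: str) -> list[str]:
    """Apply the real-time rules to one log line and return any alerts."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparseable line: " + line]
    src, dst, event = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]), m["event"]
    alerts = []
    # Control 7: interactive sessions into OT must arrive via the DMZ gateway.
    if event in ("ssh-login", "rdp-login") and dst in OT_ZONE and src not in DMZ_GATEWAY:
        alerts.append(f"interactive session to {dst} bypassed the DMZ gateway (from {src})")
    # Only approved engineering workstations may change PLC logic or setpoints.
    if event == "modbus-write" and str(src) not in ENGINEERING_WS:
        alerts.append(f"PLC write to {dst} from unapproved host {src}")
    # Control 5: removable media on an OT host is always worth a look.
    if event == "usb-attach":
        alerts.append(f"removable media attached on {dst}: {m['detail']}")
    return alerts


def ingest(lines: list[str], log: TamperEvidentLog) -> list[str]:
    """Store each line in the tamper-evident log and run detection on it."""
    alerts = []
    for line in lines:
        log.append(line)
        alerts.extend(detect(line))
    return alerts


# Constructed sample lines: a legitimate gateway login and PLC write, then a
# contractor reaching a PLC directly from the IT network and writing to it,
# then a USB stick plugged into an engineering workstation.
SAMPLE_LINES = [
    "2021-07-21T08:00:00+00:00 10.10.5.10 10.20.1.50 ssh-login user=eng1 mfa=ok",
    "2021-07-21T08:01:12+00:00 10.20.1.50 10.20.3.7 modbus-write fc=16 reg=40001",
    "2021-07-21T08:02:30+00:00 10.1.4.22 10.20.3.7 rdp-login user=contractor",
    "2021-07-21T08:03:05+00:00 10.1.4.22 10.20.3.7 modbus-write fc=5 coil=12",
    "2021-07-21T08:04:40+00:00 10.20.1.51 10.20.1.51 usb-attach vid=0781 pid=5591",
]


def tamper_demo() -> tuple[list[str], int | None]:
    """Ingest the samples, then rewrite the bypass login to hide it; return alerts and the first broken index."""
    log = TamperEvidentLog(retention_days=90)
    alerts = ingest(SAMPLE_LINES, log)
    ts, line, digest = log.entries[2]
    log.entries[2] = (ts, line.replace("10.1.4.22", "10.10.5.10"), digest)
    return alerts, log.verify()


if __name__ == "__main__":
    found, broken = tamper_demo()
    for a in found:
        print("ALERT", a)
    print("first tampered entry:", broken)
```

Running the script prints three alerts (the gateway bypass, the unapproved PLC write and the USB attachment) and reports entry 2 as the first tampered record after the simulated clean-up. The chain only proves integrity of what the store still holds, so in practice the anchor digest should be written somewhere the OT hosts cannot modify, such as a write-once store or a separate IT-side log collector, each time `expire()` advances it.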
