Almost all organisations operating in today’s hyperconnected digital society understand the importance of cyber security and continue to invest in strategies to improve their security posture to defend against threats. According to data from the Australian Cyber Security Centre (ACSC), it responded to 2,266 cyber security incidents from June 2019 to June 2020 and, on average, assists six entities to respond to cyber security incidents each day.
The Australian federal budget has allocated $42 million for building stronger security defences around infrastructure assets deemed critical. This funding would also assist critical infrastructure owners and operators to respond to significant cyber attacks.
However, despite the growing awareness of cyber threats and of the importance of maintaining a strong security posture, some organisations remain unaware of the nuances involved in creating a strong cyber security strategy. In particular, businesses are failing to grasp the potential risks introduced by the convergence of information technology (IT) and operational technology (OT).
This lack of awareness is one of the biggest threats to organisational security. Without understanding the different needs of OT and IT, businesses will fail to efficiently defend their systems, assets, and company against cyber criminals. For organisations that operate in the critical infrastructure space, this can have far-reaching impacts on wider society.
For example, the Triton malware, first discovered at a petrochemical plant in the Middle East, can disable safety systems, which could cause a disaster on a massive scale. Triton is the first known malware specifically designed to attack the industrial safety systems that protect human lives.
Cyber security must be incorporated into the overarching business strategy. Failing to do this will expose businesses and communities to new threats and vulnerabilities. Fortunately, CISOs can assist boards of critical infrastructure organisations to better understand the risks associated with the convergence of IT and OT and help them to elevate their security posture for a better and more strategic defence.
Building stronger cyber security from the ground up
In the first instance, boards and business leaders must clearly understand the differences between IT and OT, and their specific security-related needs. Too often, business leaders incorrectly assume that implementing cyber security strategies for corporate IT tools and networks will be sufficient to also protect OT systems and processes. In fact, the unique features of OT systems make them difficult to secure, and IT-focused security solutions aren’t appropriate for OT.
It’s critical to recognise the different security strategies that IT and OT will need independently, as well as what gaps or vulnerabilities are exposed when the two converge. Whereas IT systems are largely concerned with cyber activity, and primarily need security focused on confidentiality and data protection, OT systems operate more in the physical world and interact with real-world assets, making safety and productivity more of a priority. A successful cyber attack on OT systems will have ramifications that are felt in the real world, such as physical injuries, the breakdown of systems required for the smooth running of society, or even death.
As a result, programs must be developed for the security of both IT and OT. This will make it easier for boards to:
- identify potential implications for the core business — and for wider society — if an attack were to occur;
- determine the investment requirements needed to prevent this; and
- set cyber security practices accordingly.
When it comes to developing an effective cyber security strategy, it’s essential that organisations in the critical infrastructure space have a comprehensive understanding of what assets they have, who has access to these assets, and who controls the access. Understanding the flow of information and access is a fundamental step in developing an effective cyber security strategy and strengthening the organisation’s security posture.
Establish, execute, and evaluate the strategy
Managing OT security effectively is essential for risk management. It’s crucial that CISOs help boards understand the assets in their environment that could fall victim to a cyber attack and the potential repercussions. They need to establish a set of metrics, based on risk appetite, against which standards can be measured. It’s one thing to be able to establish and execute a cyber security strategy, but the real benefit comes from measuring it against set metrics.
It’s not enough to put security systems in place and assume that the controls are working. Cyber security is a constantly changing and evolving landscape, and it’s essential that businesses continuously assess their systems to monitor the effectiveness of their security controls. They need to review and validate their processes and technologies. This will help to build resilience and go a long way towards reducing the potential consequences of a cyber attack.
Corne Mare is the chief information security officer (CISO) at Fortinet