Critical infrastructure is receiving intense attention globally, and particularly in Australia, where heightened awareness of cyber risk and of the threat actors involved coincides with amendments to the Security of Critical Infrastructure Act 2018 that are currently before parliament.
Critical infrastructure, defined by the Critical Infrastructure Centre as “the systems and infrastructure the public rely on to deliver essential services that are crucial to our way of life”, relies heavily on Operational Technology (OT) and Industrial Control Systems (ICS). These are often legacy systems that are decades old and were never designed to be connected to corporate IT networks, let alone the internet. The disruptions to critical infrastructure in recent months, including the Colonial Pipeline and JBS incidents, confirm that the risk to OT/ICS is real for every operator. No industrial operation is immune, and wherever you are on your industrial cybersecurity journey, the important thing is to start strengthening cyber defences and resilience now.
Understanding risk
Some risks are straightforward to deal with, such as giving remote workers access to your organization’s industrial environment for asset maintenance, process management or optimization: without OT-specific remote access controls in place, you are exposing your organization to risk unnecessarily. Other risks need to be analyzed in the context of your particular environment to determine the right actions to take to reduce industrial cyber risk.
Actions: Every industrial environment has more vulnerabilities than could ever be mitigated, so start by mapping your asset inventory (vendor, model and firmware version) against a comprehensive database of the security flaws known to affect those specific asset models. Next, assess how feasible it is for an adversary to reach and exploit each flaw and then move further into your network to damage or disrupt operations. Risk scoring that produces nuanced assessments for individual assets, zones, and even whole industrial sites gives you a deep understanding of risk and of the trade-offs involved as you decide on a mitigation strategy.
Prioritizing risk
No organization has the resources, bandwidth or permissible downtime required to fully mitigate every risk it faces, and even if it did, that would not be a wise use of those precious resources. This is especially true in industrial environments, where availability is directly tied to the bottom line. The disruption and downtime needed to implement a new security control, patch or system upgrade is often a non-starter, and making changes to the multimillion-dollar systems that run production environments frequently voids vendor warranties or support agreements.
Actions: You need to be able to prioritize the vulnerabilities and other security weaknesses that must be addressed immediately, and separate them from those that can be managed with a compensating control, either indefinitely or until a maintenance window allows for patching. Mapping how a potential attack could play out against your industrial environment, including every communication path an adversary could use, lets you prioritize remediation and identify the best next steps.
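The two "Actions" paragraphs above (mapping the inventory against a flaw database, weighting each match by how reachable the asset is, then sorting findings into patch-now versus compensating-control tiers) are illustrated by the following added example. It is not code from the original article or from any vendor product: the asset names, the `EX-000x` flaw identifiers, the severity numbers, the per-zone exposure factors and the triage thresholds are all constructed for illustration and should be replaced with your own inventory, advisory feed and zone model.

```python
"""Added example: map an OT asset inventory against a flaw database, weight each
match by how reachable the asset is, and sort findings into patch-now /
compensating-control / monitor tiers. All identifiers and numbers below are
constructed sample data, not real advisories or a specific vendor's scoring."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str
    vendor: str
    model: str
    firmware: str   # dotted version string, e.g. "2.3.1"
    zone: str       # network zone the asset lives in


@dataclass(frozen=True)
class Flaw:
    flaw_id: str            # placeholder ID (constructed, not a real advisory number)
    vendor: str
    model: str
    fixed_in: str           # first firmware version that is not affected
    severity: float         # 0-10 base severity, CVSS-like
    network_exploitable: bool


@dataclass(frozen=True)
class Finding:
    asset_id: str
    flaw_id: str
    zone: str
    score: float
    action: str


# Exposure factor per zone: how easily an adversary on the IT side reaches it.
# Constructed for illustration; derive yours from your own zone/conduit model.
ZONE_EXPOSURE = {"dmz": 1.0, "scada": 0.8, "control": 0.5, "safety": 0.3}


def parse_version(version: str) -> tuple[int, ...]:
    """'2.3.1' -> (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def affected(asset: Asset, flaw: Flaw) -> bool:
    """Inventory-to-flaw match: same vendor/model and firmware older than the fix."""
    return (asset.vendor == flaw.vendor
            and asset.model == flaw.model
            and parse_version(asset.firmware) < parse_version(flaw.fixed_in))


def exploitability(asset: Asset, flaw: Flaw) -> float:
    """Severity weighted by zone exposure; local-only flaws are discounted further."""
    exposure = ZONE_EXPOSURE.get(asset.zone, 1.0)   # unknown zone: assume worst case
    if not flaw.network_exploitable:
        exposure *= 0.4   # needs local or physical access, so much harder from the IT side
    return round(flaw.severity * exposure, 2)


def triage(score: float) -> str:
    """Turn a score into the decision the text describes: fix now, compensate, or wait."""
    if score >= 7.0:
        return "patch now"
    if score >= 4.0:
        return "compensating control until maintenance window"
    return "monitor"


def assess(assets: list[Asset], flaws: list[Flaw]) -> list[Finding]:
    """Every applicable (asset, flaw) pair, highest exploitability first."""
    findings = [
        Finding(a.asset_id, f.flaw_id, a.zone, exploitability(a, f), triage(exploitability(a, f)))
        for a in assets for f in flaws if affected(a, f)
    ]
    return sorted(findings, key=lambda fnd: fnd.score, reverse=True)


def zone_risk(findings: list[Finding], assets: list[Asset]) -> dict[str, float]:
    """Zone-level view: the worst finding in each zone (0.0 if nothing applies)."""
    risk = {a.zone: 0.0 for a in assets}
    for fnd in findings:
        risk[fnd.zone] = max(risk[fnd.zone], fnd.score)
    return risk


# Constructed sample inventory and flaw list.
SAMPLE_ASSETS = [
    Asset("hist-01", "ExampleVendor", "Historian", "1.4.0", "dmz"),
    Asset("hmi-01", "ExampleVendor", "HMI-200", "5.0.2", "scada"),
    Asset("plc-01", "ExampleVendor", "PLC-1000", "2.1.0", "control"),
    Asset("sis-01", "ExampleVendor", "PLC-1000", "2.4.0", "safety"),  # already on fixed firmware
]
SAMPLE_FLAWS = [
    Flaw("EX-0001", "ExampleVendor", "PLC-1000", "2.3.0", 9.8, True),
    Flaw("EX-0002", "ExampleVendor", "HMI-200", "5.1.0", 6.5, False),
    Flaw("EX-0003", "ExampleVendor", "Historian", "1.5.0", 7.5, True),
]

if __name__ == "__main__":
    for fnd in assess(SAMPLE_ASSETS, SAMPLE_FLAWS):
        print(f"{fnd.asset_id:8} {fnd.flaw_id:8} {fnd.score:5.2f}  {fnd.action}")
    print(zone_risk(assess(SAMPLE_ASSETS, SAMPLE_FLAWS), SAMPLE_ASSETS))
```

On the sample data the historian in the DMZ, carrying a remotely exploitable flaw, lands in "patch now"; the PLC with the most severe flaw of all is deprioritised to a compensating control because it sits two zones deeper, and the HMI flaw that needs local access drops to "monitor". Note that version comparison must be numeric: as strings, "2.10.0" sorts before "2.9.9", which would silently mark patched firmware as vulnerable.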
Reducing risk
The aim of the amendments to the Security of Critical Infrastructure Act 2018 now before parliament is ultimately to reduce the risk to Australia’s critical infrastructure to an acceptable level and to strengthen the industries that are crucial to Australia’s way of life. Once you have understood and prioritized the risks, and the mitigations available for them, you are ready to take the appropriate actions to protect your industrial operations.
Actions: Until a patch can be applied, focus on the vulnerable communication flows and apply additional verification or other compensating controls to that network traffic, for example restricting which hosts, protocols and operations may reach the vulnerable asset. A growing number of industrial cybersecurity professionals are applying a least-privilege model in an OT/ICS context. This entails continuously verifying and authenticating every user, internal or external, along with their location and other context, to decide whether to trust the user, machine or application seeking access. The ability to implement and enforce authentication policies along these lines substantially reduces the risk of actions, unintentional or malicious, that could threaten the safety, reliability or availability of industrial environments. Secure remote access solutions with strict control over sessions provide offsite access to OT environments while minimizing the substantial risks that remote workers introduce.
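The following added example shows what the compensating control described above looks like in practice: an allowlist of zone-to-zone conduits, each limited to a protocol and the function codes it may carry, with an extra restriction on writes to a PLC that is waiting for a firmware fix. It is not code from the original article or from any product. The host names, zones, rules and the flow-log format are constructed for illustration; only the Modbus function-code numbers (1 to 4 for reads, 5, 6, 15 and 16 for writes) come from the Modbus specification.

```python
"""Added example: a least-privilege allowlist for OT communication flows, used as a
compensating control for a vulnerable PLC. Host names, zones, rules and log lines
are constructed for illustration; the Modbus function-code numbers are the standard
ones (1-4 read, 5/6/15/16 write)."""
import re
from dataclasses import dataclass

# Which zone each known host belongs to (constructed inventory).
HOST_ZONE = {
    "hist-01": "dmz",
    "hmi-01": "scada",
    "eng-01": "control",
    "plc-01": "control",
    "vpn-user-7": "remote",
}

MODBUS_READ = frozenset({1, 2, 3, 4})
MODBUS_WRITE = frozenset({5, 6, 15, 16})


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    protocol: str
    functions: frozenset  # function codes this conduit may carry


# Zone-to-zone conduits that are permitted at all; anything not listed is denied.
RULES = [
    Rule("dmz", "control", "modbus", MODBUS_READ),                    # historian only polls
    Rule("scada", "control", "modbus", MODBUS_READ | MODBUS_WRITE),   # operators may write setpoints
    Rule("control", "control", "modbus", MODBUS_READ | MODBUS_WRITE),
]

# Compensating control while plc-01 awaits firmware: writes accepted from eng-01 only.
WRITE_RESTRICTED = {"plc-01": frozenset({"eng-01"})}

# Constructed flow-log format: "<timestamp> <src> -> <dst> <protocol> fc=<function code>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) (?P<proto>\S+) fc=(?P<fc>\d+)$")


def evaluate(line: str) -> tuple[str, str]:
    """Return ("allow"|"deny", reason) for one flow-log line; fails closed."""
    m = LOG_RE.match(line)
    if not m:
        return "deny", "unparseable flow record"
    src, dst, proto, fc = m["src"], m["dst"], m["proto"], int(m["fc"])
    if src not in HOST_ZONE or dst not in HOST_ZONE:
        return "deny", "unknown host; not in asset inventory"
    src_zone, dst_zone = HOST_ZONE[src], HOST_ZONE[dst]
    rule = next((r for r in RULES
                 if r.src_zone == src_zone and r.dst_zone == dst_zone and r.protocol == proto), None)
    if rule is None:
        return "deny", f"no conduit {src_zone}->{dst_zone} for {proto}"
    if fc not in rule.functions:
        return "deny", f"fc={fc} not permitted on {src_zone}->{dst_zone}"
    if fc in MODBUS_WRITE and dst in WRITE_RESTRICTED and src not in WRITE_RESTRICTED[dst]:
        return "deny", f"write to {dst} restricted to {sorted(WRITE_RESTRICTED[dst])} pending patch"
    return "allow", "matches least-privilege policy"


def audit(lines: list[str]) -> list[tuple[str, str, str]]:
    """Evaluate a batch of flow records; returns (line, verdict, reason) per line."""
    return [(line, *evaluate(line)) for line in lines]


# Constructed sample flow records.
SAMPLE_FLOWS = [
    "2021-07-01T10:00:00Z hist-01 -> plc-01 modbus fc=3",      # historian read: fine
    "2021-07-01T10:00:05Z hist-01 -> plc-01 modbus fc=16",     # historian writing: not its job
    "2021-07-01T10:00:09Z hmi-01 -> plc-01 modbus fc=6",       # normally allowed, blocked pending patch
    "2021-07-01T10:00:12Z eng-01 -> plc-01 modbus fc=16",      # engineering workstation write: allowed
    "2021-07-01T10:00:20Z vpn-user-7 -> plc-01 modbus fc=3",   # no conduit from the remote zone
    "2021-07-01T10:00:25Z garbage record",                     # fail closed on junk
]

if __name__ == "__main__":
    for line, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:5}  {reason:55}  {line}")
```

The same policy table can drive a firewall or industrial IDS rule set, or simply be run over exported flow records to find traffic that violates the intended conduits before enforcement is switched on. The important design choices are that unknown hosts, unknown zone pairs and unparseable records are all denied rather than allowed, and that the temporary write restriction is a separate table so it can be removed once plc-01 is patched without touching the baseline rules.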
Recently, the Assistant Minister for Defence, The Hon Andrew Hastie MP, was quoted in a speech: “The effectiveness of our economy depends on the cyber security of our businesses, our research institutions, our critical infrastructure and our essential service providers. It also depends on all Australians feeling confident and secure to be active online. And this is more important than ever before.”
Fortunately, with the ability to create and maintain a current asset inventory, and to understand and prioritize the risks to those assets, you can proactively take steps to protect your industrial environment.