Organizations that leverage operational technology (OT), particularly military and government entities, have been keenly aware of the rising threats to critical infrastructure. OT is foundational to driving operations within the Department of Defense, such as Navy vessels, where maintaining strong security posture is crucial.
Unfortunately, the attack surface is expanding as OT assets become reachable from the internet and from converged IT networks. In fact, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) released an Activity Alert (AA20-205A) earlier this year warning of increased malicious activity targeting critical infrastructure and urging organizations to take immediate action to reduce the exposure of OT assets.
As National Critical Infrastructure Security and Resilience Month just wrapped up, I’m sharing a few key measures for protecting these safety- and mission-critical systems in the era of IT/OT convergence.
Understanding Adversary Motives
Recently, I had the opportunity to speak with Christopher Cleary, the chief information security officer for the Department of the Navy, at Tenable’s virtual user conference, EDGE Week 2020. During our fireside chat, Christopher described Navy vessels as akin to floating cities, full of industrial control systems (ICS) that can be compromised during a successful OT attack. As these OT environments converge with IT, cyber risk becomes a priority concern.
Preventing attacks in these converged environments requires strategic awareness and defenses, including a keen understanding of adversary motives. “We see adversaries, depending on which one, begin to shift from solely looking at traditional IT systems,” Cleary said. “Certain bad guys want to get in to steal money, others may want to steal industrial secrets, but what’s worrisome is when you see the adversary looking to target ICS. It’s concerning because the biggest reason they would want to be there is to degrade those environments from operating, which would impact our ability to execute on our mission, whatever that may be.”
OT attacks differ from traditional IT attacks as the true, underlying motives of OT attacks are often blurred. “Today, it might be someone targeting a power distribution facility, such as what happened in the Ukraine. Nobody really figured out what happened during the time the power was out. Our adversaries may only need the light to go out for a minute to allow special forces to run through a field in the dark,” Cleary explained. “They may not need to take a piece of critical infrastructure of ours down to bare metal, they may just need to turn it off for a little bit. You could drive yourself crazy thinking what an adversary may want to achieve with targeting critical infrastructure.”
With potential motives boundless and an attack surface that now extends from OT to IT, today’s adversaries are able to traverse from one environment to another with relative ease. For this reason, taking a proactive stance in addressing cyber risk is crucial in order to see a threat, predict how it may affect operations and act to address it in real time.
Being proactive means security teams must secure OT by staying on top of the vulnerabilities an adversary can actually exploit to reach critical infrastructure, which are rarely all of the vulnerabilities a scanner reports. Identifying that high-risk subset and moving quickly to remediate it lets teams stay a step ahead of attackers. Such identification is impossible without an accurate inventory, so organizations should start with unified visibility across IT and OT.
Maintaining Visibility Across Converged Environments
I previously served as director of the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS‐CERT), where I saw corporations, civilian agencies and military entities spend millions to billions of dollars in protecting IT infrastructure, with little attention and investment made in OT security. Luckily, organizations are now starting to recognize the importance of also protecting these systems that power our global economy.
A key part of securing converged environments is holistic visibility: an inventory of both IT and OT assets, where they reside, who and what interacts with them (operators, vendors, IT systems) and how exposed each one is, including whether it is reachable from the internet or from the IT network.
In the Navy, for example, visibility is especially critical to securing operations. “There are no two electrical systems in our base that look the same,” Cleary said. “We make sure to consider if we know where all the parts and pieces are, and who we can work with to put it together – often it is the person that built it 20 years ago. … Once every system is identified and their roles are understood, it’s just as important to understand what to prioritize when a fix is needed.”
Security teams must keep tabs on which assets are most critical to operations and use that criticality, alongside exposure, to prioritize vulnerabilities. Ranking findings this way lets teams address the attack vectors most likely to be used against mission-critical systems instead of spending precious time on low-risk vulnerabilities that happen to carry a high severity score.
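The following is an added worked example, not code from the original post, Tenable or the Department of the Navy, showing one way to turn that idea into a ranking: each finding is weighted by the affected asset's mission criticality (agreed with the operations owner) and by its exposure (internet reachable, or an OT asset reachable from the IT network), rather than by severity score alone. The inventory, the finding identifiers and all weights are constructed assumptions for illustration; a real program would feed in its own asset inventory and scan results and tune the factors to its environment.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str                # "IT" or "OT"
    criticality: int         # 1 (low) .. 5 (mission-critical), set with the mission owner
    internet_exposed: bool
    reachable_from_it: bool  # a network path exists from the IT side (converged network)


@dataclass(frozen=True)
class Finding:
    asset: str
    finding_id: str          # placeholder IDs; not real CVEs
    cvss: float
    exploit_available: bool


def exposure_factor(asset: Asset) -> float:
    """How reachable the asset is to an adversary. Weights are illustrative assumptions."""
    factor = 1.0
    if asset.internet_exposed:
        factor += 1.0
    if asset.zone == "OT" and asset.reachable_from_it:
        # An IT-to-OT path is the convergence risk the post describes
        factor += 0.5
    return factor


def priority(asset: Asset, finding: Finding) -> float:
    """Severity scaled by mission criticality and exposure; exploit availability bumps it further."""
    score = finding.cvss * (asset.criticality / 5) * exposure_factor(asset)
    if finding.exploit_available:
        score *= 1.5
    return score


def prioritize(assets, findings):
    """Return (score, asset name, finding id) tuples, highest priority first."""
    by_name = {a.name: a for a in assets}
    ranked = []
    for f in findings:
        asset = by_name.get(f.asset)
        if asset is None:
            # A finding on an asset missing from the inventory is a visibility gap;
            # surface it rather than silently scoring it as unimportant.
            raise KeyError(f"finding {f.finding_id} references unknown asset {f.asset!r}")
        ranked.append((priority(asset, f), asset.name, f.finding_id))
    return sorted(ranked, key=lambda r: r[0], reverse=True)


# Constructed sample inventory and scan results (assumptions, not real data)
ASSETS = [
    Asset("vessel-hvac-plc", "OT", criticality=5, internet_exposed=False, reachable_from_it=True),
    Asset("hr-web", "IT", criticality=2, internet_exposed=True, reachable_from_it=True),
    Asset("eng-workstation", "IT", criticality=3, internet_exposed=False, reachable_from_it=True),
]

FINDINGS = [
    Finding("vessel-hvac-plc", "F-001", cvss=7.5, exploit_available=True),
    Finding("hr-web", "F-002", cvss=9.8, exploit_available=True),
    Finding("eng-workstation", "F-003", cvss=9.1, exploit_available=False),
    Finding("vessel-hvac-plc", "F-004", cvss=4.3, exploit_available=False),
]


if __name__ == "__main__":
    for score, name, fid in prioritize(ASSETS, FINDINGS):
        print(f"{score:6.2f}  {name:18}  {fid}")
```

With these inputs the 7.5-rated finding on the mission-critical PLC ranks above the 9.8-rated finding on the HR web server, and even the PLC's 4.3-rated finding outranks the 9.1 on an engineering workstation; sorting by CVSS alone would put the PLC third and fourth. The weights themselves matter less than the practice of recording criticality and exposure per asset so that the ranking reflects mission impact.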
Communicating Cyber Risk
Security leaders are now tasked with understanding the full scope of cyber risk in order to communicate to mission owners how a potential attack could directly affect operations. Without counterparts on the operations side on board with tackling cyber risk, it is difficult to improve an organization’s security posture. For this reason, security leaders must translate cyber risk into a common language that conveys the ripple effects of a cyber threat, in monetary loss as well as mission failure. “At my level it’s about trying to articulate the risk and the interdependencies of all of it, how I can present that risk and how we can look at ways of mitigating that risk,” Cleary said.
As adversaries set their sights on vulnerable OT, more organizations are taking a proactive stance: anticipating adversary motives and reducing their exposure. Organizations that operate critical infrastructure, especially military entities, must maintain full visibility across IT/OT environments, prioritize the vulnerabilities that put critical assets at risk and communicate cyber risk to mission owners in order to improve security posture in converged environments. Taking these steps allows security teams to reduce the likelihood and impact of interruptions to mission-critical operations.