A CISO at a power plant that generates electricity faces specific challenges and "gotchas" in securing critical infrastructure.
Here are some key operational technology (OT) considerations for power plant CISOs:
Industrial Control Systems (ICS) Security
Power plants rely on complex industrial control systems to manage and control their operations. These systems are often interconnected and frequently run on legacy technology, which makes them vulnerable to cyber threats. In addition, the drive to further digitize operations is causing fairly rapid adoption of digital technologies and opening up OT networks to attack from the Internet. The CISO must ensure that robust security measures, such as network segmentation, intrusion detection systems, and access controls, are implemented to protect the ICS environment.
In 2021, approximately 90 percent of manufacturing organizations had their production or energy supply hit by some form of cyberattack (The State of Industrial Security in 2022, Barracuda).
Enhancing operational technology (OT) cybersecurity
Enhancing OT cybersecurity is challenging for power plant CISOs because it presents barriers in multiple areas: technical (such as legacy systems and remote-access solutions), operational (such as deciding which parts of the process the IT and OT teams own), and investment (such as a shortage of people with the required skill set). However, according to McKinsey, as the world becomes more digital, industrial organizations are making progress in securing OT environments by following three key principles:
- Strengthening technological foundations. Organizations are securing OT environments with proper access control and standardized security controls built on current technology.
- Assigning clear responsibilities. Clarifying role responsibilities for OT and IT teams, along with external partners, enables a quick response to cyber incidents.
- Increasing risk-aware capabilities and mindsets. By applying the proper incentives, organizations can proactively involve all stakeholders.
Effects of cyberattacks on OT environments
Power plant CISOs have to watch for OT cyberattacks, which tend to have more severe consequences than attacks on IT, because they can have physical effects (for example, shutdowns, outages, leakages, and explosions). Of 64 OT cyberattacks publicly reported in 2021 (an increase of 140 percent over the number reported in 2020), approximately 35 percent had physical consequences, and the estimated damages were $140 million per incident. Geopolitical risks in 2022 resulted in an 87 percent increase in ransomware incidents; 72 percent of that increase over the 2021 figures came from Europe and North America (North America accounted for 40 percent of the increase, Europe for 32 percent, and other regions for 28 percent).
Cyberattackers often use ransomware and poorly secured third-party connections to hijack OT devices, which can halt production and operations. Industrial organizations typically face the following technical and operational challenges when trying to protect against such attacks:
- legacy systems, which can be 30 or more years old, with old vulnerabilities and limited security controls (for example, attackers can compromise unpatched Windows Server 2008 hosts using a specially crafted font to execute malicious code)
- limited ability to implement security controls on legacy OT devices supplied before cybersecurity became an issue and managed by OEMs (for example, sensors installed on valves and connected to a network without internal hardening procedures)
- third-party remote connections to control OT devices connected to an internal network (for example, attackers can strike a vendor-created network and use it to infect other devices)
- unclear ownership between OT and IT teams that makes it difficult to centralize, manage, and govern OT cyber operations (for example, integrating manufacturing execution systems with enterprise resource planning without a Purdue-model Level 3.5 demilitarized zone between them)
- a tension between risk awareness and risk tolerance that creates competing business priorities for OT decision makers, who must choose between increasing productivity and securing devices (for example, increased production versus patch management that could interrupt operations)
- a shortage of people who combine cybersecurity skills with automation-control-system-specific experience (for example, an expert in OT cybersecurity who lacks automation and process expertise)
- business, operational, and technical restrictions that mean a continuous process may run for three years before a planned shutdown, which limits the ability of OT teams to patch devices and implement time-sensitive solutions (for example, stopping an energy supply to update an operational server with a security patch)
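The network-segmentation control from the ICS section and two of the challenges above (third-party remote connections reaching into the plant network, and MES/ERP integration without a Level 3.5 DMZ) can be checked mechanically against exported flow records. The script below is an added example, not code from the original article or from McKinsey or Barracuda; the Purdue-level address ranges, the policy table and the flow records are all constructed for illustration and do not describe any real plant.

```python
"""Audit network flow records against a Purdue-model segmentation policy.

Added example. Zone addressing, policy and flow records are hypothetical.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Hypothetical zone addressing (assumption for this example, not a real plant).
ZONES = {
    "L1 controllers":   ipaddress.ip_network("10.1.0.0/16"),
    "L2 HMI/SCADA":     ipaddress.ip_network("10.2.0.0/16"),
    "L3 MES/historian": ipaddress.ip_network("10.3.0.0/16"),
    "L3.5 DMZ":         ipaddress.ip_network("10.35.0.0/16"),
    "L4 ERP/IT":        ipaddress.ip_network("10.4.0.0/16"),
}
# Anything outside the ranges above (Internet, vendor VPN pools) is treated as external.
EXTERNAL = "L5 external"

# A flow may stay inside one zone or cross exactly one boundary between neighbours
# in this order. L3 <-> L4 is deliberately not a neighbour pair: MES/ERP traffic
# must hop via the L3.5 DMZ. External hosts may only reach L4; vendor remote
# access then has to jump through the DMZ like everyone else.
ORDER = ["L1 controllers", "L2 HMI/SCADA", "L3 MES/historian",
         "L3.5 DMZ", "L4 ERP/IT", EXTERNAL]
ALLOWED_PAIRS = {frozenset(ORDER[i:i + 2]) for i in range(len(ORDER) - 1)}


def zone_of(ip: str) -> str:
    """Map an address to its Purdue zone; unknown ranges count as external."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return EXTERNAL


def check_flow(src: str, dst: str) -> Optional[str]:
    """Return a reason string if the flow violates the policy, else None."""
    zs, zd = zone_of(src), zone_of(dst)
    if zs == zd or frozenset((zs, zd)) in ALLOWED_PAIRS:
        return None
    if zs == EXTERNAL or zd == EXTERNAL:
        inside = zd if zs == EXTERNAL else zs
        return f"external host talks directly to {inside} (bypasses DMZ)"
    return f"{zs} <-> {zd} skips a level boundary (no L3.5 DMZ hop)"


def audit(flow_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Parse 'timestamp,src,dst,dport,proto' records; return (record, reason) per violation."""
    findings = []
    for line in flow_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, src, dst, _dport, _proto = line.split(",")
        reason = check_flow(src, dst)
        if reason:
            findings.append((line, reason))
    return findings


# Constructed flow records, not captured traffic.
SAMPLE_FLOWS = """\
# constructed sample: ts,src,dst,dport,proto
2024-05-01T08:00:01Z,10.4.10.5,10.35.0.8,443,tcp
2024-05-01T08:00:02Z,10.35.0.8,10.3.0.20,1433,tcp
2024-05-01T08:00:03Z,10.4.10.5,10.3.0.20,1433,tcp
2024-05-01T08:00:04Z,203.0.113.7,10.2.0.15,3389,tcp
2024-05-01T08:00:05Z,10.2.0.15,10.1.0.40,502,tcp
2024-05-01T08:00:06Z,10.4.10.9,10.1.0.40,502,tcp
""".splitlines()

if __name__ == "__main__":
    for record, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {record}: {reason}")
```

Run against the sample, the first two records (ERP to DMZ, DMZ to MES) pass, while the direct ERP-to-MES database connection, the external host opening RDP to an HMI, and the enterprise host speaking Modbus to a controller are each reported. In practice the zone table would be generated from the firewall's object definitions and the records fed from a flow exporter or the segmentation firewall's logs; the policy itself stays this small because the Purdue model only permits traffic between adjacent levels.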
More issues that power plant CISOs need to contend with are listed here: https://newsroom.trendmicro.com/2022-06-02-Cyber-Attacks-on-Industrial-Assets-Cost-Firms-Millions