In February 2020, a ransomware attack shut down a US natural gas compressor station for two days. A month later, another accessed schematics and drawings related to two power plants in Missouri, as well as data from a coronavirus testing centre maintained by Hammersmith Medicines Research in the UK. These breaches highlight the need for critical national infrastructure to be cyber secure. In our experience, there are six steps to protecting operational technology (OT):
You can’t protect what you don’t know you have. You need to establish effective asset management and collate up-to-date inventory databases of installed hardware and software. Together, these will inform risk management practices, such as patching, when new vulnerabilities arise.
It’s essential to maintain robust network segregation between IT and OT. Malicious software such as IT-targeting ransomware can have an operational impact if it can access IT-type devices on an OT network. Increasing use of IT to support operations means the boundary between IT and OT is becoming blurred, often resulting in a loss of physical segregation. That means maintaining logical segregation is critically important.
Segregation options include technical or logical solutions such as firewalls, data diodes, step-down servers, de-militarised zones and uni-directional gateways. It’s a question of understanding the rationale that’s driving the connectivity and implementing an appropriate solution to provide the required information while protecting the operational services.
The attack on the US natural gas compressor station happened because a member of staff clicked on a link in a spear phishing email. This emphasises the need to maintain security awareness to augment technical and preventative network controls. So, assess what training each of your people needs to build a positive security culture. For example, we have a portable demonstrator that we use with clients to increase awareness of OT cyber security risks by simulating phishing attacks.
Patching is a challenging subject for operational networks with limited maintenance time and complex safety or change processes. But the principle of knowing what patches are available for the devices on your operational networks, and what vulnerabilities those patches address, is crucial. This allows for a risk-based assessment that produces a prioritised patch list you can implement on an opportunistic or planned basis. In many cases, simply knowing about a vulnerability and comparing it against your inventory databases makes it possible to deploy alternative mitigations, such as virtual patching on boundary devices or temporary segregation, until the patch can be applied.
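As an added example (not code from the original article), the cross-referencing described above in Python: a constructed asset inventory is joined with constructed vendor advisories (placeholder ADV- references, not real CVEs), each hit is scored by severity, asset criticality and reachability from the IT side, and is assigned either a patch action for the next maintenance window or an interim mitigation when the asset is safety-related or the window is too far away. The scoring weights and the 30-day threshold are assumptions for illustration.

```python
"""Risk-based OT patch prioritisation from inventory + advisories (constructed data)."""
from dataclasses import dataclass


@dataclass
class Asset:
    asset_id: str
    product: str
    version: str
    criticality: int        # 1 (low) .. 5 (safety-related)
    next_window_days: int   # days until the next maintenance window


@dataclass
class Advisory:
    ref: str                # placeholder identifier, not a real CVE
    product: str
    affected_max: str       # highest affected version (inclusive)
    fixed_in: str
    cvss: float
    reachable_from_it: bool # exploitable across the IT/OT boundary?


def ver(v: str) -> tuple:
    """Turn '7.0.4' into (7, 0, 4) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def affected(asset: Asset, adv: Advisory) -> bool:
    return asset.product == adv.product and ver(asset.version) <= ver(adv.affected_max)


def plan(assets, advisories) -> list:
    """Return hits sorted by descending risk score with a recommended action."""
    items = []
    for a in assets:
        for adv in advisories:
            if not affected(a, adv):
                continue
            # Assumed weighting: CVSS x criticality, doubled if reachable from IT.
            score = adv.cvss * a.criticality * (2 if adv.reachable_from_it else 1)
            if a.criticality >= 4 or a.next_window_days > 30:
                action = "interim: virtual patch at boundary / temporary segregation; patch at planned outage"
            else:
                action = f"patch to {adv.fixed_in} at next window ({a.next_window_days}d)"
            items.append({"asset": a.asset_id, "advisory": adv.ref,
                          "score": round(score, 1), "action": action})
    return sorted(items, key=lambda i: i["score"], reverse=True)


# Constructed sample data: one safety PLC, one HMI and one historian.
INVENTORY = [Asset("PLC-01", "AcmePLC", "2.3.1", 5, 90),
             Asset("HMI-02", "ViewStation", "7.0.4", 3, 10),
             Asset("HIST-03", "ViewStation", "7.1.0", 2, 10)]
ADVISORIES = [Advisory("ADV-0001", "AcmePLC", "2.4.0", "2.4.1", 9.8, True),
              Advisory("ADV-0002", "ViewStation", "7.0.9", "7.1.0", 7.5, False)]

if __name__ == "__main__":
    for item in plan(INVENTORY, ADVISORIES):
        print(item)
```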
Reliable, proven backups are essential to cyber resilience. If technical and procedural backups aren’t fit for purpose, regularly tested and secure, you could face financial, regulatory and reputational impacts as it will take longer to recover from incidents. So, create a process and regularly test backups for integrity so you can quickly recover systems.
Response planning tends to focus on physical disruption. As a result, there’s usually only a limited pre-planned response to cyber-attacks, and a severe lack of awareness about their potential impacts. There must be a tested incident response plan, informed by the OT security risks, that’s kept up to date to ensure recovery from an incident is as effective as possible.
The stakes are high. A cyber-attack on OT networks and systems can have devastating safety, financial, regulatory and reputational consequences. Advanced planning and preparation, and the continual assessment and assurance of security controls, can significantly reduce the impact of a successful cyber security attack and accelerate recovery.