The idea of cyber-attacks causing severe physical damage to power plants and oil refineries is no longer a hypothetical for the screenplays; in today’s world, it’s the subject of real news headlines.Cyber attackers are targeting energy and oil and gas organisations like never before, and the need for better industrial cybersecurity is real.
In a recent Tripwire survey, 70% of security professionals in the energy industry said they are concerned that a successful cyberattack could cause a catastrophic failure, such as an explosion, says Tim Erlin is VP of Product Management & Strategy at Tripwire.
In the past, energy organisations and other industrial operators only had to worry about physical security. Now that most industrial control systems (ICS) are connected to the Internet, the energy industry needs to pay attention to new cyber threats. We commonly hear about hackers breaking into computer systems to steal data, typically for financial gain. With critical infrastructure, however, cyberattacks can disrupt critical operations, damage physical equipment and even cause loss of life. We’re seeing more and more real-life examples of this.
In a recent historical moment, the FBI and Department of Homeland Security issued a joint report describing a massive Russian hacking campaign to infiltrate America’s critical infrastructure. In a first, the US government publicly blamed Russia’s government for attacks on energy infrastructure.
We’ve also seen discoveries like Triton (aka Trisis), which shut down a Saudi petrochemical plant last year and is believed to have been designed to cause an explosion. Six months before that came Industroyer, modular malware which can take down ICS systems by speaking to industrial communication protocols and deploying wiper malware.
Responding to the threat
In Tripwire’s survey of security professionals in the energy industry, 59% said their companies increased security investments because of ICS-targeted attacks like Trisis/Triton, Industroyer/CrashOverride and Stuxnet. However, many feel they still don’t have the proper level of investment to meet ICS security goals.
More than half (56% ) of respondents to Tripwire’s survey felt it would take a significant attack to get their companies to invest in security properly. This may be why just 35% of participants are taking a multilayered approach to ICS security – widely recognised as a best practice. 34% said they were focusing primarily on network security and 14% on ICS device security.
The other challenge in industrial cybersecurity is organisational: the longstanding divide between information technology (IT) and operational technology (OT) teams. According to the Tripwire survey, however, 73% of participants said that their IT and OT teams are working better together now than compared to the past.
Organisations are realising they have no choice but to get their teams to work together as the threat of attack continues to rise. In the survey, IT and OT teams were aligned on what could happen if they don’t get industrial security right, such as operational shutdown and the safety of their employees.
While collaboration is certainly improving, most of our survey respondents suggested that IT still leads the initiative. When asked whether IT or OT teams were taking the lead on ICS security needs, 50% of total participants said IT, 35% said its evenly shared between IT and OT and 15% said OT.
It’s not surprising to see IT teams taking the lead, as they typically have more history with cybersecurity. The digital threat is relatively new for the OT side of the house. That said, operational environments are very different from IT environments, and successful converged teams let their OT counterparts lead when they have the expertise. Partnership from the OT team is absolutely crucial in implementing an ICS security program that won’t disrupt operations.
A three-step approach for building defense-in-depth:
While not as easy as 1-2-3, organisations can approach industrial cybersecurity in three steps:
First, secure the network. Organisations should segment networks by implementing the ISA IEC 62443 standard, secure all wireless applications, and deploy secure remote access solutions for troubleshooting and problem-solving. Companies should also monitor their networks including industrial network infrastructure equipment.
Second, secure the endpoints. This can start with investing in asset discovery and creating an inventory of endpoints on the network. Organisations must then ensure endpoints are securely configured and monitored for changes.
Third, secure the controllers. Companies can better protect ICS by enhancing detection capabilities and network visibility by implementing security measures for vulnerable controllers, monitoring for suspicious access and change control, and detecting/containing threats in a timely manner.
The physical and digital worlds continue to converge, bringing along new opportunities for better productivity and optimised operations. It’s important, however, to integrate security into the digital transformation journey to protect critical infrastructure from new digital threats.