Companies across industry lines are highly interconnected today, and the critical infrastructure (CI) industries (think power, oil and gas, healthcare, mass transportation and water utilities) are no exception. A proliferation of Internet-of-Things (IoT) devices has made these organizations increasingly connected to the outside world. Reliance on cloud services from third-party vendors, and on in-house software and services built on the platforms of the major cloud service providers, is also rising in CI. "This represents a significant shift for such organizations which have traditionally relied on isolation via air-gapped networks. Connectivity in general is great, but in the CI space it comes with significant newer threat vectors to which these industries were previously not exposed," says Krishna Chaitanya Tata, a senior operational technology (OT) cybersecurity architect with IBM.

How Prepared Are Organizations For Imminent Cyber Threats In Critical Infrastructure (image: Pixabay)

Compounding this paradigm shift is the volatile geopolitics of current times. Recent cyberattacks on the Ukrainian transportation and logistics industry, on the Danish state railways' networks, and the Colonial Pipeline ransomware attack are just small samples of the alarming frequency with which CI industries are being targeted. "In most of these cases, the hackers are associated with rival nation states or are independent rogue actors loosely associated with a rival nation. The Center for Strategic and International Studies (CSIS) keeps a list of such major cyber incidents, which I encourage everyone to familiarize themselves with," explains Krishna. Cyber warfare is a reality, and the problem will only compound in the future.

Disruption of essential services is a major motivator for cyber-attacks on CI industries

CI industries share certain commonalities and unique characteristics, such as a heavy emphasis on 'zero downtime' for their networks, which constrains how cybersecurity controls can be applied. These characteristics make them prime targets for cyberattacks on critical infrastructure, explains Krishna; they are outlined below.

The Purdue reference model, a hierarchical reference architecture for industrial automation and control systems, is still the gold standard for network segmentation in CI. It worked well for decades, until the proliferation of IoT devices and cloud services. These devices, sensors and services cannot be neatly slotted into the logical levels of the Purdue model, and they can communicate with the cloud or even the internet from anywhere in the network.

The much-dreaded legacy devices are also ubiquitous in the networks of CI industries. These include Distributed Control Systems (DCS), Programmable Logic Controllers (PLCs) and Supervisory Control and Data Acquisition (SCADA) systems. They are often old, past their vendor support period, and running proprietary firmware that speaks proprietary protocols. "Upgrading or hardening them could have unintended consequences and is rarely undertaken, given the high premium placed on zero downtime," Krishna further says.

In addition, risk management as a function is almost non-existent in these organizations as it relates to cybersecurity. The reality that cybersecurity threats can result in shutdowns of physical processes is not well understood or addressed. Using authoritative frameworks such as those from NIST (for example SP 800-82) or ISA/IEC (62443) to assess cybersecurity controls is also uncommon.

All these characteristics and gaps within the CI industries are exploited by adversaries to gain access to control networks and disrupt essential services.

A comprehensive cybersecurity program to improve security preparedness is needed in CI

Krishna comments, "It is almost impossible to undo the blurring of lines between corporate and industrial control networks. Interconnectedness will only grow, with the proliferation of IoT and cloud. There are, however, best practice initiatives that can be undertaken to mitigate the risk." Some of these are described below.

Comprehensive OT security programs covering all domains of cybersecurity, such as access control, network security, data security, and device build and hardening, are needed. Threat modeling is of extreme importance within the CI industries to deal with all potential threat vectors that adversaries can use to gain access to networks. "The threat vectors keep changing rapidly as the organizations themselves change, and so the threat modeling needs to be performed periodically to be relevant," stresses Krishna.

Periodic risk assessments of all IoT devices, access points and third-party services must be conducted on a component-by-component basis to identify and quantify risk and to put remediation actions in place.

Securing industrial control networks shouldn't just involve perimeter security, but a whole range of security controls that the security program must implement, including lateral segmentation, possibly micro-segmentation, device-level hardening, and device access control. Special controls must be in place for IoT devices as well. Of course, a thorough risk assessment and/or a controls-based assessment drawn from authoritative frameworks such as NIST or ISA/IEC is highly recommended.

The program must be effectively backed by a governance structure that proactively addresses security as a critical function within the organization. Without full executive backing and dedicated resources, any programs will likely not yield the desired outcomes.

Lastly, Krishna emphasizes that though the Purdue reference model will continue to be foundational, a more evolved, hybrid model must be adopted, one that accounts for IoT devices and third-party services that do not follow the model's logical swimlanes. Mapping data flows, including API calls within and beyond the network, is critical to an effective segmentation strategy.
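The two Purdue points above (IoT and cloud traffic that does not respect the model's levels, and data-flow mapping as the basis for segmentation) can be turned into a concrete check. The script below is an added example, not code from the article, from Krishna Chaitanya Tata or from IBM. It assumes a hypothetical asset inventory that tags each host with a Purdue level, a constructed flow log in a simple CSV form (timestamp, source, destination, destination port, protocol), and a policy that is one common reading of the Purdue model rather than a rule the article states: control-zone hosts (levels 0 to 3) must never reach the internet directly, control-to-enterprise traffic (levels 4 and 5) must be brokered through the level 3.5 industrial DMZ, and any internal address that is not in the inventory is flagged for review as possible shadow IoT.

```python
"""Purdue-zone flow audit over constructed flow records (added example)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Hypothetical asset inventory: address -> (name, Purdue level).
# Levels 0-3 form the control zone, 3.5 the industrial DMZ, 4-5 the enterprise zone.
ASSETS = {
    "10.10.1.10": ("plc-boiler-01", 1),
    "10.10.1.11": ("plc-pump-02", 1),
    "10.10.2.20": ("hmi-ops-01", 2),
    "10.10.3.30": ("historian-01", 3),
    "10.10.35.5": ("dmz-historian-replica", 3.5),
    "10.10.35.6": ("dmz-jump-host", 3.5),
    "10.20.4.40": ("erp-app-01", 4),
    "10.20.5.50": ("laptop-eng-07", 5),
}

# Address space the organization owns (assumed); anything else is the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow log: timestamp,src,dst,dport,proto, one record per line.
SAMPLE_FLOWS = """\
2024-03-01T10:00:01Z,10.10.2.20,10.10.1.10,502,tcp
2024-03-01T10:00:02Z,10.10.3.30,10.10.35.5,1433,tcp
2024-03-01T10:00:03Z,10.20.4.40,10.10.35.5,1433,tcp
2024-03-01T10:00:04Z,10.20.5.50,10.10.1.11,502,tcp
2024-03-01T10:00:05Z,10.10.3.30,203.0.113.10,443,tcp
2024-03-01T10:00:06Z,10.10.1.77,203.0.113.25,8883,tcp
"""


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text):
    """Parse the CSV flow log into Flow records, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split(",")
        flows.append(Flow(ts, src, dst, int(dport), proto))
    return flows


def zone_of(ip):
    """Map an address to a zone: control, dmz, enterprise, internet or unknown."""
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in INTERNAL_NETS):
        return "internet"
    entry = ASSETS.get(ip)
    if entry is None:
        return "unknown"  # inside our address space but not inventoried
    level = entry[1]
    if level == 3.5:
        return "dmz"
    return "control" if level <= 3 else "enterprise"


def evaluate(flow):
    """Return (verdict, reason) for one flow under the assumed Purdue-style policy."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    zones = {src_zone, dst_zone}
    if "unknown" in zones:
        return "review", "uninventoried asset (possible shadow IoT)"
    if zones == {"control", "internet"}:
        return "violation", "control zone reaches the internet directly"
    if zones == {"control", "enterprise"}:
        return "violation", "control/enterprise flow bypasses the industrial DMZ"
    return "allowed", f"{src_zone}->{dst_zone}"


def audit(text):
    """Evaluate every flow in the log; returns a list of result dicts."""
    results = []
    for flow in parse_flows(text):
        verdict, reason = evaluate(flow)
        results.append({"flow": flow, "verdict": verdict, "reason": reason})
    return results


def summarize(results):
    """Count verdicts, e.g. {'allowed': 3, 'violation': 2, 'review': 1}."""
    return dict(Counter(r["verdict"] for r in results))


if __name__ == "__main__":
    findings = audit(SAMPLE_FLOWS)
    for r in findings:
        f = r["flow"]
        print(f"{r['verdict']:9} {f.src}->{f.dst}:{f.dport}/{f.proto}  {r['reason']}")
    print(summarize(findings))
```

In the constructed log, the HMI-to-PLC Modbus session and the two historian replications through the DMZ pass, the engineering laptop talking straight to a PLC and the historian calling out to the internet are violations, and the uninventoried 10.10.1.77 publishing MQTT to a cloud endpoint is exactly the kind of IoT flow the text says the classic model cannot place. Feeding real NetFlow or firewall logs through the same policy is one way to produce the data-flow map the segmentation strategy depends on.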

A former US Secretary of Defense once cautioned nations about an impending 'cyber Pearl Harbor' that could cripple nations' economies and essential services. Those words have quite literally become a lived reality. The US Cybersecurity and Infrastructure Security Agency (CISA) routinely issues advisories, news articles and guidelines regarding cyber warfare. How seriously organizations within CI prioritize OT cybersecurity, and act accordingly, will ultimately determine how well they are positioned for the future.