Building cyber risk resilient facilities
KPN European Cyber Risk Perspectives
Dana Spataru, EMEA IoT Security Team Leader at Deloitte, contributed to the KPN European Cyber Risk Perspectives report with an article on building cyber resilient facilities. Even though having a large price tag, being protected against cyber threats brings operational and commercial benefits.
By Dana Spataru
ICS Security: so much more than protection
Of course, infrastructure and production facilities need to be protected against the growing danger of external cyber threats. And that protection has a price tag. But smart, cyber-resilient facilities bring operational and commercial benefits, too! Compare it to your car: if you know your brakes work, you can drive faster.
We’ve all read the headlines about ransomware like WannaCry and NotPetya spreading chaos and panic from energy companies in one country to port facilities in another. Attacks often launched by nation states with money to burn and time on their side. But apparently, this threat alone is not enough to spur potential targets into action. Why?
The people responsible for an organisation’s operating technology (OT) are generally engineers who have worked for years or even decades developing their machines and tools. They know their tools, and believe they have visibility on all the risks. Having been trained to focus on commercial aspects like costs of operation and maintenance, they tend to shrug at doom-and-gloom stories about cyber threats.
Lack of awareness
The complacency on the OT side of the organisation is partly a lack of awareness. Engineers tend to believe their facilities are safe from external threats because they’re isolated from the internet. But that is a myth! An air gap between the OT systems and the rest of the IT domain is a good idea, but it is no failsafe solution. Third-party tools are regularly maintained remotely, or by external consultants who come in and physically connect their own laptops or USBs to the tools, either way exposing the OT systems to infection from the outside. The organisation’s own employees may use their laptops to read out or fix computerised OT components. Whatever they say to the contrary, or however they insist that their laptop security is fully up to date, this opens a back door to intruders.
In today’s large organisations, IT is an activity with its own department and own staff, headed by the CIO, while operational activities and staff are headed by the COO. This confirms an artificial divide in the way we think of these activities. IT and OT are in fact not separate domains. All operations these days involve IT. IT risks are overwhelmingly OT risks. A major step towards understanding all these risks is mapping them out in relation to each other. As part of the bigger picture, each of them makes more sense.
This mindset should also be reflected in the workforce. Ideally, an organisation needs engineers with IT security knowhow, and IT staff with operating technology knowhow. This is not the case now, and closing that skills gap is a long-term project. Meanwhile, as long as OT and IT remain ensconced in their respective silos, they will never understand what the other side is trying to tell them. For example, when IT specialists see a security threat in a 25-year-old OT component, they will simply call for its replacement. The engineers will tap their foreheads at this ivory tower solution: replacing this crucial component would mean rebuilding the whole system from scratch, which would cost enough to bankrupt the organisation. And that’s where the discussion ends. But IT staff can’t be blamed for not knowing: they’re often overstretched and lack insight into the nuts and bolts of the dozens or hundreds of facilities that they service.
Learning to listen
If both OT and IT learn to listen, however, they can devise solutions that work. Engineers need to take warnings from IT about unperceived threats more seriously. IT staff, in their turn, must take more account of commercial concerns, and make more of an effort to “sell” their solutions by highlighting the commercial advantages. They must also accept that in an OT environment, eliminating risks altogether is not always feasible. What they can do is mitigate risks through close monitoring, early detection and swift response protocols. Imagine you have a diamond kept in a room with one door that you cannot lock. There are still ways to keep it relatively safe, like installing an alarm on the door, and sending in guards the moment it goes off.
Patches versus real solutions
The good news is that more and more organisations are addressing cyber security issues relating to their ICS systems, sometimes following incidents such as ransomware attacks. The solutions chosen, however, are often short-term patches, which don’t address the fundamental cause of the problem. Ultimately, it’s not only smarter, but in many cases cheaper, to adopt a more holistic approach, looking at the overall risk and strategic objectives in the medium to long term. In our times, organisations are on the brink of transitioning into the digital era. The time can be right for a fully-fledged digital transition roadmap. One that will – obviously! – also include cyber resilience.
If an agile approach is chosen, the first steps can be taken quickly, and these will address the most urgent deficiencies - the very ones that the organisation was tempted to simply patch. The difference is that by also looking at causes and effects, the organisation can avoid patching the same thing over and over, or patching components that may not be so relevant in the future. Insight makes actions more targeted and effective. And ultimately less expensive.
Cyber security versus cyber resilience
Going forward, just as our own technology advances, cyber attacks will also become increasingly sophisticated. And given that the aggressors typically have unlimited resources and lots of time, we can safely assume that if they are determined to gain access to an organisation’s OT systems, they will get in. Absolute cyber security may not be a viable option for the OT space, but cyber resilience is. Robust foundations paired with early detection and response is where our focus should be.
Carrot versus stick
The key to making progress in this area is gaining the trust and cooperation of the OT-organization. As said, scary stories about cyberattacks do not impress engineers. What does make them sit up and take notice is smart, IT-based technology that will actually save them time and money. For example sensors that collect real-time data on the tools and signal when maintenance is needed. Or ones that monitor a process and optimise the flow of feedstock. These are technologies that engineers are eager to buy into. And this is only the beginning of what the Internet of Things will bring us.
Engineers will be sensitive to the argument that a safe environment provides the freedom to explore the massive opportunities of IoT. They will be more than willing to make their operating environment resilient to cyber threats, not because it’s such a dark world out there, but because it’s such a bright world. With reliable brakes on their car, they can confidently speed into the future.
Would you like to know more about increasing your organizations' cyber resilience? Please contact Dana Spataru or Jelle Niemantsverdriet through the contact information details below.