Although news about IT cybersecurity in developed nations has been on the grim side for years, the Identity Theft Resource Center in San Diego ominously believes that 2023 is on pace to beat the data breach record set two years ago. According to IBM, the overall cost of a breach in 2023 was estimated at $4.45m globally, a metric that has increased 15% over the past three years.
With specific advice for the manufacturing sector, Verizon’s venerable “Data Breach Incident Report” notes that manufacturers and suppliers have been the target of numerous denial-of-service attacks, leading it to warn the industry not to underestimate the ability of these attacks to disrupt deadlines. Similarly, cybersecurity firm Dragos says attacks on manufacturing plants increased by over 100% from 2021 to 2022. This swamp of depressing reports is getting attention from senior executives: Gartner reports that two-thirds of all businesses polled indicated plans to increase their technology investments in 2023.
Even so, the important could be eclipsed by the urgent. Operational technology (OT), the rarely publicized cousin of IT networks, is a key profit driver for many companies. Often beyond public awareness, OT networks are used in manufacturing, energy production, power distribution, water and waste-water treatment, transportation, healthcare, building automation, and others. But, after years of being the sleepy backwater of mainline networks, OT has been targeted with destructive intent by adversarial nations and criminal syndicates.
What are Common OT Characteristics and Applications?
The differences between OT and IT cybersecurity are many. IT is considered a business network because it primarily transmits communicative data (think words). OT shares values and sensor data among automated devices, comprised of devices and software, often embedded, and designed, to monitor and regulate processes. For instance, industrial control systems (ICS) are common and used in automation at the intersections of manufacturing, process management, and transport. Distributed control systems (DCS) are a subset of ICS, used to control discrete processes or continuous manufacturing.
Supervisory control and data acquisition (SCADA) systems process data to facilitate network monitoring, analysis, and control. SCADA systems are often used in electric transmission, water flows, and railways. Programmable logic controllers (PLC) are industrial computers used in ICS, DCS, and SCADA systems, adapted to rugged environments where high reliability, programmability, and fault diagnosis are needed.
Industrial Internet of Things (IIoT) devices are less known than their consumer counterpart, Internet of Things (IoT) devices. IIoT tech usually operates over wireless networks, making them frequently subject to security scrutiny. Their use is rapidly building, with projected investment doubling between 2019 and 2025.
It is agreed that OT networks require different security skills and methods to cope with their unique malware threats. The Cybersecurity and Infrastructure Security Agency’s (CISA) OT cybersecurity advisories have reportedly increased by almost 150% since 2020, yet despite this, successful attacks against OT networks are much fewer than in the IT space. An OT network can also be negatively affected by an attack on its companion IT business network. If the IT network is suddenly encrypted, the OT network might have to slow or stop if the IT side is unable to determine what is being refined, produced, transported, or distributed. This is largely what happened in the Colonial Pipeline attack.
Are OT Attacks a Thing?
Reported OT network cyberattacks have included the Stuxnet virus attack on Iranian nuclear centrifuges, the Trises malware used in the 2012 attack on ARAMCO in Saudi Arabia, and Russia’s cyber-attacks on Ukrainian electric infrastructure in 2014, 2016, and again in 2022.
In late July of 2023, the North American Electric Reliability Corp (NERC) warned the House Committee on Energy and Commerce that China’s threat to the nation’s grid is growing, saying “Chinese activities are alarming,” particularly their ability to access OT networks. The New York Times claims China has some ability to interfere with the operation of electric grids and pipelines serving U.S. military bases. The director of National Intelligence has said China is likely capable of launching disruptive cyberattacks on U.S. critical infrastructure, including pipelines and rail systems.
So, Why Has Less Attention Been Given to OT Attacks vs. IT Attacks?
It is rare to read reports of OT networks being breached, in part due to different operational dynamics between OT and IT networks. While encouraging, OT attacks have far more destructive potential, so OT risk is getting broader attention from governments and industry. OT previously has consisted of single systems, “air-gapped” from the internet. But with advances in network technologies and improvements to integrated systems that connect to shared IT systems, OT is exposed to more risks.
For instance, OT has become easier for underfunded, low-skilled hackers to identify the locations of wireless networks and begin analyzing their prey. Reconnaissance is the first step of a proficient criminal hacker, and wireless mapping websites make it easier to identify a potential target’s location, scan for possible weaknesses, and exploit them.
According to CISA, the nation’s cybersecurity mentor and watchdog, security awareness and effective policies have left OT lagging behind IT, particularly in internal monitoring and sensing. Nevertheless, as CISA has pointed out, quick responses to cybersecurity incidents are likely greater in OT environments than IT business settings.
What New Regulatory Enforcement Requirements Impacting OT are Imminent?
These and other technological developments, combined with the demonstrated capabilities of adversary nations and criminal syndicates to undermine OT networks, have led to increasing concern that the U.S.’s critical infrastructure is vulnerable. Congress thus passed the Cyber Incident Reporting and Critical Infrastructure Act of 2022 (CIRCIA), and the Biden administration issued Executive Order 14028, compelling the federal government to digitally secure itself and assist the public in doing so. Several agencies of the federal government are also issuing new or updated regulations.
CIRCIA – CISA was tasked with developing and implementing regulations requiring particular components of U.S. critical infrastructure known as “covered entities” to report “cyber incidents” and ransomware payments to CISA. CISA will use this new reporting to deploy resources and assistance to ransomware victims while using the aggregated data to spot trendlines and share analysis with network defenders. OT networks are not specifically mentioned, but OT network breaches will likely be involved in the regulations.
What constitutes “critical infrastructure” has not been determined but is described by CISA as representing 16 different industrial sectors whose assets, systems, and networks are considered so vital that their incapacitation would have a debilitating effect on the nation. CIRCIA’s reporting requirements are subject to federal rulemaking processes and have not been announced.
Nonetheless, we know from the statute that a “covered entity” victimized by a cyberattack must report that attack to CISA within 72 hours after the victim “reasonably believes” a “covered cyber incident has occurred.” It also requires victims to report descriptions of cyber incidents, vulnerabilities exploited, victim’s security defenses, and categories of information accessed by the attacker. Finally, the entity must “preserve data relevant to the covered cyber incident or ransom payment.”
Regardless of the companies or organizations subject to these requirements, compliance will be difficult for some. Understanding when you’ve been hacked can be difficult to determine, and knowing which data was accessed can be almost impossible if files are encrypted or the company lacks the resources to log network activities. Fortunately, Congress included protections, like making reports non-public (with limitations), guards for trade secrets, preservation of privileges, and others.
SEC Regulations – In late July 2023, the SEC issued its long-awaited cybersecurity regulations. The new rules “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and material cybersecurity incidents by public companies.” They require “registrants” (companies subject to SEC oversight) to disclose any “material” cybersecurity incident. Registrants must describe aspects of the nature, scope, and timing of the incident, plus the likely impact of the incident, including operations.
Whether an incident is “material” must be determined, which implicates reporting OT cybersecurity incidents whenever “material.” While most commentators have not considered OT networks when discussing these rules, thought should be given to compliance for companies who rely on OT networks for material facets of their operations.
FERC Regulations – FERC is the federal regulatory agency responsible for electric transmission and sales and directs the U.S.-Canadian combined North American Electric Reliability Corporation (NERC) on matters within its authority. In January 2023, it directed NERC to file new or modified reliability standards that incorporate “internal network security monitoring” (INSM) for high-risk bulk electric systems (BES) in critical infrastructure protection (CIP) networks.
Current CIP requirements focus on threats from the internet, insiders, and remote users, and require demilitarized zones (DMZ) at internet access points (IAPs) to protect BES transmissions. INSM will add collection of data that could indicate the presence of an unauthorized intruder. INSM implementation could be extremely expensive depending on the regulated company but should improve incident responses and protect against cyberattacks.
TSA Security Directive Pipeline – In July 2022, TSA issued its “Third Directive” to the owners and operators of pipelines and liquified natural gas facilities that TSA had previously identified as “critical.” Owners and operators of designated pipelines must submit cybersecurity implementation plans to TSA for approval. Operators are further required to develop incident response plans (IRPs) and cybersecurity assessment programs. Of note, IRPs are common in the IT world but are just catching on in OT environments.
USCG Guidance – The Maritime Cybersecurity Assessment and Annex Guide
was issued in 2023 to cover maritime-related port facility cybersecurity, with particular emphasis on OT networks under the Maritime Transportation Security Act (MTSA). It is voluntary yet recommended for preparing MTSA-required facility security assessments and facility security plans under 33 CFR 105.105. It includes “best practices” for maintaining cyber hygiene in port areas, and applies to IT, OT, building automation, and security systems. The MTSA-regulated facility plans assessments must be approved by USCG’s captain of the port.
How Can Companies Assess Their OT Risks and Improve Resilience?
My observation from working in cybersecurity and studying the issues is that assessments to improve defenses and maximize resilience are more challenging in OT settings than in IT. With IT, there are innumerable ways to architect a network yet end up looking alike, in part because the devices generally used are designed to be interoperable. In contrast, if you’ve seen one OT network, you’ve seen one OT network. OT devices don’t integrate as easily, and architectural designs are more complex. While IIoT is changing that paradigm, allowing more exposure to the internet could replace one challenge with another—like patching vulnerabilities.
The best place to start is by performing an OT risk assessment and doing so on a recurrent basis. While assessments are mandatory for some companies, they are beneficial and CISA offers a variety of assessment tools at no cost. Without assessing potential vulnerabilities, a company cannot plan or remediate effectively. In the context of OT systems, the term “air-gapped” can give the false impression that breach exposure is minimal, though recent incidents suggest this is rarely the case. Vendors and integrators are often able to remotely access and operate these systems, which is another reason OT has been thrust into the crosshairs.
OT assessments can yield common problems. A 2017 DHS-directed study of over 130 ICS cybersecurity assessments concluded that boundary protection (usually where OT meets IT) was a prevalent weakness. This creates challenges in detecting unauthorized activity and regulating IT intersections. It also noted common weaknesses in:
- Seeing and accounting for users
- Lack of network baselines (what is normal?).
- Lack of trained backup personnel when a primary is not present; and
- Unauthorized physical access to field equipment.
The National Institute of Science and Technology (NIST) has provided recommendations for governance and authoritative guidance for corporate networks. It includes ensuring:
- OT cybersecurity policies are established and well-communicated.
- OT cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners.
- Legal and OT regulatory requirements regarding cybersecurity, including privacy, are understood, and managed; and
- Cybersecurity risks are integrated with corporate risk management processes.
Other commentators recommend ensuring both IT and OT cybersecurity teams function within the others’ awareness. An IT attack can have effects on OT cybersecurity and vice-versa. Sometimes the place of a breach is undetermined, so established, practical, and practiced collaboration can be essential.
Although expensive, INSM can make an informed defense of an OT network more agile and deliberate, along with understanding data flows. Properly configured firewalls and DMZ unidirectional gateways are helpful too. There are other areas where focused examinations pay dividends as well but with one caveat: OT assessments can lead to unbudgeted requirements. Including finance and operations senior leaders while the OT cybersecurity team performs assessments (which often require a consultant’s assistance) is highly recommended.
Should OT Networks Have an Incident Response Plan?
Most government publications recommend establishing and maintaining tailored IRPs. With NERC and TSA, these plans are required. They come in all shapes and sizes, but they should clearly state what triggers the IRP, who is responsible for what, who is empowered to make which decisions, and how to immediately contact everyone necessary for the plan’s expedited execution. Depending on a company’s priorities, other requirements may be necessary.
When a network is locked up, devices aren’t responding, or data is being inexplicably extracted, there is no time to determine the finer points of the corporate hierarchy. As CISA has pointed out, “The speed and effective actions required to respond to an ICS cyber incident is directly dependent on the amount of forethought and planning that took place in advance of the cyber event.”
A great degree of preparation can be required to develop the IR plan and associated security playbooks, focused policies and procedures, and realistic tabletop exercises. This should entail hands-on, progressive training. The IR team should be put through its pace as though an actual incident was occurring, with participation from company staff and senior leadership.
It is clear bad actors have shifted their focus to bigger fish and larger, more lucrative hauls. Industrial operations and critical infrastructure are increasingly caught in their dragnets. Under this new paradigm, OT systems should be treated with the same level of importance and precaution as IT business networks. Instituting good cyber hygiene across various OT systems should be a priority. Period.
Gene F. Price has substantial real-world experience in cybersecurity and focuses on Frost Brown Todd’s privacy and data security practice and incident response planning. Recently retired from the U.S. Navy as a Rear Admiral, Gene served as Commander of the Office of Naval Intelligence, Commander of the Naval Information Forces Reserve, and Director of the National Maritime Intelligence Integration Office. He was also Deputy Commander of Fleet Cyber Command/U.S. Tenth Fleet, where he supported U.S. Cyber Command, the National Security Agency, and U.S. global cyber interests.
