Last Friday, Prime Minister Morrison announced that a sophisticated state-based cyber actor is targeting Australian critical infrastructure providers, government agencies, the health and education sector, and industry organisations, resulting in an increase in cyber threats.
Against this backdrop, it is worth highlighting the 2019 policy brief, “Protecting critical national infrastructure in an era of IT and OT convergence” by Rajiv Shah for the Australian Strategic Policy Institute (ASPI) International Cyber Policy Centre.
Shah comments that the increasing convergence between the digital (IT) and physical worlds (OT) has created the “internet of things” (IoT), resulting in many benefits, but also new cyber risks.
A cyber-attack on OT systems may have a significant impact on entire communities, and insecure OT systems may provide hackers with easy access to otherwise well-secured IT systems.
In addition, the level of maturity and understanding of the specific risks to OT systems lags behind that of IT systems, which is exacerbated by an OT security skills shortage. There are relatively fewer available commercial solutions, and boards lack specialist knowledge and experience in relation to asking pertinent questions of their CEOs and/or CISOs.
Shah examined the understanding and management of the risks of IT–OT convergence in critical national infrastructure, particularly the telecommunications, energy, water and transport sectors, which are all critical to Australian security and the focus of government legislation.
The study explored approaches to IT–OT convergence, the level of understanding of the risks and approaches to managing the risks.
Challenges of OT Cybersecurity
Historically, OT systems were physically isolated, and cybersecurity was not prioritised until the recent convergence trend propelled it up the agenda.
There are different risk metrics with OT systems (e.g. unlike an IT security attack, a successful OT attack can cause major physical damage and/or loss of life), which is likely to affect an organisation’s risk appetite.
In contrast to IT security, OT systems availability of service is often more important than confidentiality e.g. shutting down a system to stop an attack might not be an option for an OT system, or applying updates to fix known vulnerabilities may not always be feasible.
Integrity may also be more important, in light of the potential safety‑critical impact of changes to data in OT systems. Examples include:
- The operational lifetime of OT systems is typically much longer than that of IT systems;
- Systems may not be built to withstand modern threats, and support and security patches might not be available;
- Firewall design and security monitoring tools are based on characteristic indicators of IT attacks, thereby potentially allowing undetected OT attacks to pass through.
Conclusions and Recommendations
Shah’s three key recommendations are:
- Boards of critical infrastructure providers should explicitly set their tolerance to OT cyber threats and monitor their organisation’s performance against it. This may require a combination of regulatory mandate and enforcement through recommended standards and approaches tailored to each sector.
- Prioritisation of resources to ensure that the relevant organisations are able to implement all of the required actions at the required pace;
- Better education and information are needed to improve the understanding and management of risks, from both business and technical perspectives. Key areas for action include:
- Awareness and training- although the supply of specialist skills is low, boards can be enabled to be curious to ask the right questions, understand and measure the risks, and build an appropriate risk culture;
- Increase the availability of specialist courses;
- Improve threat information sharing by various government agencies, and provide leadership and ownership of this responsibility for the critical infrastructure sector;
- Technical information sharing – the maturity of commercial solutions, specifically to address OT security requirements, should be reviewed and gaps identified to assist in accelerating development of the required capabilities.
Without security being at the core of IT and OT convergence, malicious cyber threats will remain a constant risk. Agilient’s expert security consultants are readily available to assist executive teams and boards of critical infrastructure providers in ensuring that appropriate enterprise-wide risk management programs are in place.
Author: Phillipa Lee, Agilient Consultant