How to defend critical national infrastructure from a cyber attack
Tom Westenberg, Senior OT Security Consultant at Thales, shares his insights into the evolving landscape of cyber security for critical national infrastructure (CNI) such as energy and water supplies:
How are approaches to CNI systems changing?
Modernisation and operational efficiency improvements are the main drivers for critical national infrastructure (CNI) operators. Today, organisations are shifting to off-the-shelf components, such as Cisco switches and Windows operating systems, rather than standalone control equipment.
A whole new class of functionality has been adopted from remote access functionality, as one likes to see the performance of the power plant from home, to data integration, which can be used for activities such as business forecasting. As we see with the example of IT security, everything that we do needs appropriate protection against threats. What sets CNI operators and systems apart is that, unfortunately, the consequences of CNI cybersecurity incidents have a much greater potential impact.
How big is the current risk to CNI?
The current risk is fully dependent on the means, motive and opportunity of the threat actor. Attacks on critical national infrastructure are most often carried out by people with clear intentions. CNI operators should be vigilant to a range of information sources to understand the threat to their operations. This could range from geopolitical events to threat intelligence and connecting with National Cyber Security Centre or Information Sharing and Analysis Center communities.
What do organisations need to do to protect CNI?
CNI operators should realistically prepare to face a cybersecurity incident that could affect industrial control systems in any capacity. From our experience at Thales, we engage with both smaller CNI operators that are as ready as they can realistically be for such an incident without requiring a significant change in their organisation or funding, and much larger CNI operators across the globe. The work that we carry out with these organisations includes preventative detection capability as well as recovery, incident response and triage capability.
CNI operators should look to protect their organisations across the domains of people, process and technology - in that order of priority. At Thales, the top three recurring challenges that we witness are:
- An insufficient workforce development programme that covers awareness training for operational technology (OT) operators, as well as specialist OT security knowledge for key individuals.
- A lacking cybersecurity strategy and roadmap for the next few years that outlines set objectives and an appropriate level of resources.
- Missing detection and response capabilities in relation to monitoring for threats that specifically target industrial environments.
What does the future hold for threats to CNI?
In terms of threats, ransomware and the monetisation of attacks are here to stay for the foreseeable future and CNI operators should be vigilant against this specific type of threat. With the correct attention, funding and support from senior leadership, putting up a significant level of defence is achievable and within reach of any CNI operator. However, there will always be successful intrusions and incidents affecting CNI and industrial control systems. This is something that we have to learn to expect and plan for. Going forwards, expect to see increased regulatory pressure that will require CNI operators to take cybersecurity more seriously if they are not doing so already.