Bill Moore is the CEO and founder of XONA, a provider of a “zero-trust” user access platform tailored for remote Operational Technology (OT) sites. Moore is currently working with global power, oil and gas, and manufacturing customers to reduce their remote operations costs and cyber risks. He has more than 20 years of experience in security and the high-tech industry, including positions in sales, marketing, engineering and operations.
Alongside the COVID-19 pandemic, cybersecurity threats soared. Ransomware attacks, phishing scam campaigns, and other attack methodologies reached all-time highs, prompting companies to spend a record amount to enhance their defensive postures.
However, always ready to capitalize on vulnerabilities, threat actors are now targeting critical infrastructure, including water and energy facilities. While the ransomware attack on Colonial Pipeline attracted the most media coverage because of the startling scenes of supply shortages and gas lines, a new joint advisory published by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the NSA, and the U.S. EPA highlights more expansive challenges for critical infrastructure.
According to the report, several water facilities were targeted in 2021, disrupting both information technology (IT) and operational technology (OT) systems and exploiting vulnerabilities in critical IT and OT systems, which can pose major risks to operations as well as public safety.
Specifically, the report notes, “The increased use of remote operations due to the COVID-19 pandemic increases the necessity for asset owner-operators to assess the risk associated with enhanced remote access to ensure it falls within acceptable levels.”
In response, utilities must recalibrate their cybersecurity efforts, ensuring that they can secure OT operations. For those tasked with making or evaluating those decisions, here are three priorities for securing OT infrastructure.
1. Adapt to Remote Work Trends
Many utilities are turning to remote work while developing remote operations capacity to attract and retain top talent and maintain operational continuity regardless of on-the-ground circumstances. Expanding remote work opportunities comes with many benefits for utilities, but it also introduces new vulnerabilities as hackers increasingly target off-site workers. As The Wall Street Journal reports, “The use of personal devices and internet connections, coupled with the anxiety of balancing work with child care and other tasks at home, has introduced a different set of weak points.”
This is especially true for utilities that are connecting off-site personnel to on-site physical infrastructure for the first time.
In this regard, a utility’s employees are often its weakest link. According to one industry survey, 61% of participants failed a basic cybersecurity quiz. Meanwhile, the average company devotes just 5% of its cybersecurity budget to training and equipping employees in cybersecurity best practices.
Cybersecurity preparedness is not a one-size-fits-all solution, but it should be an integral part of helping utilities keep critical infrastructure secure during this transitional moment.
2. Implement OT-specific Cybersecurity Solutions
Municipalities have invested heavily to fortify their on-site cybersecurity capacity at water and waste facilities. Now, the shift toward hybrid teams requires utilities to update their calculus. In particular, the joint advisory warns, “threat actors can exploit a Remote Desktop Protocol (RDP) that is insecurely connected to the internet to infect a network with ransomware. If RDP is used for process control equipment, the attacker could also compromise WWS operations.”
In other words, as utilities integrate remote operations capacity, they need to implement OT-specific cybersecurity solutions, which isolate and monitor the usage of data protocols.
For utilities, this means protecting OT network access with authorization controls that monitor OEM access, provide precise operational access controls, and enhance existing enterprise IT cybersecurity tools.
Most importantly, utilities should implement a zero-trust cybersecurity framework, including:
- HW token-based multi-factor authentication;
- Protocol isolation;
- Mediated uni-directional secure file transfer;
- Mediated user-to-asset access;
- User-to-asset connection monitoring; and
- Full user access logging and session recording.
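As an added illustration (not from the article or any product it describes), the sketch below shows how three of the listed controls combine in one deny-by-default decision: hardware-token MFA, mediated user-to-asset access limited to granted protocols, and logging of every attempt. All user, asset and protocol names, and the `GRANTS` table, are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy: which user may reach which OT asset, over which protocol.
# Every user, asset and protocol name here is hypothetical.
GRANTS = {
    ("oem-tech-01", "plc-chlorine-dosing"): {"vnc"},
    ("operator-07", "hmi-pump-station-2"): {"rdp", "ssh"},
}

@dataclass
class AccessRequest:
    user: str
    asset: str
    protocol: str
    mfa_method: str  # e.g. "hw_token", "sms", "none"

@dataclass
class Broker:
    audit_log: list = field(default_factory=list)

    def decide(self, req: AccessRequest) -> bool:
        """Deny by default; allow only hardware-token MFA plus an explicit grant."""
        allowed_protocols = GRANTS.get((req.user, req.asset), set())
        if req.mfa_method != "hw_token":
            reason = "mfa_not_hardware_token"
        elif not allowed_protocols:
            reason = "no_grant_for_user_asset"
        elif req.protocol not in allowed_protocols:
            reason = "protocol_not_granted"
        else:
            reason = "granted"
        allowed = reason == "granted"
        # Full access logging: denied attempts are recorded as well.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": req.user, "asset": req.asset,
            "protocol": req.protocol, "allowed": allowed, "reason": reason,
        })
        return allowed

def run_examples():
    broker = Broker()
    requests = [
        AccessRequest("operator-07", "hmi-pump-station-2", "rdp", "hw_token"),
        AccessRequest("operator-07", "hmi-pump-station-2", "rdp", "sms"),
        AccessRequest("oem-tech-01", "plc-chlorine-dosing", "rdp", "hw_token"),
        AccessRequest("oem-tech-01", "hmi-pump-station-2", "vnc", "hw_token"),
    ]
    results = [broker.decide(r) for r in requests]
    return results, [entry["reason"] for entry in broker.audit_log]
```

The denied requests still produce audit entries, which is what lets a reviewer see an OEM account probing an asset or protocol it was never granted.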
With threat actors exploiting vulnerabilities in OT remote operations capacity, it’s critical that utilities fortify their defensive posture to protect critical infrastructure.
3. Automate Processes and Reduce Friction
Utilities face unique hiring challenges on every front, but cybersecurity jobs are especially challenging to fill. There are more than 450,000 unfilled cybersecurity jobs in the US, while widespread burnout has led high numbers of qualified professionals to leave the profession. In response, water utilities should turn to software solutions to automate processes and reduce friction whenever possible.
For instance, oversight is critical to maintaining network integrity, but many cybersecurity teams are overwhelmed by the number of alerts and false positives requiring their attention and investigation. By implementing automation technologies that mitigate this dynamic, utilities can best respond to the most urgent risks.
Similarly, for average employees, cybersecurity solutions should be easy to implement and deploy. Many people are unwilling to endure even relatively modest disruptions to their existing workflows, making it critical that utilities minimize friction as they work to secure critical infrastructure.
Supporting Infrastructure That Lasts
Threat actors have demonstrated a willingness to target critical infrastructure to turn a profit. Failure to respond appropriately can have devastating consequences. Utilities provide vital services to millions of people, and any disruption, contamination, or misuse puts people’s health and safety at risk.
In 2022, utilities need to become more operationally resilient through the deployment of OT-centric cybersecurity solutions that minimize risk and make operational processes more efficient.