Author: E-Yang Tang
Critical Infrastructure provides us with essential services like energy, food, water, transport, communications, health and banking and finance. While new technologies are constantly emerging to drive efficiencies in these sectors, each advance brings about a new set of cybersecurity challenges.
Staying abreast of these changes and continually reviewing cyber security practices is crucial to protecting critical Infrastructure and the essential services we rely on every day.
Key cyber security challenges
The reality is that cyber security approaches are not perfect, and there are limitations and weaknesses in every industry and sector. The critical Infrastructure space is no different.
Firstly, technical solutions often take precedence over strategy, frameworks and processes. Infrastructure custodians may make security hardware or software acquisitions without understanding how these solutions impact the overall risk reduction of the critical Infrastructure environment.
There’s also often a lack of collaboration between the IT team and the Operational Technology (OT) team in a critical Infrastructure setting. A common mentality is that OT environments are segregated from the IT environment, and that the OT environment is safe.
This is a myth.
If the technology behind the operating environment is not current, it comes with inherent risks and vulnerabilities. Legacy operating systems are highly vulnerable to threats, both from external and insider sources.
Although the convergence of IT and OT platforms is very much desired in a critical Infrastructure setting, there needs to be a conscious effort to protect the OT environment. Without this, the doors are opened to cyber security threats.
Addressing these problems
Overcoming challenges in a critical Infrastructure setting requires a commitment at both an organisational and individual level.
From an organisational standpoint, cyber security needs to be driven by risk, not technology. It is critical to understand the cyber security posture of the organisation, and from there build a roadmap or strategy to augment the controls/technology and reduce risk.
Logically, it will be astute to embark on a symbiotic awareness program to create awareness on how OT architecture, operations and protocols are different from IT and vice versa. However, more needs to be done besides educating each other on the intricacies of OT where “Availability” is priority and IT where “Confidentiality” is paramount.
Individually, the cultural boundaries of ‘IT vs OT’ must be taken down. Cyber security threats don’t see a difference between IT and OT, so there needs to be a strong collaborative culture between the two teams.
My approach to encouraging collaboration is to ensure that our teams are as diverse as possible. Our employees come from different backgrounds, genders and ages, and all are encouraged to contribute their ‘IT vs OT’ points of view. Our more experienced OT team members mentor our new recruits and in turn they are encouraged to bring fresh ideas to the table and challenge the status quo. The challenge will test the mentor and mentee relationships, however this ‘discomfort’ will inevitably bring improvement. This approach has helped drive collaboration and innovation in my own team at CGI.
With this approach, the convergence of IT and OT will be placed on a strong foundation and increase the probability of success. From a cyber security perspective, the outcome will be a cohesive strong unit defending against threats together, making it harder for malicious activities targeting IT and OT.