Author: Irfan Najeeb
Whether we are talking water, energy, manufacturing, transport, health or any other critical infrastructure industries, Operational Technology (OT) underpins the essential services our society needs. Our reliance on essential services means that OT solutions are highly valued and prove to be more of a target for threat actors.
Enhanced customer experience and digital transformation have blurred the lines between IT and OT environments, which were once considered two different worlds. OT cybersecurity is now incredibly important, but its challenges are magnified by the nature of its operation, technology and the criticality of the associated services. At CGI, we are committed to helping organisations navigate those challenges.
I want to share my thoughts on OT cybersecurity, the challenges, the potential solutions, and how we at CGI work with organisations to ensure they can mitigate or manage cybersecurity risks.
The challenges of cybersecurity in Operational Technology
There are four major challenges that spring to mind when I think of OT cybersecurity:
Industries utilising OT cannot afford to be complacent. Digital disruption has evolved the technology landscape, and this is driving organisations to change with the expanding security risk landscape. Ensuring availability of OT systems continues to be the top focus for most organisations.
The common sentiment that “Nothing has happened for the past 80 years so nothing is going to happen in the immediate future” puts industries at significant risk. Stuxnet, Night Dragon and Duqu are just a few high profile targeted cyber-attacks that have served as a wake-up call for the OT industry.
Although no large-scale security breach is known to have affected Australian critical infrastructure organisations and the community thus far (touch wood!), that does not guarantee that it will not happen.
In fact, it is almost inevitable that something will happen.
There is often a lack of communication between peer organisations, industry and service providers. For example, if one industry organisation is experiencing a cybersecurity breach, there is no guarantee they will alert other peer organisations, sectors or service providers.
It makes perfect sense to say, “I was impacted by this threat, so make sure you have your controls in place.” However, every organisation is focused on tackling their own problems and they tend to overlook information-sharing with the wider community in a timely manner. Further, there often is no enforcement from regulators to compel information-sharing securely.
Over-communication is better than under-communication as the time window to respond to a cybersecurity incident is limited.
Cybersecurity is the sum total of all available information.
This leads us on to the next challenge. Cybersecurity is a complex area, and as such, regulators are correctly avoiding the application of prescriptive requirements or saying, “You should do this, like this”. Instead, regulators are providing descriptive requirements.
If, however, basic hygiene requirements or standards are not being met under the descriptive requirements, the regulators should still be able to perform effective regulation.
If a malicious actor gains access to an organisation’s OT systems and changes or manipulates parameters, they can cause impact to the wider community. For example, if hospitals don’t have the proper backup systems, lives could be in danger, or a compromised energy utility system could see a power grid go down for an extended period.
Regulation should be able to assess the effectiveness of the implemented controls and processes against the descriptive requirements.
Finally, organisations depend on a trusted workforce to defend and protect the OT systems from cyber criminals. Training, awareness and education for the workforce employed in OT become the foundation for the effective use of technology and process to strengthen OT cybersecurity.
Training and learning for OT security is limited and not widely available and the few courses available are expensive. Employers are not often able to sponsor their employees because of budgetary limitations.
Spend requires significant justification – which can be difficult when there is little quantified baseline available against which to assess risk reduction or earning potential.
This is a catch-22 for OT cybersecurity professionals.
Addressing these problems
Ultimately, I believe both organisations and regulators must collaboratively drive change towards overcoming these obstacles. If a baseline level of mandatory cybersecurity and OT requirements is defined, industry organisations, their peers and the workforce will benefit from the outcome. Some short-term pain will result in long-term gains.
In terms of available methodologies to address cybersecurity challenges, one of the most important approaches is known as ‘Defense in Depth’. This is the idea of putting many defensive layers, like an onion, around your systems and assets so an attacker needs to peel and peel to get to the target. This is one of the approaches that CGI has been focusing on with organisations in Australia.
Organisations also need to be proactive, not reactive, with cybersecurity.
Do not wait until someone breaks into your house. Put a fence up. Add locks to your doors. Add an alarm for additional visibility.
Prevention is better than a cure, as the cost of a cyber-breach is significant.
How CGI is helping to enhance Australian cybersecurity
At CGI, security is part of everything we do. We have over 40 years of heritage of creating and securing critical business systems in complex environments. CGI also supplies and supports OT solutions through our own IP-based solutions designed for the Australian market. The combination of cyber analysts and OT experts has enabled CGI to respond to the needs of the OT industry.
We deliver end-to-end security services built on a record of accomplishment of defending Australia’s critical infrastructure, assessing and analysing millions of events on a daily basis. We have helped clients manage complex security needs from audit and compliance requirements, to policy, architecture and engineering, with a business-focused approach.
Due to the sensitive nature of certain data and systems, traditional IT security detection and monitoring is not sufficient. Instead, our approach is to conduct passive monitoring and look for any suspicious activities for further assessment. Our teams engage with our experts who have a significant heritage in OT and business to understand whether this kind of behaviour is normal.
Why CGI is a great place for cybersecurity experts
CGI is a fantastic place for cybersecurity practitioners to work – whether they have decades of experience or are just cutting their teeth. Personally, I love the diversity of the team and the fact the awareness and importance of OT cybersecurity is growing into a mature environment. We address real problems that impact our lives and we do so collaboratively: engineers, developers, cyber analysts and OT practitioners all rowing in the same direction. Because we work with practitioners who have been in the OT industry for 30+ years, difficult problems can be quickly and easily solved through consultation.
CGI has an approach to OT cybersecurity that puts the organisation – our client – at the centre of everything. The key themes of the CGI cybersecurity approach are:
- We conduct security assessments to identify, quantify and prioritise cyber-risks to understand what can go wrong. This forms the risk profile and the cyber journey for an organisation.
- We build secure outcomes through a security first approach by designing, building and implementing processes and technologies to manage the risk of an organisation.
- We continuously monitor, detect, hunt and respond to cyber-threats, and make sure that we’re on top of developments as they happen through our Security Operations Center.
CGI’s cybersecurity approach covers security from all angles of technology, business and legal and has a 360-degree view of global and local threats. Because we are practitioners, not just consultants or engineers, we bring end-to-end expertise. You get a blended experience, expert guidance and a customised approach based on your industry.
What do you see as the biggest cybersecurity issues in OT? How do you think security in the OT space will evolve into the future?