Navigating blind or steering by (in)sight? PART 1

How well-secured is your operational technology? Are you aware of all vulnerabilities in your production environment susceptible to cybercrime? Do you have full insight into your assets? Today, we are witnessing an increasing number of breaches in critical infrastructure and production environments. This is an area where the use of operational technology (OT) is only increasing due to innovation and digitization. Most of the organizations or supply chains affected do not see attacks in time, or may not report them out of shame or fear of reputational damage.

While preparing for the 2022 CGI Industrial Cybersecurity event on May 17^th in Veghel, we spoke with three of our local experts. They are working in this particular domain with CGI in the Netherlands and Belgium, with their teams and clients. This blog is the first in a series of expert blogs that we publish around this event.

What could be the economic and social impact of increasing cyber threats?

“A successful attack on one organization is bad enough.” says Lucien Sikkens, Director OT Security Center of Excellence at CGI in the Netherlands. “Most organizations today are not working in isolation. They are part of complex value chains. Impact on one organization can have major consequences for the wider ecosystem.”

It is obvious that the possible economic damage and impact can be enormous. This is especially true when the attack targets manufacturing and professional service companies at the heart of our society. What if one or more energy providers are hit and then power supply fails? Not only are we at home in the cold and dark; our food and water supplies are also failing. Supermarkets cannot open, refrigerated products go to waste and payment systems become unavailable. Our national infrastructure, trains, road transport: everything stops. A large part of our communication comes to a standstill. Offices close, government services can't continue. Experts agree: the social unrest would be incalculable, with a high risk of violent eruptions.

Less focus on OT compared to IT

Operational Technology 'is' everywhere in our society and is highly branched out. It is part of almost all sectors and industries, from water supply, electricity and food supply, to water management (locks and weirs!), the entire manufacturing industry as well as defense, but also hospitals, for example.

“Even the ventilators in the ICUs use OT.” says Eddy Boonen, Director Consulting Services for Health at CGI in Belgium. “Nobody wants cybercriminals to get their hands on that.”

And yet OT security still receives less attention than IT security, certainly when it comes to regulation. The latter is well known, for example if our privacy is compromised. This is strictly regulated, including through internationally applicable agreements from the General Data Protection Regulation. OT security then comes off a bit poorly, although a tentative turn is visible. More about that in the next blog.

‘Unsecure by design’

So what's wrong with OT's security? In fact, it starts with the original designs. In principle, OT was not designed to be cyber-secure. In IT, confidentiality of data and systems is most important, followed by integrity of the data and finally availability of the systems. In English abbreviated to CIA. In OT this is exactly the other way around. Means of production must work, be available to the maximum. Apart from safety for people and the environment, availability therefore comes before 'integrity' (the quality of, for example, food or medicines) and confidentiality. All measures that could stand in the way of availability and reliability (such as authentication, authorization or encryption, which are now self-evident in IT) have therefore been avoided in the past. Because the more ballast you remove from the overhead of network communication, the more effective it becomes. OT was therefore not 'secure by design' originally.

Convergence of IT and OT

In recent years, production facilities have been expanded considerably with new digitized assets, and more and more existing assets are equipped with sensors and control electronics. In the modern business environment there is an increasing need for insights from the boardroom in order to enable further optimizations. But also inventory management, quality monitoring, planning: it requires (real-time) data from the production lines – and vice versa. Sensors, wireless, remote access: for those working on Industry 5.0, it is essential technology. As a result, OT and IT come closer to each other, they converge, until they can hardly be seen separately from each other. However, this increases the vulnerability. The IT environment can be hit by cyber criminals and thus 'infect' the OT. The April 2021 hack that attacked the American Colonial Pipeline Co. was conducted through an outdated VPN account that allowed employees to access the company's network remotely. But the result was the blockage of the largest oil pipeline in the US and fuel shortages on the economically important East Coast.

The fog: missing knowledge of own OT environment

Digitization of OT assets makes them easier to access, monitor and maintain remotely. But it also makes them more vulnerable to unwelcome activities. Perhaps the biggest problem with this is that many organizations have insufficient insight into their OT landscape.

“On average, 30 percent of assets in OT environments are unknown.” says Willem Jan de Graaff, Director Service Delivery for Manufacturing at CGI in the Netherlands. “ Operators simply don't know they exist.”

New assets are added to the network over time, but often without any history of those changes being built up. Assets are not registered, their status is not fixed and nothing is known about their connectivity. Companies are therefore often insufficiently aware of what they have 'in-house', and they simply do not know what they do not know. As a result, they are completely unaware of the so-called 'attack surface' of their production environment and vulnerabilities. When plotting their OT security course, they navigate in the fog. A hacker who unexpectedly manages to gain access to even the smallest part can therefore go on for a long time and thus cause major damage in the system. Every reason for companies to put OT security high on the strategic agenda.

The good news

The good news is that the latter is already happening more and more. CGI's annual strategic client interviews highlight that 90 percent of participating client executives with production responsibility for IT and OT security view IT and OT security as one of the most important trends in their future investments.

“More and more vendors are coming up with services and solutions for OT security.” says Lucien Sikkens, Director OT Security Center of Excellence at CGI in the Netherlands. “There is also an increasing range of training courses that specifically focus on OT security.”

But what can a manufacturing company, being aware of the urgency and wanting to act accordingly do to raise their OT security level in the relatively short term? How do they get out of 'the fog' and set out on a course for such a clear target?

Click here for more information about CGI OT Cybersecurity Assessments that help increase security awareness and resilience and thus lift 'the fog'.

Are you interested?

Register here for the latest insights, developing regulations such as NIS2.0, relevant best practices and solutions at the 2022 Industrial Cybersecurity event which we are organizing together with Nozomi Networks and Fortinet on May 17 at the Cultuur Haven Veghel.