Would you risk it for a brisket?
Cyber security has become a hot topic across the world and an area that governments are paying more attention to, particularly around critical infrastructure. Every day, people across the globe wake up to the news of a new cyberattack, often in the form of crippling ransomware that encrypts files and locks users out of systems until a hefty ransom is paid.
More worryingly, many of those attacks have targeted organisations classified as critical infrastructure, which are typically reliant on operational technology (OT). OT environments have recently become more targeted, and any security breach can have catastrophic consequences.
Consider the recent attack on the Colonial Pipeline, which supplies almost half the fuel consumed on the east coast of America. The ransomware attack in May this year was one of the most devastating cyberattacks on US soil, targeting the oil pipeline’s IT network and forcing the business to cease production before the attack could spread to its OT systems. The five-day shutdown drove fuel prices to a six-year high, caused fuel shortages across several states, and even affected the operations of some airlines and airports. Additionally, the organisation was forced to pay the hackers US$4.4 million to bring its operations back online.
Less than a month later, North America and Australia were battling a ransomware attack on the operations of the world’s largest meat supplier, Brazil-based JBS Foods. The attack was initiated through the company’s IT systems and forced the business to proactively shut down its OT network and operations across the US, Canada, and Australia. The five-day closure of 47 sites in Australia affected 11,000 workers, with the ripple effects being felt by suppliers such as truck drivers and farmers forced to cancel deliveries. The cost to the company was significant too, outlaying US$11 million to Russian cyber gang REvil to unlock its systems.
The third example, while not cyber related, is another illustration of how globalisation has become so central to our daily lives, and how an action in one part of the world can have a direct impact on the wellbeing of governments, organisations, and individuals on the other side of the globe.
On March 23, one of the largest container ships in the world, the Ever Given, became stranded in the Suez Canal, which accounts for 15 per cent of global shipping traffic, including the daily transit of one million barrels of oil and roughly 8 per cent of liquefied natural gas. The daily cost to the Suez Canal Authority was US$14-15 million, and the blockage delayed the passage of over 400 other ships. The incident disrupted supply chains around the world, costing an estimated $60 billion in global trade between Asia and Europe, with the economic burden being borne by businesses and shoppers at the checkout.
While the benefits of our progression to globalisation are manifold, these incidents expose how our interdependence can also be our undoing. The “butterfly effect” in the IoT age means an attack in the US now affects Australian meat workers and an incident in Africa delays the delivery of whitegoods in the Philippines.
Even businesses not reliant on global supply chains can be devastated by a single keystroke from a threat actor halfway around the world. Businesses reliant on operational technology in sectors such as manufacturing, mining, energy, water and waste, transport and aviation are particularly vulnerable to ransomware attacks, due in part to the challenges they face in upgrading cyber security controls across these environments. As such, protecting OT networks should be a critical priority. But where to start? Whatever the size of your business, a good first step is to address three basic questions.
What is your baseline security level?
Every organisation should know its OT security posture. Conducting a security health check is fundamental to ascertaining your organisation’s baseline around processes, technology, and people.
Establishing a baseline enables you to benchmark your organisation against international best practice for managing industrial control systems (ICS), using frameworks such as ISA/IEC 62443 or C2M2.
Standards and requirements will differ according to industry, particularly when the federal government’s Security Legislation Amendment (Critical Infrastructure) Bill 2020 takes effect later this year, expanding the scope to 11 sectors now deemed “critical”. Knowing where you stand now is important in understanding where you need to be.
What is most at risk?
If a baseline health check provides a helpful macro view, a security risk assessment enables organisations to narrow their gaze to focus more closely on immediate threats.
A thorough risk-based approach allows organisations to categorise and prioritise threats according to their baseline, accounting for security deficiencies, likelihood of attack and biggest impact.
Just like a hospital emergency department, triaging threat levels enables organisations to plan for and mitigate the most critical threats.
Is everyone on the same page?
The best analysis and planning in the world won’t lead you to your destination if no one has a road map.
Aligning internal stakeholders along the journey to improved OT cyber maturity is critical to success. The interconnectedness of businesses today requires a multidisciplinary response, with the security team, engineering, and the IT team working seamlessly together to uplift security levels.
The overarching objective must be clearly understood by all departments, with clear lines of communication and an understanding of responsibilities and required resources, both staffing and financial.
While these considerations may seem straightforward on paper, many organisations will lack the maturity and OT expertise to undertake such tasks. Additionally, experience has shown that internal reviews are often not successful in detecting system vulnerabilities, and organisations understandably lack awareness of the many and varied threat actors in the space.
Consulting an OT specialist cyber security firm will assist in identifying security gaps and help to prioritise areas of need, as well as providing an understanding of budgetary requirements.
Article originally written for the Risk Management Institute Magazine.