Cyber-Resilience within Critical National Infrastructure Environments

Ian McGowan

Managing Director

In the first six months of 2023, two of the most powerful countries in cyber-space issued guidance related to the need for Critical National Infrastructure (CNI) organisations to improve their resilience against cyber-attacks.

 

The UK and US issued these recommendations in response to a surge in attacks against CNI that have resulted in cyber-physical impacts. In recent times we’ve witnessed fuel shortages due to cyber-criminals infiltrating Colonial Pipeline, a close-call civilian catastrophe after attackers poisoned the Oldsmar Water facility in Florida, and the cancellation of multiple medical procedures across the globe when attackers held hospital systems to ransom.

 

The first piece of guidance came from the Biden administration when it released its 2023 National Cybersecurity Strategy to help improve the cyber-security of CNI for all Americans. The 39-page framework focused on five key pillars: to defend critical infrastructure, dismantle threat actors, drive cyber-resilience, invest in a resilient future, and forge international relationships, all with the aim of improving the country’s protection of critical infrastructure against cyber-threats. 

 

Shortly after its release, the UK’s NCSC announced its guidance, much of which echoed the recommendations in the Biden Strategy, focusing on the need for global relationships, cyber-resilience, and the importance of cyber-hygiene within critical industrial organisations. The guidance from two of the world’s most powerful cyber-security leaders has been met with a positive response. Security professionals and citizens have now come face-to-face with the realities of cyber-attacks on CNI, so anything to drive resilience is a positive step. The UK and US governments have reiterated the high chance of attacks and the importance of keeping CNI secure.  Organisations should be acting on these warnings and improving their cyber-resilience, but with many organisations having weak cyber-security within operational technology (OT) and control system deployments, putting the recommendations into action could be challenging.

 

Within industrial environments, many organisations are still at the early stages of their cyber-security journeys. Modernisation within plants has taken place to improve operational efficiency and employee safety, but much of this has occurred without security in mind. 

 

This has resulted in critical security control weaknesses which are increasing cyber-risk.

 

Understanding the modern industrial environment 

Historically, within industrial and control system environments, digital security was predominantly focused on IT assets. OT and SCADA systems were mostly managed manually, so external access to sensitive industrial processes was not possible. This enabled industrial operators to overly rely on air-gapping as their means of keeping their systems secure.

 

Today, however, many industrial processes are automated and rely on networked computers to perform complex system decision making within industrial and OT environments, often requiring internet connectivity to achieve this. This has offered significant benefits by improving the efficiency of operational processes and the effectiveness of safety-critical systems.

 

However, the adoption of technology that facilitates the digitisation of legacy OT systems has inadvertently introduced another type of cyber-risk which incorporates a physical, rather than digital, concern.  Unfortunately, the increased connectivity has resulted in unauthorised access to CNI & OT systems, and in some cases system exploitation with very damaging consequences.  Unlike IT environments, where security breaches tend to result in the loss of data and money, attacks on CNI can have a direct impact on society. This could be water shortages, fuel shortages, or more hazardous situations where attackers attempt to compromise CNI, such as energy facilities or the grid.

 

Given these risks, it’s not surprising the UK and US governments are placing such prominence on industrial cyber-resilience.

 

Securing connected industrial systems

The first step I always recommend for understanding your risk within OT and CNI is a cyber-risk and maturity assessment. For organisations that have modernised their OT, the focus must be on initial assessment so that the severity and quantity of risks can be discovered and managed as part of a strategic cyber-risk reduction plan.

 

There are multiple control domains to be considered when attempting to gain a better understanding of cyber-risk, but understanding the system architecture and operational context is a great first step. The architecture and system components provide a technology framework to define the scope of technology risk management to be conducted.

 

Understanding the business value of the systems being assessed and the stakeholders involved provides a richer data set to inform risk management decisions.

 

The system segmentation strategy is also a key aspect of the scope of connectivity of an OT or industrial control system, because a simpler control system infrastructure is easier to secure. A policy of ensuring OT systems are only connected where necessary will provide a good starting point for managing risk, by ensuring that new systems brought into production do not add to the risk debt that organisations need to manage.



The security boundaries between segmented systems need to be transparent in organisations where availability is the priority, which is often the case in OT and CNI. It is therefore of the utmost importance that authorised system communications are not disrupted and that access to systems from remote locations can be facilitated securely when required.

 

Legacy and outdated software, found in many operational systems in use today, can make managing cyber-risk significantly more challenging, increasing the complexity of vulnerability management by requiring compensating controls that protect and monitor the exposure.

 

Augmenting resource with industry expertise

Building cyber-resilience has never been more important because the threat of attack on CNI has never been as high. The new guidance from the UK and US will provide organisations with a good point of reference when dealing with early-stage risk management.

 

The recommendations made above will also help organisations meet cyber-resilience goals, but those that are limited in resources or don’t have the resources to build out programs effectively can rely on industry OT service providers.

 

These service providers that specialise in CNI and industrial cyber-security can also help organisations manage their risk, secure their environments, and implement the new guidance from the UK and US governments.
