RSA 2022: Cyber-Physical War: When the Cyber and Physical Environments Collide

In eight minutes, a bad actor can take control of an offshore oil drilling facility.

Take that factoid in for a moment. Because that’s what’s at stake when the worlds of information technology (IT) and operational technology (OT) converge. This is a trend that’s been underway for several years – as per this Broadcom Software blog from back in 2018 – but according to Ian Bramson, global head for industrial cybersecurity at the ABS Group, we’re now at an inflection point.

“Attacks are increasing and the bad guys know how to attack the industrial environment,” said Bramson, during a presentation he gave at the 2022 RSA Conference this week.

Clearly, we’re watching an increase in the size and scope of attacks against physical infrastructure – most notably the audacious takedown of Colonial Pipeline. At the same time, malicious hackers, cybercriminals, and rogue nation-states have become increasingly emboldened, carrying out copycat attacks. In the last year alone, Bramson said, “90% of organizations that use OT systems have experienced some sort of cyber incident.”

To fight back requires crossing a chasm of misunderstanding that divides OT professionals from their IT counterparts and resolving the internal conflicts between the widely different worlds of IT and OT, he asserted.

“People are frustrated,” said Bramson. “You’re either on the IT side, and you don’t know OT things, or you’re in operations, and you don’t want people to touch your stuff. You have to bridge that. It’s not convergence, it’s a fight right now,” said Bramson.

Mars and Venus: IT and OT

The first step to understanding involves recognition of differences. OT, used to run steel mills, oil refineries, and assembly lines, is vital for industrial companies to function, but is in many cases decades old and was never designed to be connected to networks. IT however, changes quickly and is typically designed with networking built in. And while IT systems can be taken offline for upgrades, a power plant could cost a million dollars per day if it were to be taken offline. Above all, IT and OT were not designed to work together. “You can’t put IT stuff on an OT network. It will bring it down,” said Bramson.

Even though the technologies and mindsets are different, the two realms are merging in the form of new inventions like autonomous oil tankers. The only way to protect such emerging environments from falling into the hands of bad actors is for OT and IT to work together. Along that path, there are many hurdles to overcome, according to Bramson.

The Supply Chain is Vulnerable

Industrial companies build their machinery with components that arrive via a supply chain. But an attacker can slip malware into the components and subcomponents as they make their way to a factory or power station. “If you’re not checking stuff, … it’s like running a relay race with a stick of dynamite,” said Bramson. “You have to understand security by design,” he advised. That means choosing vendors carefully, and developing a cyber map of supply chain operations, including manufacturing, delivery, contracts, incident response, and forensics, said Bramson.

And while creating a resilient supply chain that includes alternate suppliers and shipping methods has many benefits, the same resiliency can open cybersecurity vulnerabilities because alternate routes and contingencies can be exploited by attackers, Bramson asserted.

Insure This?

One area that is languishing in misunderstanding is insurance. While vital to protect against catastrophic losses, industrial insurance against adverse cybersecurity events is in a poorly developed state, according to Bramson. “Insurers don’t have any idea how to underwrite this stuff,” he said. For example, he explained, an insurer might consider an attack on critical infrastructure an act of war, and therefore not covered under a conventional policy. The only hope of communicating effectively with insurers is to express policy needs in terms of risk and compliance, which insurers typically understand, Bramson recommended.

The Future Belongs to OT

To acquire and deploy cybersecurity technology, funding is needed. To that end, IT leaders should adopt the strategy of learning about OT to increase their chances of gaining funding for security initiatives, Bramson said. Because OT is usually vital to a company’s identity and profitability, corporate leaders are more likely to approve OT budgets rather than IT budgets that include security provisions. “Get closer to the operational side. That’s your revenue base,” Bramson advised. Then at budget time, he continued, don’t express the need for funds in terms of technology. “Don’t talk tech. They don’t understand it…. Communicate in business terms to the board of directors.” 

As for the future, OT cybersecurity will overtake IT cybersecurity as the priority for industrial companies, Bramson predicted, because OT is where risk is tied directly to revenue. He said companies are asking OT cybersecurity managed services to also provide their IT cybersecurity.

That means for IT professionals working at industrial organizations, learning all about OT is critical, Bramson said. “If you don’t know about it, find a partner that knows their stuff.”

To learn more on how Broadcom Software can help you modernize, optimize and protect your enterprise, contact us here.