Cyber threats are a growing concern to critical infrastructure operators. With the increasing connectivity of sectors, such as utilities, transport systems, and healthcare facilities, the implications of an attack go beyond cyber space. There is little doubt that the disruption of critical infrastructure assets can not only impact national security but also potentially lead to life-threatening situations.
In large part, these threats are possible because the risk profile has broadened with the increasing use of digital, connected, smart IoT. This Internet of Things encompasses a range of technologies, including operational technologies (OT), cyber-physical systems, control systems, ranging from small lightweight sensors to large, complex machinery and cross-platform deployments. The devices are tied in with systems and servers talking to each other via numerous legacy and emerging communication protocols. This mash-up exposes new threat vectors that critical infrastructure operators need to address.
The digital transition requires a different mindset in terms of secure OT management. Critical infrastructure stakeholders will have to leave behind static, checklist-based maintenance to adopt dynamic and proactive methods that focus on real-time intelligence. Many emerging IoT tools will facilitate this, and cybersecurity must be considered as one of the core components of managing smart systems. The advantages of modernizing infrastructures will be lost if security is regarded as anything less than critical.
What is clear is that the convergence of digital technologies with operational ones faces significant shortcomings in cybersecurity because efforts in digital protection of legacy systems is severely limited. Critical infrastructure operators generally place heavy reliance on functional safety and physical security, but the cyber protection of connected OT is largely inadequate. There are concerns with IP and other connectivity, problems with access control and subsequent issues around identity, authorization and authentication.
The issues of connectivity and access control become ever more critical as operators increasingly rely on subscribed systems to access and manage external sources and data, including financial transactions, payroll, customer and employee data, support system maintenance, among other systems. Manufacturers and third-party vendors are increasingly part of a connected supply chain, meaning greater risks for operators due to a much larger attack surface beyond their control.
Vulnerabilities can be found in both control and information systems, in policy and procedure, architecture and design, in the configuration and maintenance, among many other sources. The lack of training and awareness compounds this, and the interconnection of systems creates a large attack surface that can be exploited maliciously or degraded by accident. The imperative for adopting and implementing common cybersecurity standards and practices is critical because the efficiencies and cost savings delivered by OT will be significant.
Critical infrastructure operators are aware of the risks and the threats that these new technologies present, even if they are not all well-equipped to deal with them yet. The general level of cyber preparedness is still sub-par, and this is due to several obstacles: lack of resources, skills and expertise, prioritization of availability and safety rather than security, unfavorable cost-benefit analysis, poor awareness or understanding of the risks, etc. The state of security in critical infrastructures is on average inadequate.
However, operators are increasingly benefitting from growing support in their endeavors to tackle insecurity. At the highest level, nation states are concerned with ensuring that security and safety are addressed as a priority. The development of policy, law, and standards is high on the cybersecurity agenda of not just nation states but also international and regional organizations, standards bodies, industry consortia and academia. Together, these efforts are providing best practices, guidelines and recommendations on minimizing risk through the efficient design, implementation, and management of cybersecurity. Not least, the cybersecurity industry itself is providing maturing solutions specifically for critical infrastructures. While the ecosystem is still relatively nascent, there are myriad efforts and solutions on all fronts that are supporting operators in deploying proportionate and practical cybersecurity. The effort however must be sustained and continuous, and all stakeholders need to participate actively if the risks are to be effectively minimized and managed long term.
About Michela Menting:
Michela Menting, Research Director at ABI Research, delivers analyses and forecasts focusing on digital security. Through this service, she studies the latest solutions in cybersecurity technologies, IoT and critical infrastructure protection, risk management and strategies, and opportunities for growth. She then delivers end-to-end security research, from the silicon to cyber-based applications, closely analyzing technology trends and industry-specific implementations.
About ABI Research:
ABI Research provides strategic guidance for visionaries needing market foresight on the most compelling transformative technologies, which reshape workforces, identify holes in a market, create new business models and drive new revenue streams. ABI’s own research visionaries take stances early on those technologies, publishing groundbreaking studies often years ahead of other technology advisory firms. ABI analysts deliver their conclusions and recommendations in easily and quickly absorbed formats to ensure proper context. Our analysts strategically guide visionaries to take action now and inspire their business to realize a bigger picture.
For more information about ABI Research’s forecasting, consulting and teardown services, visionaries can contact us at +1.516.624.2500 in the Americas, +44.203.326.0140 in Europe, +65.6592.0290 in Asia-Pacific or visit www.abiresearch.com.
The topic of Cyber Physical/IoT will be covered throughout the free-to-attend conference at Infosecurity Europe in London from 4-6 June. See all the talks on Cyber Physical/IoT here. Infosecurity Europe is the leading European event for information and cyber security; find out more and secure your free visitor badge.