40 Years Deploying Cyber Targets
Current indications are that OT cyber risks to industrial operations will become much worse before they get any better. Why? Well, consider mega-trends. For forty years now, we have automated physical operations with computers in the name of increased operating efficiencies – deploying ever more targets for cyber attacks.
Andrew Ginter
All computers run software after all, and pretty much all software can be manipulated by cyber attacks, by exploiting defects in the software, by stealing credentials for the software, or by other means. For those same 40 years, we have connected our computers, because data in motion is the lifeblood of modern automation. But – all cyber sabotage attacks are information, and every flow of information can encode cyber attacks. Thus, for forty years we have steadily increased the number of opportunities to attack our ever-increasing pool of targets. Neither of these trends will reverse any time soon. The OT cybersecurity problem will get much worse before it gets better.
Another big problem with OT cyber risk is that while we were automating and increasing the sophistication of our operations, our enemies were automating as well and increasing the sophistication of their attacks and attack tools. A recent report showed that before 2019, it was rare to have more than one or two cyber attacks per year that caused physical consequences in manufacturing or critical industrial infrastructures. Since the turn of the decade, however, ransomware attacks with physical consequences have more than doubled every year. It will take only another few doublings for cyber attacks to become a serious, widespread impediment to correct, continuous and efficient industrial operations. Today, no expert believes that we will ever return to a state where we suffer only one or two cyber attacks per year with physical consequences.
A second data point for attack automation – both Microsoft and Sentinel Labs are reporting that the high end of ransomware groups are buying and selling sophisticated attack tools and technologies from and to nation states. The high end of ransomware attacks has become effectively indistinguishable from nation-state attacks. In decades past, many of us might have thought “oh, I don’t know – is this facility really important enough to be the target of a nation-state attack?” Today, ransomware attacks everyone with money. Do we have money? Yes? Then we’re likely to be a target of nation-state-style attacks, either from true nation states or from the high end of ransomware.
The same is true in IT networks. In those networks, cybersecurity attacks, monitoring and other defenses are in constant change, as defenders seek to invest optimally and minimally to stay one step ahead of their attackers. This constant change, however, is a poor fit for many industrial environments where engineers must strictly manage change, to control risks to safe and reliable operations. An extreme example – in Germany, it is illegal to apply patches and security updates to automation systems in passenger trains without submitting a safety case for the change to the regulator. Looking even deeper, in the most consequential systems and industries, staying one step ahead of our attackers is a poor fit for our need to assure correct and reliable operations over the entire decades-long expected lifetime of our investments in physical infrastructures.
All this means that today, board members and executives may have a very hard time discharging their obligations to manage exposures to cyber risks. When a CISO reports to the board that they invest steadily in reducing OT cyber risk, how is the board to know if that executive is talking about investments in slow-moving government initiatives, in “constant change” initiatives that may be difficult to apply to the most consequential industrial operations, or in engineering-centric mechanisms that take some, but never all, cyber risk entirely off the table? Board members need to stop asking “have we got this covered?” and start asking more specific questions.
To read further on OT cyber threats, remediations and the tough “how much is enough” question that boards, executives and managers must all answer, request a free copy of the author’s latest book: Engineering-Grade OT Security: A manager’s guide.