Rising Industrial Attacks Require Suppliers With OT Smarts
Rockwell Automation's Mark Cristiano on Why IT, OT Remediation Are So Different
More threat actors are dedicated to attacking industrial organizations, and that increasing volume and sophistication of attacks has left organizations clamoring for suppliers with expertise in safeguarding OT infrastructure.
The number of U.S.-based threat actors dedicated to attacking industrial organizations has grown by 35% over the past year, driving an 87% increase in breaches over the same period, said Mark Cristiano, commercial director for Rockwell Automation's global cyber services business. To make matters worse, attacks often launch automatically without the user having to click a link or open an attachment.
"These are very sophisticated teams that are very well-versed in being able to get into the infrastructure of industrial customers," Cristiano told Information Security Media Group. "The number of groups getting into the business of trying to hurt production and make money off industrial customers is really dramatic, and I think the customer base is starting to really pay attention to that."
Cristiano said Rockwell Automation has a booth at RSA Conference 2023 later this month where the company will educate industrial organizations on the differences between IT and OT environments. The company has experience in hundreds of plants across North America, Latin America, Europe and the Asia-Pacific region with both cybersecurity remediation and ongoing managed services opportunities, Cristiano said (see: Responding to Federal Directives on Critical Infrastructure).
Bringing Security to Aging Infrastructure
Adversaries have ramped up their attacks against critical infrastructure given the broad impact of a successful compromise, which Cristiano said allows threat actors to pursue higher ransom payments. The age of critical assets such as power plants and pipelines makes protection a challenge since much of the supporting infrastructure was put in place more than two decades ago, according to Cristiano.
Older critical infrastructure technology tends to rely on traditional communication protocols that aren't Ethernet-based and weren't designed with security in mind, he said. Legacy PLC and ICS equipment was designed with a singular purpose in mind. The digital transformation requirement to “open up” those legacy systems to provide data to and from the ERP layer has introduced an additional element of cyber risk to industrial customers.
Cristiano said Rockwell Automation has therefore needed to come up with strategies that allow data to move bidirectionally between the control layer and ERP layer, while overlaying the aging assets with security controls.
In addition to older control systems with proprietary communication protocols, Cristiano said the geographically dispersed nature of critical infrastructure assets makes protection a challenge. Customers often struggle to keep tabs on every device along a 1,000-mile-long pipeline or inside a large power plant, yet building that inventory is typically the first step in devising an effective security strategy (see: Protecting Industrial Security When Uptime Is Essential).
Why OT Expertise Wins the Day
Industrial organizations looking to secure their OT environment often start by turning to their internal IT team or hiring a third-party provider that's focused on IT infrastructure, Cristiano said. But companies quickly learn that OT remediation and IT remediation are two very different things, he said, since only a supplier well-versed in OT knows how to tie into and protect a 20-year-old control system.
Too many industrial vendors have attempted to team up with IT organizations for their OT cybersecurity program despite a lack of experience with the differentiated technology, which Cristiano said has led to major struggles. He said CISOs at industrial companies have taken a more active role in learning about the differences between IT and OT security and outsourcing to a supplier such as Rockwell where gaps exist.
"Organizations are maturing rapidly in understanding the differences in those environments and then taking proactive measures to try to bring the right resources in and to help mitigate that cybersecurity risk on the OT side of the infrastructure," Cristiano said.
IT infrastructure tends to be very sterile, he said. Pretty much all servers and switches look the same. But Cristiano said it's a different story on the OT side of the house since operational technology assets vary both in age as well as the protocols they communicate with. He urged critical infrastructure providers to begin their security journey by identifying the OT assets they have in their enterprise.
From there, Cristiano said, industrial organizations should create a vulnerability profile for each OT asset in their environment, often more than 1,000 of them, to determine which should be prioritized. Super-critical OT assets are protected very differently than their noncritical counterparts, so Cristiano said companies must generate an accurate priority list.
"It's that combination of asset identification, vulnerability scoring and then prioritization that's really, really different on the OT side of the infrastructure," Cristiano said.
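The three steps Cristiano describes (asset identification, vulnerability scoring, prioritization) can be sketched as a small scoring pass over an inventory. The example below is added here and is not Rockwell Automation's method or code; the inventory is constructed, and the criticality weights, the exposure and age factors and the control choices are assumptions chosen to show why OT prioritization diverges from an IT-style "highest CVSS first" list: a serial-only legacy PLC with a critical CVE can rank below an Ethernet-reachable historian with a medium one, because the ranking is driven by process criticality and reachability rather than by the advisory score alone.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class OtAsset:
    """One row of an OT asset inventory (fields are an assumed schema)."""
    name: str
    asset_type: str           # PLC, HMI, historian, ...
    protocol: str             # Modbus/TCP, EtherNet/IP, serial RS-485, OPC UA, ...
    install_year: int
    criticality: int          # 1 = noncritical ... 4 = super-critical, assigned by plant engineers
    cvss_max: float           # highest CVSS base score among known advisories, 0.0 if none
    ethernet_reachable: bool  # reachable from the plant LAN / IDMZ (serial-only devices are not)


# Constructed sample inventory: names, years and scores are illustrative, not real plant data.
INVENTORY = [
    OtAsset("PLC-Boiler-1", "PLC", "Modbus/TCP", 2004, 4, 9.8, True),
    OtAsset("HMI-Line-3", "HMI", "EtherNet/IP", 2015, 3, 7.5, True),
    OtAsset("PLC-Conveyor-7", "PLC", "serial RS-485", 1999, 2, 9.8, False),
    OtAsset("Historian-01", "historian", "OPC UA", 2021, 2, 5.3, True),
    OtAsset("Test-Bench-PLC", "PLC", "EtherNet/IP", 2020, 1, 0.0, True),
]

# Assumed weights (not from the article): process criticality dominates the score,
# then network exposure and the vulnerability score, with a bump for legacy equipment
# that cannot simply be patched.
CRIT_WEIGHT = {1: 1, 2: 2, 3: 4, 4: 8}
LEGACY_AGE_YEARS = 15


def is_legacy(asset: OtAsset, current_year: int = 2023) -> bool:
    return current_year - asset.install_year >= LEGACY_AGE_YEARS


def score_asset(asset: OtAsset, current_year: int = 2023) -> float:
    """Priority score: criticality weight x (1 + CVSS/10) x exposure x age factor."""
    exposure = 1.0 if asset.ethernet_reachable else 0.5   # serial-only devices need a foothold first
    age = 1.5 if is_legacy(asset, current_year) else 1.0   # legacy gear is harder to remediate
    vuln = 1.0 + asset.cvss_max / 10.0                     # 1.0 (no known CVE) .. 2.0 (CVSS 10)
    return round(CRIT_WEIGHT[asset.criticality] * vuln * exposure * age, 2)


def prioritize(inventory, current_year: int = 2023):
    """Return (name, score) pairs, highest priority first."""
    scored = ((a.name, score_asset(a, current_year)) for a in inventory)
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def controls_for(asset: OtAsset, current_year: int = 2023):
    """Illustrative control selection (assumption): super-critical and legacy assets get
    compensating controls rather than the IT-style scan-and-patch treatment."""
    legacy = is_legacy(asset, current_year)
    controls = []
    if asset.criticality >= 3 or legacy:
        controls.append("passive monitoring only (no active vulnerability scanning)")
    else:
        controls.append("authenticated vulnerability scan in the next maintenance window")
    if asset.ethernet_reachable:
        controls.append("segment behind a firewall/IDMZ with allow-listed protocols")
    if legacy:
        controls.append("compensating controls and vendor-approved firmware only")
    return controls


if __name__ == "__main__":
    for name, score in prioritize(INVENTORY):
        print(f"{score:6.2f}  {name}")
```

Running it ranks PLC-Boiler-1 first (super-critical, reachable, legacy, critical CVE) and places the isolated serial PLC-Conveyor-7 below Historian-01 despite its higher CVSS, which is the kind of ordering an IT vulnerability scanner's report would invert.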