Winning the Cyber-Physical Battle in OT Security

As the last couple of years have made clear, critical infrastructure is under attack. As discussed in the 2H 2022 FortiGuard Labs Threat Report, criminals are going after everything from power grids to public transportation. Although these targets aren’t necessarily new for bad actors, what is new is that the attacks stopped being just a physical security problem and became a major cybersecurity problem too.  
The good news is that there’s now much wider recognition of this fact and that even at the national level, action is being taken. To truly tackle this challenge head on, cyber and physical security will need to be addressed together in ways the two functions previously haven’t been.

Why cyberattacks on OT are easier than ever

It’s easy to understand why operational technology (OT) and critical infrastructure have become major targets for bad actors. Businesses and production lines rely on OT to produce goods and deliver critical services, so an attack on these systems has an outsized impact. In other words, it’s a lot of bang for the buck.
The variety of targets that make up OT and critical infrastructure has expanded over the past few years. As work from anywhere has progressed, some attacks have even reached OT systems through compromised home networks and the devices used by remote workers.
For cybercriminals, attacking these systems has also been made much easier thanks to the convergence of IT and OT networks. The advent of cybercrime-as-a-service (CaaS) and ransomware-as-a-service (RaaS) has made it so that bad actors can buy attack tools like phishing kits, DDoS-for-hire, and ransomware on the dark web. RaaS programs eliminate the need for attackers to write their own malicious code, which means even inexperienced cybercriminals can successfully target people, businesses, and other organizations for a quick payday.

Taking action on the cyber front

The key is to be proactive. Every time the cost of security readiness has been weighed against the cost of an incident, the upfront investment in security and incident response planning has come out far cheaper than the resulting damage. The average cost of a data breach in enterprise environments is more than $4 million, and in operational technology that cost can be significantly greater, because production downtime and supply chain disruption come into play.

Organizations must consider “what if” scenarios. For example, how much will it cost if a production line is down for eight hours as opposed to two days? It helps to put such risks into perspective and recognize that paying for security up front nearly always results in significantly lower costs.

A zero-trust security approach is a good initial step to take. Enterprises can no longer assume that a device should have access to everything just because it is linked to the network. By “never trusting, always verifying,” a zero-trust solution ensures that users and devices get access only to the resources that are essential for their role, and that each request is checked against identity and device posture rather than network location. Limiting access is crucial, especially as OT personnel become increasingly dispersed and remote and as IT and OT convergence continues.
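To make the “never trust, always verify” idea concrete, here is an added example (not code from the article or from Fortinet) of a minimal access decision for OT resources. Every request is judged on the requester’s role, whether MFA was completed, and whether the device is managed; the network the request arrives from is recorded for audit but is deliberately not an input to the decision. The role names, resource names and the allowlist are hypothetical.

```python
"""Added example: a default-deny, role-scoped access decision for OT resources.
Role and resource names below are hypothetical placeholders."""

from __future__ import annotations
from dataclasses import dataclass

# Hypothetical role -> resource allowlist. Anything not listed is denied.
ROLE_POLICY = {
    "ot-engineer": {"plc-line1:engineering", "historian:read"},
    "ot-operator": {"hmi-line1:operate", "historian:read"},
    "it-helpdesk": {"jumphost:ssh"},
}

# Resources that can change process state require a stronger device posture.
HIGH_IMPACT = {"plc-line1:engineering", "hmi-line1:operate"}


@dataclass
class Request:
    user: str
    role: str
    resource: str
    mfa: bool             # MFA completed in this session
    device_managed: bool  # device is enrolled and policy-compliant
    network: str          # kept for the audit trail only; never used to decide


def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). The default outcome is deny."""
    allowed = ROLE_POLICY.get(req.role, set())
    if req.resource not in allowed:
        return False, f"{req.resource} is not in the allowlist for role {req.role}"
    if not req.mfa:
        return False, "MFA not completed"
    if req.resource in HIGH_IMPACT and not req.device_managed:
        return False, "high-impact resource requires a managed device"
    return True, "policy match"


def audit_line(req: Request) -> str:
    """One log line per decision, including the network for later correlation."""
    ok, reason = decide(req)
    verdict = "ALLOW" if ok else "DENY"
    return f"{verdict} user={req.user} role={req.role} resource={req.resource} net={req.network} reason={reason}"


if __name__ == "__main__":
    # Constructed requests: the same engineer from an unmanaged home device,
    # then from a managed one, and an operator on the plant LAN overreaching.
    for r in (
        Request("alice", "ot-engineer", "plc-line1:engineering", True, False, "home-vpn"),
        Request("alice", "ot-engineer", "plc-line1:engineering", True, True, "home-vpn"),
        Request("bob", "ot-operator", "plc-line1:engineering", True, True, "plant-lan"),
        Request("eve", "contractor", "historian:read", True, True, "plant-lan"),
    ):
        print(audit_line(r))
```

The point of the design is in what is absent: there is no branch that grants access because the request came from the plant LAN, and a role the policy does not know about gets nothing. Being on the network buys the requester an audit entry, not access.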

Bringing physical security into the fold

While most of the current conversations are dominated by cybersecurity concerns around critical infrastructure, we can’t lose sight of how physical security also fits into this picture. By the very nature of most critical infrastructure, there’s a physical security component in addition to the cyber one. For instance, a power grid is a physical structure that needs to be protected; intruders need to be kept out. Cybercriminals don’t necessarily need to visit a site to gain access now that everything is connected. But that doesn’t mean they couldn’t. An intruder who gains access to a physical location can easily become a cybersecurity risk as well. So, it’s necessary to take both components seriously.

Those tasked with physically securing a plant or other structure are also collecting valuable information, via smart cards, door readers and such, that can and should be shared with those overseeing the cybersecurity. All physical assets require physical security. Imagine that there’s a generator outside a building that is secured with a lock on a chain, which is watched by a security camera. Who’s watching that video? It’s not the cybersecurity team.
Why is that significant? Consider another scenario. An employee moves through a secured facility with his ID badge, and security cameras capture him in every room. At the same time, the cybersecurity team notices anomalous activity on the network. The team will start investigating the issue, but they’ll have no idea that the employee could be the problem. And the physical security team doesn’t know anything about the network anomalies, so they’ll see no reason to stop and question the employee. Tighter correlation of information must occur in today’s cyber-physical environments: at a minimum, the SOC should be able to ask who was physically present near an affected asset when an alert fired.
Although it’s unlikely that physical and cybersecurity teams are going to fully converge, closer coordination will be key to protecting critical infrastructure holistically.
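The correlation described above can be automated once badge-reader events and network alerts are both available to the security team. The following is an added example, not code from the article or from Fortinet, that joins the two feeds by physical zone: for each network alert it looks up where the affected host physically sits and lists the badge holders whose last badge event in that zone was an entry within a configurable window. The log lines are constructed for the example, and the zone names and host-to-zone inventory are hypothetical.

```python
"""Added example: correlate badge-reader events with network alerts by zone.
All log lines are constructed; zone names and the asset inventory are hypothetical."""

from datetime import datetime, timedelta

# Constructed badge-reader log: time, badge holder, zone, direction.
BADGE_LOG = """\
2023-03-14T08:02:10 jdoe   lobby        in
2023-03-14T08:05:41 jdoe   control-room in
2023-03-14T08:06:03 msmith control-room in
2023-03-14T08:40:12 msmith control-room out
2023-03-14T09:12:55 jdoe   control-room out
2023-03-14T09:13:30 jdoe   mcc-room     in
"""

# Constructed network alerts: time, host, description.
NET_ALERTS = """\
2023-03-14T08:31:09 hist-01 new local admin account created
2023-03-14T09:20:47 plc-l1-eng unexpected PLC program download
2023-03-14T10:05:00 hmi-03 burst of failed logons
"""

# Hypothetical asset inventory: the zone each host physically lives in.
HOST_ZONE = {"hist-01": "control-room", "plc-l1-eng": "mcc-room", "hmi-03": "packaging"}

# A badge-in with no badge-out is treated as stale after this long
# (people tailgate out, readers fail, etc.).
PRESENCE_WINDOW = timedelta(hours=2)


def parse_badge(text):
    """Return [(timestamp, person, zone, direction)] sorted by time."""
    events = []
    for line in text.splitlines():
        ts, who, zone, direction = line.split()
        events.append((datetime.fromisoformat(ts), who, zone, direction))
    return sorted(events)


def parse_alerts(text):
    """Return [(timestamp, host, description)]."""
    alerts = []
    for line in text.splitlines():
        ts, host, desc = line.split(maxsplit=2)
        alerts.append((datetime.fromisoformat(ts), host, desc))
    return alerts


def present_in_zone(events, zone, at):
    """Badge holders whose most recent event in `zone` before `at` was an 'in'
    that is still inside PRESENCE_WINDOW."""
    last = {}
    for ts, who, z, direction in events:
        if z == zone and ts <= at:
            last[who] = (ts, direction)  # later events overwrite earlier ones
    return sorted(who for who, (ts, d) in last.items()
                  if d == "in" and at - ts <= PRESENCE_WINDOW)


def correlate(badge_text, alert_text):
    """For each alert, attach the zone of the affected host and who was there."""
    events = parse_badge(badge_text)
    results = []
    for ts, host, desc in parse_alerts(alert_text):
        zone = HOST_ZONE.get(host)  # None if the host is not in the inventory
        people = present_in_zone(events, zone, ts) if zone else []
        results.append({"time": ts, "host": host, "description": desc,
                        "zone": zone, "present": people})
    return results


if __name__ == "__main__":
    for r in correlate(BADGE_LOG, NET_ALERTS):
        who = ", ".join(r["present"]) or "nobody badged in"
        print(f"{r['time']:%H:%M:%S} {r['host']:<11} ({r['zone']}): {r['description']} -> {who}")
```

The join key is the zone from the asset inventory, which is the piece most organizations are missing: the SOC knows host names and the physical security team knows door names, and nobody has written down which hosts sit behind which doors. The presence window is a deliberate caveat; badge data only tells you when someone entered, not reliably when they left, so the correlation is a lead for an analyst, not proof.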

A collaborative approach

As criminals continue to target critical infrastructure, water supplies, hospitals, police stations, and more are at risk. All indicators suggest this risk is only increasing. OT security has never been more important – but securing critical infrastructure will require a partnership between physical security and cybersecurity. Use the information above to bring these two functions together for the greater good.

About The Author

Willi Nelson joined Fortinet as the CISO for Operational Technology in August 2022. He brings more than 25 years of experience in information security working across industry verticals such as healthcare, telecom, financials, manufacturing and life sciences.

Most recently with GlaxoSmithKline (GSK), he established and directed the Global OT Infrastructure Security team charged with monitoring and protecting the OT assets for GSK. Globally, the team deployed 43 additional controls across the OT landscape assessed against NIST CSF and aligned business units to embrace a unified model for security, incident response and risk reporting. During Willi’s tenure, he also oversaw the creation of the Security Organization and the Global Cyber Defense team for GSK’s Consumer Health startup (now called Haleon). Beyond building and leading the OT and Consumer Health security teams, he led the security team responsible for Cloud transformation for both IT and OT. Willi relies on a pragmatic and systematic approach to achieve company goals while also maturing the organizations and teams he leads.

Willi is a graduate of Rockhurst University in Kansas City, MO, USA and holds a CISSP (Certified Information Systems Security Professional) certification in good standing. Willi lives in NW Arkansas with his family. He’s an avid outdoorsman, cyclist, woodworker and veteran.