Operational Technology (OT) is at a growing risk of cyberattack, bringing with it the danger of far-reaching and costly impacts. But OT in most traditional heavy industries and infrastructure facilities have been run in silos behind ‘air gaps’ for so long that the Board assumes they are safe from attack.
“Traditional approaches are no longer enough to secure heavy industry and infrastructure from cyberattacks,” warns Mike Bergen of GECI International, which specialises in advanced cybersecurity solutions for both administrative (IT) and industrial environments.
“The traditional ‘air gap’ between IT and OT is closing amid new business requirements associated with digitalisation, and this is increasing the potential attack surface and hence the cyber risk,” he says. “We see a growing trend for ransomware and crippling attacks launched against key systems that keep infrastructure and societies functioning worldwide.”
But motivating for additional spend on top of existing, traditional cybersecurity budgets can be challenging.
Bergen recommends outlining the significant risks the organisation could face in the event of an attack, including costly production outages leading to financial losses, catastrophic safety failures and environmental damage leading to potential liability issues, or theft of corporate IP resulting in a loss of competitive advantage.
GECI partner CyberX notes that the discussion with the Board around OT security should be framed as a strategic one, rather than a technology issue. Key factors to be considered are risk management and regulatory and compliance requirements – particularly in those organisations providing essential services such as energy, water, health care, banking and financial services and digital infrastructure.
Key metrics on system maturity and risk should be presented to the Board in an unambiguous, comprehensive and understandable way. These metrics should be directly linked to enterprise goals and strategies and clearly measure the consequences of alternatives. Importantly, potential financial losses should be modelled to present a financially based position statement on the importance of securing industrial and OT assets.
CyberX advises presenting to the Board with a focus on facts, risks, the future, and actionable plans; including a mapping of the current cybersecurity framework to an accepted maturity model. The Board should also be alerted to any known threats and the potential business risk of each.
“Given the potential implications to the health and safety of human lives, environmental damage, financial losses, and in a worst-case scenario the very ability of a society to function, it’s important that OT network security is addressed in a manner like IT network security – including having board-level visibility,” CyberX notes.
Bergen said, “Thousands of attacks are getting through even the best organisational defences. The South African Banking Risk Information Centre (SABRIC) states that South Africa has the third-highest number of cybercrime victims worldwide, losing about R2.2 billion a year to cyberattacks.
In the U.S. for example, 53 cities were hit last year by ransomware attacks, usually demanding hundreds of thousands of dollars to reinstate the victim’s systems. In the first 6 months of this year, 25 to 30 more U.S. cities were attacked, and in August 23 cities in Texas alone were hit by ransomware. Dozens of large and small companies worldwide have also suffered costly attacks recently. In this country, a much-publicised attack on Johannesburg’s City Power was met with shock, particularly by electricity clients in that city. More than a month after the attack, they are still dealing with the damage caused. But that is just the beginning. South Africa is a wide-open cybersecurity target market. And as the doors close for cybercriminals overseas, they will be heading to our shores. It’s no longer a matter of “IF”, but “WHEN” you will be attacked.”