Impact of OT vulnerabilities in securing critical infrastructures
The term critical infrastructure relates to a group of systems and networks that are essential for the continued operation of a nation. Financial services, energy, communication, food and agriculture, healthcare, and emergency services are among the sixteen critical infrastructures identified in India. Needless to say, they play a vital role in helping a country function smoothly and must be protected from both internal and external intrusions.
In the last few years, India’s CERT-In (Computer Emergency Response Team) and National Critical Infrastructure Protection Centre (NCIIPC) have noted several attacks on India’s critical infrastructure. There are rising instances of attacks looking to exploit OT systems – the ransomware attack on a US pipeline company, blackouts in Mumbai in October 2020, the outage at the National Stock Exchange (NSE) in 2021, attacks the power grid systems in Ladakh and more recently, a cyberattack in IT systems of Oil India Limited (OIL) in April 2022.
Cyberattacks on critical infrastructure may have a material impact on operations spanning beyond information leakage to equipment damage, safety concerns for employees, or have the potential to cause a major environmental incident. Therefore, the collaboration between public and private sectors on security is critical; and efforts to improve cybersecurity must be based on effective risk management of a dynamic and ever-evolving set of threats. Industry collaboration will help in delivering effective security solutions as businesses across all verticals continue to face unprecedented challenges particularly as cyberattacks continue to increase in numbers and sophistication.
CrowdStrike’s Falcon OverWatch Threat Hunting report 2022 highlights how threat hunters identified more than 77,000 potential intrusions or approximately one every seven minutes in the year to the end of June 2022. The report also showed that technology was the top industry targeted for interactive intrusions. The frequency, scale, and impact of recent incidents have demonstrated just how important cybersecurity is in protecting business of all sizes but in particular critical assets.
Critical infrastructure, such as government services and defence, are appealing targets for state-based cyber attackers as both an opportunity to gather intelligence, operational information as well as to cause disruption to a nation given the geo-political tensions that exist today.
In fact, according to media reports, NCIIPC is looking to create a CSIRT team at the Central Electricity Authority in a bid to avert cyberattacks on the country’s power grid. With a high level of dependency and real-time connectivity, critical infrastructure assets are vulnerable to threats. One attack on a single point of failure could result in the disruption of multiple vital systems in the country.
For example, the attack on Colonial Pipeline occurred in 2021 interrupted operations widely until the ransom was paid. For the target company, the attack led to uncertainty about the security of its operational technology (OT) systems, given concerns of having adequate network segmentation and security controls in place. This type of collateral damage not only impacts the availability of the process control environment but can also compromise the safety of personnel and citizens.
CrowdStrike’s Global Threat Report 2022 highlighted how state-sponsored adversaries weaponized vulnerabilities to evade detection and gain access to critical applications and infrastructure. As per the report, in 2021, China-nexus actors emerged as the leader in vulnerability exploitation and shifted tactics to increasingly target internet-facing devices and services like Microsoft Exchange. Similar strategies, techniques, and processes that have been utilised against IT systems are now being used against OT systems highlighting the need for an organisation-wide strategy for cyber resilience that provides IT and OT security.
India is one of the fastest-growing economies in the world. With a large population of tech-savvy youth and a big governmental push towards digitalization, India has seen exponential growth in digital data. Organisations across India have been grappling with cyber threats brought about by the growing adoption of the internet of things (IoT), cloud applications and digital supply chains with huge volumes of data.
The increasing convergence of IT, OT and IoT also rapidly expanded the attack surface and number of threat vectors. PWC listed the convergence of IT and OT as one of the emerging cyber risks in their 2023 Global Digital Trust Insights report. In fact, 29% of large organisations expect an OT attack.
As OT and IT become increasingly interconnected, organizations must adopt wider capabilities able to secure the two environments’ people, processes and systems; they need to build visibility and detection and response capabilities across both environments.
As organisations evolve through digital transformation projects or new working environments, it’s critical to have visibility into all assets related to the organisation. As such, having robust external attack surface management (EASM) will be essential to the strength of the broader enterprise security posture. What it means is to have an outside-in perspective of an organization’s global external risk, understanding where shadow IT, legacy systems, and vulnerable and unknown assets expose enterprises to additional risk before attackers can exploit them.
As cybersecurity moves up the corporate agenda, CISOs should focus on security transformation. They should work with CIO, CTO and other C-Suite executives to separate IT from OT, develop secure landing zones that protect OT from direct access, and train employees on proper access and incident response roles.
A report by Gartner predicted that by 2025, a single, centralised cybersecurity function will not be agile enough to meet the needs of digital organisations. There would be an emphasis on CISOs reconceptualising their responsibility matrix to empower the board of directors and CEOs. CISOs should be responsible for ensuring a security-first approach is adopted across the business, and that employees are educated and prepared to play their part in protecting the organization from vulnerabilities. They should identify and address the security risk associated with a shift in digital approaches and adoption.
They should look to the future to identify how the business maintains a robust cybersecurity posture by scaling its cybersecurity solutions as the threat landscape evolves and adversaries further develop their tools, techniques and procedures (TTP). Incident Response (IR) teams should play a significant role in establishing the right processes as they help conduct red/blue team and tabletop exercises to test the sturdiness of a company’s security structure. Simulations are usually most effective when they include third parties such as law enforcement, public-sector industry groups, key customers and suppliers.
Organisations should adopt ML-based solutions, along with identity-based Zero Trust architectures and extended detection and response (XDR) capabilities to properly defend against modern threats across a new and increasingly complex IT architecture. XDR is an effective approach to threat detection and response that provides holistic protection. Mapping IT-OT interdependencies will also enable organisations to grasp quickly the full resulting implications of a ransomware attack against any one part of the organisation.
Today’s security landscape is challenging, evolving with myriad threats and technology solutions. Organisations can have significant blind spots and limited visibility to assets such as legacy systems or unknown infrastructure. This exposure to the threat landscape has the potential to be incredibly damaging for the organisation which may be unaware and struggle to understand the risk involved.
Organisations cannot secure and defend the assets they do not know exist, and without visibility, there is no threat detection or protection against adversaries. This creates a race between adversaries and companies’ teams to locate these blind spots.
To address this challenge, CrowdStrike recently announced it is extending security hygiene across ICS, IT and OT environments with Falcon Discover for IoT. It helps to:
● Accelerate the IT/OT convergence with a centralized and up-to-date inventory of all IT, OT and IoT assets, combined with advanced behavioural analytics that helps identify and mitigate potential risks associated with connected devices and networks
● Eliminate blind spots associated with unmanaged or unsupported legacy systems and quickly uncover hidden threats with deep, contextual visibility and analysis across IT and OT environments
● Integrate seamlessly with third-party IoT security vendors to enrich asset and network visibility and achieve a comprehensive understanding of all IT and OT managed and unmanaged devices, sessions and processes across ICS/OT environments.
It leverages CrowdStrike Asset Graph to provide contextual endpoint and network asset data to pinpoint unsupported and unmanaged devices that could lead to a breach. We believe this will be an area of utmost importance for security teams moving forward.
In addition, CrowdStrike provides threat intelligence, threat hunting and incident response service along with a unified platform of cybersecurity solutions providing comprehensive visibility and protection across an organization’s critical areas of risk: endpoints, workloads, data, and identity.