By Dick Bussiere, Technical Director for APAC, Tenable
Over the last few years, digital transformation in critical infrastructure has expanded the threat landscape, making critical Indian infrastructure systems such as gas, water supply and government services more vulnerable to cyberattacks. India tops a list of 20 countries with critical infrastructure installations still using default authentication credentials, an exposure that requires no exploit to abuse. With over 80% of government services digitized and remote access enabled for employees, the attack surface is constantly expanding and evolving. That may be why nearly 360,000 cyberattacks were recorded on Indian Critical Information Infrastructure between October 2021 and April 2022. In light of the heightened threat to critical systems, a new National Cybersecurity Policy is in the works in India that aims to set out strategies for securing the country’s critical systems.
At present, all critical infrastructure organizations face the same pressure to pursue digital transformation in their quest for efficiency and to accommodate the needs of a remote workforce. This transformation is forcing cooperation between entities that used to operate independently of each other, resulting in increased interconnectivity and an increased likelihood that malicious activity can pivot from one organization to another very quickly. This enhanced interconnectivity may also have a direct or indirect impact on critical operational technology (OT) environments.
Interconnectivity between the cloud, IT networks and OT networks is accelerating. We are seeing additional intelligent devices penetrating the formerly insulated OT world, improving productivity, connectivity and cooperation between different entities with common interests. Remote access for workers and vendors is also being provided to enhance productivity and speed in reacting to issues that may occur within critical segments. However, such IT/OT convergence is rapidly increasing the threat surface in new and often unanticipated ways.
The risk of doing nothing is costly and the damage so profound that it may take years to recover from a major incident. Let’s consider some of the risks that these trends are leading to.
Risk to reputation: Nobody wants their organization to be in the headlines for the wrong reason. On May 7, 2021, Colonial Pipeline in the United States was hit with a ransomware attack that caused the company to shut its operations for six days. The compromise affected business systems located in the organization’s IT environment. The OT systems that control the pipeline itself were not directly accessed in the attack, but management was not aware of possible connections between the OT and IT environments. This lack of knowledge of interconnectivity contributed to Colonial Pipeline’s decision to shut down pipeline operations.
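The Colonial Pipeline decision above turned on not knowing which connections existed between the IT and OT environments. As an added example (not from the article and not Tenable's own tooling), the Python below takes a small set of constructed flow records, maps each address to an IT, OT or DMZ zone using assumed address ranges, and reports every cross-zone flow that is not on an assumed allow-list. That inventory of conduits is what tells management whether a business-network compromise can actually reach the control network.

```python
import ipaddress
from collections import defaultdict

# Hypothetical zone map (assumed ranges for this example, not from the article):
# which address ranges belong to the IT network, the OT network and the DMZ.
ZONES = {
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
    "OT": [ipaddress.ip_network("192.168.50.0/24"),
           ipaddress.ip_network("192.168.51.0/24")],
    "DMZ": [ipaddress.ip_network("172.16.1.0/24")],
}

# Cross-zone conduits that are expected: (src_zone, dst_zone, dst_port).
# Anything else that crosses a zone boundary is reported. Assumed policy.
ALLOWED_CROSS_ZONE = {
    ("IT", "DMZ", 443),   # IT users reach the historian mirror in the DMZ over HTTPS
    ("DMZ", "OT", 502),   # only the DMZ relay may speak Modbus/TCP into OT
}


def zone_of(ip):
    """Return the zone name for an IP address, or UNKNOWN if it is unmapped."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in n for n in nets):
            return name
    return "UNKNOWN"


def parse_flow(line):
    """Parse one constructed flow-log line: 'src_ip src_port dst_ip dst_port proto bytes'."""
    src, sport, dst, dport, proto, nbytes = line.split()
    return {"src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto, "bytes": int(nbytes)}


def find_unexpected_cross_zone(lines):
    """Return every flow that crosses a zone boundary without an allow-list entry."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = parse_flow(line)
        sz, dz = zone_of(f["src"]), zone_of(f["dst"])
        if sz == dz:
            continue  # intra-zone traffic is out of scope for this check
        if (sz, dz, f["dport"]) in ALLOWED_CROSS_ZONE:
            continue
        findings.append((sz, dz, f["src"], f["dst"], f["dport"], f["proto"]))
    return findings


def summarize(findings):
    """Count unexpected flows per (src_zone, dst_zone) pair."""
    counts = defaultdict(int)
    for sz, dz, *_ in findings:
        counts[(sz, dz)] += 1
    return dict(counts)


# Constructed sample flows, not real traffic.
SAMPLE_FLOWS = """\
# constructed sample, not real traffic
10.10.4.21 51022 172.16.1.5 443 tcp 18200
172.16.1.5 40123 192.168.50.10 502 tcp 920
10.10.7.33 52010 192.168.50.10 502 tcp 640
10.10.7.33 52011 192.168.51.7 44818 tcp 1400
192.168.50.12 33001 10.10.9.2 445 tcp 75000
10.10.4.21 51030 10.10.9.2 445 tcp 2200
""".splitlines()

if __name__ == "__main__":
    hits = find_unexpected_cross_zone(SAMPLE_FLOWS)
    for sz, dz, src, dst, dport, proto in hits:
        print(f"{sz}->{dz}: {src} -> {dst}:{dport}/{proto}")
    print(summarize(hits))
```

On the constructed sample this flags an IT host talking Modbus and EtherNet/IP directly into OT, bypassing the DMZ relay, and an OT host reaching an IT file share over SMB. In practice the flow lines would come from firewall logs, NetFlow/IPFIX or a span-port sensor; the point is to enumerate the conduits rather than assume they do not exist.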
There is also the personal reputation of the individual who holds fiduciary responsibility for the organization. In that respect a CISO is like the captain of a ship: Captain Smith was in bed when the Titanic struck the iceberg, yet he was still held accountable for the sinking. The same is true of any C-level executive responsible for an organization’s security when it is attacked. Trust, once lost, is almost impossible to regain.
Financial risk: A good example of the financial impact of a compromise comes from the automotive industry, where one hour of production downtime costs roughly $1.3M, about $22,000 for every minute. Organizations should work out the cost of production downtime so they understand the total lost revenue if operational systems were shut down by an attack. The cost is magnified when an organization is part of a larger supply chain: an outage can ripple through to customers and trigger financial penalties for contractual service level agreement (SLA) violations.
Risk to safety: As IT and OT systems become increasingly interconnected, even well-managed critical infrastructure sectors remain at risk. Industries such as mining, chemical processing and fuel pipelines already have safety systems in place to prevent the destruction of physical infrastructure and bodily harm or loss of life. But as organizations interconnect their IT and OT systems in the pursuit of efficiency, more of those control settings become digitized, and the network infrastructure and computerized devices become intrinsic to maintaining safety. This is one of the most important things to understand: a compromise of those devices is a safety issue, not only an information security one.
Regulatory issues: Organizations typically must comply with minimum safety regulations, and those regulations are beginning to include cybersecurity requirements. The integrity of computer and network devices, along with that of the OT devices themselves, is essential to how safe a workplace is. Complying with minimum cybersecurity standards within critical infrastructure therefore requires adequately monitoring that infrastructure, which also provides a provable record that the minimum standards are being enforced.
Prompt action is required
According to Tenable’s vulnerability data, organizations in the financial services and energy sectors take a median of 12 days to remediate a critical vulnerability. Organizations in the healthcare and manufacturing sectors, by contrast, average twice as many critical vulnerabilities per device as their financial services and energy counterparts, and remediation takes a median of 29 days for manufacturing organizations and 32 days for healthcare organizations. The longer a vulnerability is left unpatched, the greater the advantage it presents to attackers.
While there is no one-size-fits-all approach to securing critical infrastructure, CISOs need to take a more proactive approach to cybersecurity. Many organizations do not take cyber risk seriously enough, so they have never asked themselves the basic question: which cyber vulnerabilities pose the greatest risk to critical business operations? Others do analyze their risks but decide to react only if an attack occurs, on the assumption that the chances of one are minimal. Given the rising number of attacks, experience across the industry has repeatedly shown that cleaning up and recovering from an attack costs more than investing in a defensive posture would have.