Protecting Critical Industrial Systems from Cyberattacks


October 13, 2022 - As ransomware attacks have become commonplace and increasingly brazen, no sector is immune to these threats. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms.

In Digital Trust’s previous blog, “Understanding Cyberattacks,” Kristin Demoranville, Global Practice Director of Cyber, Risk, and Advisory, emphasized the need for organizational cybersecurity initiatives and covered the top five types of cyberattacks businesses should be most concerned about: malware (more commonly known as ransomware), phishing, Man-in-the-Middle (MITM) attacks, Denial-of-Service (DoS) attacks, and Internet of Things (IoT) attacks.

As we become more aware of the various types of cyberattacks, it will become easier for organizations to protect their networks and systems against them. Ransomware is particularly dangerous, especially on critical industrial systems that impact large areas, because it holds data hostage and won’t release that data without payment to the attacker.

Critical industrial systems are predominantly found in the industrial sectors, critical infrastructures, and support industries such as electrical, water and wastewater, oil and natural gas, chemical, transportation, telecommunications, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (e.g., automotive, aerospace, and durable goods).

Unlike with IT systems, when these systems are compromised, the ripple effect of their failure is felt at a societal level through disruptions such as power blackouts, transportation blockages, and loss of integrity and security within the supply chain. In 2021, there were 22 reported significant disruptions to critical industrial systems. Some of the most prominent incidents occurred in May 2021, with disruption seen at Molson Coors, Sierra Wireless, Ardagh Group, Colonial Pipeline, and JBS Meats.

The Colonial Pipeline ransomware incident, for example, incapacitated the largest gasoline pipeline in North America for a week and resulted in widespread gasoline shortages in the southeast region of the U.S., impacting power, utilities, and transportation.

Critical industrial systems are particularly vulnerable to attacks because it is more difficult to deploy traditional cybersecurity tools on them. This is further compounded because most of these systems are not managed by the IT department, but by operational technology (OT) engineers who are oftentimes not aware of the cybersecurity risk or implications. OT engineers are naturally focused on the safety and availability of the systems, with a secondary concern for confidentiality and security. This makes industrial systems “easy targets” for cyber-attackers, who know that the standard cybersecurity defenses are highly unlikely to be deployed in protection of these assets. Additionally, when critical industrial systems are compromised, the organization will suffer near instantaneous and drastic financial impact. This makes it highly likely that the organization will seek to mitigate the impact by promptly paying any ransom to recover its operational status.

To better protect critical industrial systems from cyberattacks, there are a few steps proactive organizations can take:

  1. Create an asset inventory: you simply can’t protect what you don’t know you have.
  2. Bridge the gaps between your IT and OT functions: establish coordination points between the two teams and identify the core controls and policies that apply to both IT and OT.
  3. Clean up your past: most companies seek to run before they walk; take the time to clean up your past and secure legacy systems with vulnerabilities.
  4. Monitor your present: establish a continuous security monitoring capability for your OT assets.
  5. Plan for the future: think about future sector developments and how OT technologies will evolve, embedding principles of security by design.
  6. Leverage specialist software to analyze your OT environment to identify changes to assets, communication links, vulnerabilities, and potential attack vectors.
  7. Do the work: don’t treat this as a project with an end state; it requires ongoing activities to be sustainable.

Organizations managing such systems must realize the societal responsibilities they hold and recognize that, unlike in IT, failures in this area have a much broader impact and need to be addressed both in the short and long term.

This article was originally published in Authority Magazine on September 18, 2022 under the title “Mark Brown on What We Must Do To Protect Critical Industrial Systems From Cyber Attacks.” The content has been modified and condensed for this blog. Refer to the full article for Mark Brown’s complete insights on this topic. For more on Digital Trust and Environmental, Health, and Safety topics that should be at the top of your organization’s list, visit BSI’s Experts Corner.