Though cyber security experts have long warned of the threats to nations’ critical infrastructure, recent incidents are now opening the eyes of business and political leaders to the ecosystem risks of the world’s connected utility networks, power grids and other essential services.
Plugging these security gaps will require collaborative strategies — both ‘inside’ and ‘beyond the box’ — among business, governments and the tech sector, to try to remedy ecosystem weaknesses that could cause massive disruption, financial damage or loss of life.
Overlooked ecosystem risks
While industry and governments have invested heavily in cyber security — building cyber ‘walls’ around internal company networks and legislating national security guidelines for domestic industries — less attention is paid to the risks posed ‘outside the box’, by the growing web of interconnected infrastructure.
Recent headlines are jarring, including images of shuttered gas stations and grounded airliners after a ransomware attack on a major U.S. pipeline company. Similarly, news bulletins described how patient treatments were suspended in Irish hospitals after a crippling hack on the national health system. Suddenly, it’s clear how a single attack on a seemingly isolated computer system can spill across an entire supply chain or disrupt vital public services.
For business or political leaders who are now asking, ‘How could this happen? part of the answer lies in the adoption of IT functionality across industry’s operational environments. Many infrastructure operators have embraced IT innovation to better manage their operations and reduce costs, including remote operating capability so a company production asset can be managed from central location or even remote (anywhere, anytime).
Such innovation can bring significant benefits; however, it has often challenged Operations Technology teams, who were focused on physical protection of assets, rather than emerging, external cyber risks. Although many business systems are vigilantly guarded against cyber threats, operational systems haven’t always enjoyed the same security scrutiny. And, with the rise of interconnectivity between a company, its customers, suppliers, and even government partners, cyber threats can arrive from many sources — and spark unexpected consequences, near and far.
More effort, inside the box:
Despite efforts by leading companies to protect their systems, there is still much work to be done by many organizations. In my view, many high-profile ransomware attacks could have been avoided or at least reduced. And, many companies are still not meeting a minimum level of cyber security to fend off such attacks.
Segmentation of a company’s distributed network would reduce the risks, since firewall separations between key areas would make it easy to shut down and isolate a cyber hack. We must also ask whether companies are investing enough to keep their operational environments up to date and address the costs of replacing legacy systems; whether the avoidance of scheduled maintenance shutdowns that could impact production has led to issues; or if companies should do more to ‘push’ their technology vendors to deliver adequate updates to aging industrial systems. Whatever the answer is to these questions, it seems that many operational systems languish with outdated functionality and lack much-needed security upgrades.
Also, an enduring ‘people culture’ within many organizations can stall their cyber security efforts. While operations teams may lack cyber-savvy, the issue may originate at the supervisory and executive board level, where leaders are not familiar with their own operational assets, nor understand their ecosystem dependencies. This culture may extend to front-line employees who aren’t adequately trained on basic “Don’t click the link” cyber-safe practices, nor are they encouraged to report operational issues or glitches that create vulnerabilities to future cyber-attacks.
The excerpt was taken from KPMG in the Netherlands Partner Ronald Heil’s blog post entitled Cyber Security Gaps in Infrastructure.