The complex nature of operational technology (OT) networks and the large-scale adoption of digital transformation technologies have been the main drivers of the convergence of IT and OT environments. Digital transformation has made reliable and timely data available, which in a data-driven world can transform the way business decisions are made in industrial enterprises. Routinely conducted processes generate a trove of data which, when leveraged, can deliver agile practices and the mindset changes that help adjust risk priorities in the industrial environment.
While these advancements have modernized legacy processes, streamlined workflows, bolstered the cybersecurity stance, and enhanced profitability, they have also forced a re-evaluation of cyber risk management within these environments and of the organization’s ability to assess its cyber risk posture.
Organizations typically carry out cybersecurity risk management to ensure the most critical threats are handled appropriately and in a timely manner, causing minimal organizational disruption. Traditionally, “risk assessment” throws light on the organization’s weak points, possible consequences of manipulating those vulnerabilities, and the viable ways to prevent such events from occurring, while delivering a snapshot at a particular point in time.
However, the process is largely carried out manually across vast industrial installations over expansive periods of time. Apart from being time-consuming, the manual approach is outdated at the very onset, as it relies on offline databases and tends to be carried out in a manual, error-prone manner, with limited scope and time. As a result, the results generated from such preliminary data may be flawed and unreliable, leading to erroneous conclusions and decisions.
Cyber-attacks have direct business impacts, such as production operations abruptly coming to a halt, massive financial losses, ransom payments, and leakage of corporate or customer-related confidential information, in addition to safety and environmental hazards. Depending upon the size and duration of the outage, productivity losses will vary according to the nature and scope of the attack.
Additionally, businesses recovering from cyber-attacks face increased costs associated with repairing the systems that have been affected along with the networks and devices, carrying out technical investigation, attorney fees, and associated litigation costs. Reputational damages also must be computed, often including loss of customer trust, brand loyalty, shareholder trust, and overall reputation. They may also have to bear insurance premium increases, increased costs to raise debt, loss of goodwill, and lost value of customer relationships.
A “next-generation” risk-based approach delivers a continuous, comprehensive, accurate, and contextual data mechanism that enables immediate actions and appropriate decisions using intelligence gathered from the industrial environments in real-time. Using a continuous, systematic approach to industrial risk assessment provides contextual and actionable data-driven results. These outputs can be further enhanced with external data, such as threat intelligence, to deliver more granular and explicit insights into the organization’s cybersecurity posture.
When accurate data collection is carried out in real-time and appropriately sorted for anomalies and aberrations, the organization can better understand risks and vulnerabilities.
Cyber risk management can and should evolve into a continuous process that covers detecting potential risks, assessing the probable impact of those risks, and planning how to respond if those risks crystallize. The process necessitates identifying industrial risks and vulnerabilities, prioritizing threats, adopting organizational actions to deal with the weaknesses, as well as arriving at comprehensive solutions to mitigate critical risks and vulnerabilities.
Cybersecurity attacks that target industrial environments and critical infrastructure sectors can have dangerous repercussions: because system and asset integrity are paramount, failures or downtime can be costly and potentially catastrophic. The tangible real-world impact of such strikes can endanger lives, disrupt day-to-day life and business operations, and impose financial damages on industrial firms. A recent example is the ransomware attack on Colonial Pipeline, which forced the company to cease operations while the incident was investigated. The measure caused fuel shortages across the U.S. east coast, apart from millions of dollars in losses.
Given the critical nature of OT systems, there is a pressing need to move away from merely ‘guesstimating’ risk to a data-driven approach that uses intelligence insights for a better and more informed decision-making process. Such benchmarks would decrease input variance on threat actor capabilities and resistance strength. They would also narrow the range of risk generated as an output value and focus defenders and resources on activities that will reduce the company’s inherent cyber risk.
The shift to a risk-based approach involves identifying and defining value tailored to the needs and parameters of the enterprise, based on the organization’s ‘crown jewels’, each assigned a priority level and a list of the vulnerabilities to which it is susceptible. In addition, it maps onto the enterprise-risk ecosystem, creating a virtual model or “digital image” of the organization’s network and applying the relevant risk factors, in order to obtain a clear and complete picture of the risk landscape and provide insights into the strategies for mitigating problems.
The risk approach takes organizational security risks into consideration, as well as the needs and budgetary constraints of the company so that a clear strategy can be developed. Once there is clarity as to the security measures that are needed and the prioritization of those measures, it is essential to implement solutions efficiently and effectively. Ongoing monitoring brings about an efficient cyber security risk management platform that provides continuous mapping and tracking to ensure the organization’s long-term health.
In the ever-changing OT environment, an annual risk assessment is no longer sufficient – in fact, it may be totally irrelevant. Gathering the necessary information and intelligence, carrying it through mitigation planning and implementation, and enabling continuous risk assessment and management have become indispensable for industrial environments. Given the evolving threat landscape, these installations need actionable intelligence from within the operating environment to zero in and act on anomalies and deviations. Continuous mapping and monitoring also help build a strong cybersecurity posture for the organization.
The shift from static to continuous monitoring gives the organization a continual review of the threat landscape and of the risk impact on its business processes, checking adherence to, and deviations from, their calculated effectiveness and performance levels. If networks are continually monitored for threats and risks, more hands-on and data-driven decisions can be made as to which risks should be mitigated and in what order of priority.
To calculate the risk to assets in the OT network, two factors must be considered – the likelihood of a successful cyber-attack and the impact of the attack. When analyzing OT networks, a cyber-attack can have both a business impact and a real-world impact, as OT networks control physical assets.
The likelihood factor considers the threat and adversary characteristics, the organization’s locale and its sector, the network vulnerabilities detected, and the mitigation controls installed by the organization. The sum of these components is multiplied by the impact, an assessment of the damage a cyber-attack would cause, per zone and network-overall. The resulting value is the potential risk, which CISOs or stakeholders can use to assess the state of the OT network and the effectiveness of security measures.
Using the resulting risk scores, decision-makers can create a long-term network security plan which accounts for both cyber and business considerations and prioritize mitigation measures based on criticality, impact on overall security, and available resources.
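The per-zone and network-overall calculation described above, as an added example that is not code from the article or from any vendor's product. It assumes a concrete form of the model the text describes: the likelihood drivers (threat, locale and sector, vulnerabilities) are summed, mitigation strength is subtracted, the result is scaled to 0..1 and multiplied by impact on a 0..10 scale; the network-overall score is taken to be the highest zone score. The component scales, the aggregation rule and the sample zones are all constructed assumptions.

```python
"""Per-zone OT risk scoring from likelihood and impact (added example).

Assumed model, following the article's description: likelihood is built
from threat/adversary characteristics, locale and sector, detected
vulnerabilities and installed mitigation controls; it is multiplied by
impact to give a risk score per zone, and the zones are aggregated to a
network-overall score.  The 0..1 component scales, the 0..10 impact scale,
the scaling rule and the sample zones are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    threat: float           # adversary capability and intent toward this zone, 0..1
    locale_sector: float    # exposure attributable to geography and sector, 0..1
    vulnerability: float    # detected, unmitigated weaknesses, 0..1
    mitigation: float       # strength of installed controls, 0..1 (lowers likelihood)
    business_impact: float  # cost of a successful attack to the business, 0..10
    physical_impact: float  # real-world consequence (safety, environment), 0..10


def likelihood(zone):
    """Sum the likelihood drivers, subtract mitigation strength, scale to 0..1."""
    raw = (zone.threat + zone.locale_sector + zone.vulnerability - zone.mitigation) / 3.0
    return min(1.0, max(0.0, raw))


def impact(zone):
    """OT attacks carry both business and physical consequences; score the worse one."""
    return max(zone.business_impact, zone.physical_impact)


def zone_risk(zone):
    """Risk = likelihood x impact, on a 0..10 scale."""
    return likelihood(zone) * impact(zone)


def score_network(zones):
    """Return ({zone name: risk}, network-overall risk).

    The overall score is the highest zone score: the network is treated as
    only as protected as its most exposed zone (an assumption of this example).
    """
    per_zone = {z.name: zone_risk(z) for z in zones}
    return per_zone, max(per_zone.values())


def prioritize(zones):
    """Order zones for mitigation work, highest risk first."""
    return sorted(zones, key=zone_risk, reverse=True)


# Constructed sample zones (not measurements from any real plant).
SAMPLE_ZONES = [
    Zone("safety instrumented system", 0.8, 0.6, 0.7, 0.5, 7.0, 10.0),
    Zone("plant DMZ historian",        0.7, 0.6, 0.9, 0.2, 6.0, 2.0),
    Zone("engineering workstations",   0.6, 0.6, 0.5, 0.8, 4.0, 6.0),
]

if __name__ == "__main__":
    per_zone, overall = score_network(SAMPLE_ZONES)
    for z in prioritize(SAMPLE_ZONES):
        print(f"{z.name:30s} likelihood={likelihood(z):.2f} "
              f"impact={impact(z):.0f} risk={per_zone[z.name]:.2f}")
    print(f"network-overall risk: {overall:.2f}")
```

Note how the historian zone, with the most detected vulnerabilities but a modest impact, ranks below the safety system, where a lower likelihood is multiplied by the maximum physical impact; this is the effect the text describes when it says prioritization must account for both criticality and impact, not vulnerability counts alone.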
The data-driven approach significantly reduces the inherent industrial cyber risk while keeping tabs on threat evolution. It ensures that the process of gathering intelligence is carried out methodically, producing actionable insights for management and operations. If the input data is not complete, accurate, and timely, then the resulting output is unreliable and irrelevant.
Reliable threat intelligence can be used to augment internally collected data. Threat intelligence can provide credible contextual data on who might attack, what their capabilities are, and what indicators of compromise are likely to be. This data can be absorbed into the continuous risk model to create even more robust, real-time insights.
For enterprise OT risk management, it is crucial to deploy operational threat intelligence that offers a continuous assessment of risk posture and medium-term prioritization of security mitigations, while strategic threat intelligence plays a role in more long-term planning. These estimations help to accurately identify where threat intelligence fits within an organization’s risk management and equip the industrial environment framework with more risk-driven standards.
The overarching view creates a self-learned network model, or digital network image, covering devices and device properties, device-specific vulnerabilities, connections and ports, communication protocols, and any other network characteristic. This “digital image” delivers an offline map of the network based on analysis of a representative amount of mirrored data traffic from across the network, making the process non-destructive and non-intrusive, as it does not affect actual network operations.
The digital image, being a true representation of the network, can be used by security teams to assess potential attack vectors and test appropriate mitigations needed to fend off these attacks. The digital image may be used within the industrial environment to look for potential risks and vulnerabilities. These inputs can be further processed to gauge the likely impact of these hazards.
Calculating an OT network exposure to risk and producing an overall network risk score is based on multiple datasets used to simulate numerous breach and attack scenarios – not something that can be achieved manually to any level of success.
A digital image enables industrial asset and network owners to employ sophisticated and “aggressive” techniques that they would not otherwise be able to utilize for fear of adversely impacting their production networks.
Having created a virtual map, industrial operators can test the system’s resilience using advanced OT breach attack simulation (OT-BAS). This will assess the capability of an organization’s cybersecurity system against known threat methods without affecting the actual network. Using a cyberthreat TTP (tactics, techniques and procedures) database, such as MITRE ATT&CK for ICS, security providers will be able to test the network against the latest known threats and provide prioritized recommendations for security upgrades where necessary.
Combining OT-BAS with statistical simulation techniques enables organizations to concentrate on obtaining data points on system vulnerability instead of merely stockpiling generic information. This pushes a data-driven approach of entering values into statistical simulation tools, eliminating guesswork and estimation out of OT environments, and allowing teams to anticipate the impact of potential threats through simulations of known attacks from a continuously updated global database. It can be further extended to simulate ‘What-if’ scenarios of mitigations to decide which course of action would be most suitable in light of the changes in the threat landscape.
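The statistical ‘what-if’ comparison of mitigations described above, as an added example that is not code from the article, from MITRE ATT&CK for ICS, or from any OT-BAS product. It assumes a simple model: an attack scenario is a chain of steps, each succeeding with some probability, and the scenario causes its impact only if every step succeeds; a mitigation scales the success probability of the steps it addresses. The scenario chains, probabilities, impacts and mitigation factors are constructed sample values, not figures from any real TTP database, and the mitigation names are illustrative.

```python
"""Monte Carlo what-if comparison of OT mitigations (added example).

Assumed model: an attack scenario is a chain of steps (e.g. gain remote
access, move laterally, reach the HMI); each step succeeds with a given
probability and the scenario causes its impact only if every step succeeds.
A mitigation scales the success probability of the steps it addresses.
All scenario chains, probabilities, impacts and mitigation factors below are
constructed sample values, not figures from any real TTP database.
"""
import random
from math import prod

SCENARIOS = [
    {"name": "remote access to HMI",
     "steps": {"remote_access": 0.3, "lateral_move": 0.5, "hmi_control": 0.6},
     "impact": 8.0},
    {"name": "removable media to engineering workstation",
     "steps": {"removable_media": 0.4, "eng_workstation": 0.5, "plc_write": 0.5},
     "impact": 10.0},
    {"name": "IT ransomware spreading into OT",
     "steps": {"phishing": 0.6, "lateral_move": 0.5, "historian": 0.7},
     "impact": 6.0},
]

# Each mitigation maps a step name to the factor its success probability is multiplied by.
MITIGATIONS = {
    "mfa on remote access": {"remote_access": 0.2},
    "IT/OT segmentation": {"lateral_move": 0.3},
    "USB device control": {"removable_media": 0.25},
}


def apply_mitigation(scenarios, mitigation=None):
    """Return a copy of the scenarios with the mitigation's factors applied."""
    factors = MITIGATIONS.get(mitigation, {}) if mitigation else {}
    return [{**s, "steps": {k: p * factors.get(k, 1.0) for k, p in s["steps"].items()}}
            for s in scenarios]


def expected_loss(scenarios, mitigation=None):
    """Closed form: sum over scenarios of P(all steps succeed) x impact."""
    return sum(prod(s["steps"].values()) * s["impact"]
               for s in apply_mitigation(scenarios, mitigation))


def simulate(scenarios, mitigation=None, trials=20000, seed=7):
    """Monte Carlo estimate of the same quantity.

    Overkill for this chain model, but the same loop works unchanged for
    models with dependent steps or sampled impacts, where no closed form exists.
    """
    rng = random.Random(seed)  # fixed seed so results are reproducible
    mitigated = apply_mitigation(scenarios, mitigation)
    total = 0.0
    for _ in range(trials):
        for s in mitigated:
            if all(rng.random() < p for p in s["steps"].values()):
                total += s["impact"]
    return total / trials


def rank_mitigations(scenarios):
    """Rank candidate mitigations by the expected loss that remains after applying each."""
    options = [(None, expected_loss(scenarios))]
    options += [(m, expected_loss(scenarios, m)) for m in MITIGATIONS]
    return sorted(options, key=lambda item: item[1])


if __name__ == "__main__":
    print(f"baseline expected loss (analytic): {expected_loss(SCENARIOS):.3f}")
    print(f"baseline expected loss (simulated): {simulate(SCENARIOS):.3f}")
    for name, loss in rank_mitigations(SCENARIOS):
        print(f"{name or 'no change':24s} -> {loss:.3f}")
```

The ranking shows why a simulation beats intuition: MFA on remote access shrinks the single scenario it touches the most, but segmentation cuts two chains at once and removes the most expected loss overall. Re-running the ranking whenever scenario probabilities are refreshed from a TTP database is the continuous ‘what-if’ loop the text describes.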
Too many industrial enterprises and critical infrastructure networks are being threatened and compromised. There is an urgent need for a fundamental change in the approach to industrial cyber risk management. Given the critical nature of these environments and the dangers inherent in the existing data models, one must focus on data-driven, contextual metrics obtained in real-time from within the operating environment to ascertain the cybersecurity posture of the industrial operations.
To change the outcome, a new paradigm is required. OT and IT cybersecurity teams need new tools that will shift the balance back in their favor, and management needs accurate, reliable insights to make crucial decisions faster. A data-driven approach to cyber risk management, along with the “digital image” and “OT-BAS” concepts outlined in this chapter, will empower industrial organizations to bolster their cybersecurity posture by systematically identifying and reducing inherent cyber risk.
The article was published as part of the Industrial Cyber eBook on Cyber Risk Management.