Cyber attacks of the future: weaponising OT environments to kill

By 2025, cyber attackers could be capable of weaponising operational technology (OT) environments to successfully harm or kill humans, according to a report by Gartner, Inc. Security incidents in OT and other cyber-physical systems (CPS) have three motivations: actual harm, commercial vandalism (reduced output) and reputational vandalism (making a manufacturer untrusted or unreliable). Gartner predicts that the financial impact of CPS attacks resulting in fatal casualties will reach over $50 billion by 2023. Even without considering the value of human life, the costs for organisations in terms of compensation, litigation, insurance, regulatory fines and reputation loss will be significant. Gartner also predicts that most CEOs will be personally liable for such incidents.

Wam Voster, senior research director at Gartner, noted that in operational environments, security and risk management leaders should be more concerned about real world hazards to humans and the environment, rather than information theft. “Inquiries with Gartner clients reveal that organisations in asset-intensive industries like manufacturing, resources and utilities struggle to define appropriate control frameworks,” said Voster.

Gartner recommends adopting a framework of 10 security controls to improve security posture and prevent incidents in the digital world from having an adverse effect in the physical world. Gartner urges organisations to define roles and responsibilities, by appointing an OT security manager for each facility, who is responsible for assigning and documenting roles and responsibilities related to security for all workers, senior managers and any third parties.

Organisations must also ensure that all OT staff have the required skills for their roles, with employees at each facility trained to recognise security risks, the most common attack vectors and what to do in case of a security incident. Gartner also recommends ensuring that each facility implements and maintains an OT-specific security incident management process that includes four phases: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity.

Organisations should ensure proper backup, restore and disaster recovery procedures are in place. To limit the impact of physical events such as a fire, backup media should not be stored in the same location as the backed up system. The backup media must also be protected from unauthorised disclosure or misuse. To cope with high severity incidents, it must be possible to restore the backup on a new system or virtual machine.

A policy should be created to ensure all portable data storage media such as USB sticks and portable computers are scanned, regardless of whether a device belongs to an internal employee or external parties such as subcontractors or equipment manufacturer representatives. Only media found to be free from malicious code or software should be connected to the OT. To support this process, security managers must keep an up-to-date inventory of all OT equipment and software.

OT networks must be physically and/or logically separated from any other network, both internally and externally. All network traffic between an OT and any other part of the network must go through a secure gateway solution like a demilitarised zone (DMZ). Interactive sessions to OT must use multi-factor authentication to authenticate at the gateway.

Gartner recommends implementing policies and procedures for automated logging and reviewing of potential and actual security events. These should include clear retention times for the security logs to be retained and protection against tampering or unwanted modification. Secure configurations should also be developed, standardised and deployed for all systems like endpoints, servers, network devices and field devices. All components in the OT environment should also install and enable endpoint security software like anti-malware. A formal patching process should also be implemented, to qualify patches by the equipment manufacturers before deploying. Once qualified, the patches can only be deployed on appropriate systems with a pre-specified frequency.

Image credit: ©stock.adobe.com/au/cendhika