Companies in heavy industrial industries such as mining, oil and gas, electricity and chemicals have become a major target for cybercrime. But securing these companies is complicated as they must not only protect their IT infrastructure but also their OT (operational technology) assets.
Cybersecurity solutions and tools that work in IT environments do not transfer well to the OT side, potentially harming industrial devices. “Even merely scanning these devices for vulnerabilities has led to major process disruptions,” according to a recent McKinsey article.
But even though the same tools aren’t effective for both environments, links between OT and IT are creating vulnerabilities that need to be addressed. Industrial cybersecurity vendor CyberX has found that 40% of industrial sites have at least one direct public internet connection, and 84% have at least one device that is remotely accessible.
Breaches have already occurred. In 2018, nearly 60% of heavy industrial organizations in a Forrester poll reported that they had experienced an OT breach. Documented cases of breaches include the 2015 and 2016 attacks on an Eastern Europe power grid that caused a blackout for 230,000 people. In 2017, a Middle Eastern petrochemical plant’s industrial control system (ICS) was attacked in an attempt to cause an explosion.
Unique Security Challenges
The McKinsey article addresses unique security challenges that heavy industrials are facing, including their drive toward digital transformation. “When building the business case for these transformations, leaders often overlook the cost of managing the associated security risks. Security is not often a central part of the transformation, and security architects are brought in only after a new digital product or system has been developed.”
As a result, security tools are bolted on and less effective. Sometimes users circumvent them because they can be cumbersome.
Other unique challenges are the difficulty of securing highly customized, geographically distributed industrial infrastructures and exposure to third-party risks. Heavy industrials rely on OEMs to maintain and update their equipment, creating security blind spots. Contracts with OEMs typically don’t include cybersecurity reviews and buyers aren’t diligent about changing those contracts or adopting extra security measures when available.
“Several heavy industrials have reported that third parties frequently connect laptops and removable storage devices directly into the OT network without any prior cybersecurity checks, despite the obvious dangers of infection,” the article says.
Beyond technology, heavy industrials are facing a challenge that affects every other industry – a cybersecurity skills shortage. (ISC)2 estimates the current gap between skilled professionals and a fully staffed global cybersecurity workforce is nearly 3 million worldwide. “The problem is worse for heavy industrials, which need to staff both IT and OT security teams, and to attract talent to remote operational locations,” the McKinsey article says.
McKinsey says heavy industrials, with the exception of U.S. electric production and distribution companies, have been slow to invest in cybersecurity for both IT and OT. That may be changing as OEMs and some startups introduce OT security technologies. Some of the solutions coming to market include:
- Unified identity and access management
- OT network monitoring and anomaly detection
- Asset inventory and device authorization
- Firewalls that block network access to attackers after one section is compromised
As these technologies are introduced, heavy industrials will be able to bridge the gap between OT and IT security. For more information on industrial security systems, check out (ISC)2’s ICS Lexicon.