Cybersecurity has never been more challenging for industrial organizations. Recent attacks on critical safety systems have shown that conventional defenses may not stop sophisticated attackers. And growing political unrest is increasing the likelihood of more sophisticated nation-state breaches against industries that support everyday life, like electric utilities, transportation, and manufacturing. The potential risks to safety, operational performance, and information confidentiality requires constant vigilance.
For critical infrastructure organizations and operators to prevent a catastrophic event, they must first understand the risks facing cyber-physical systems. A recent survey from Nozomi Networks and Newsweek Vantage of 400 C-level executives from critical infrastructure organizations shows that when it comes to security, these companies have not focused enough on taking a holistic approach to the digital and physical realms. Nearly half of respondents struggle with differences in risk tolerances between IT and OT in an environment that has traditionally associated those two areas with very different goals.
Too many organizations think their approach to cyber-physical security is adequate, until they find that it isn’t. Complacency can have disastrous results: more than a third of executives say that an actual cyber breach caused them to develop a holistic approach to their organization’s cyber/physical security.
Three Major Obstacles to a Holistic Approach
It’s clear that more critical infrastructure organizations need take a holistic approach to securing cyber-physical systems. There are three major obstacles that organizations encounter when implementing a holistic approach: organizational, technical, and external. The main organizational obstacle to achieving a holistic approach is the differing opinions of IT and OT on what needs to be secured, which leads to different risk management priorities. IT has traditionally focused on data security, in which a cyber threat could result in the theft of millions of dollars of intellectual property, corporate financials, and employee or customer information. By contrast, OT has focused on operational continuity and safety.
The technical obstacles to a holistic approach include the differences in IT and OT operation environments, the difference in IT and OT skill requirements, and the differences in the security threats faced on both sides.
Finally, the most significant external obstacle to a holistic approach to cyber-physical systems is a lack of adherence to standards. There are not enough appropriate industry yardsticks for assessing the performance claims of complete security products, and there is a lack of established IT standards and a lack of awareness of OT standards.
Make Sure People Aren’t the Problem
Achieving a holistic approach to cyber-physical security can also be culturally difficult. Employees are often resistant to change. It’s difficult to alter habits of thought and traditional business practices. To overcome cultural obstacles to a holistic approach, the most important factor is to build a team that includes skills of IT, OT, and physical security, along with cross-training of the teams from these three areas. The “people factor” is a critical element — making sure you have the right team with the right mindset to work cross-functionally.
Critical Infrastructure Cybersecurity and Physical Safety Go Together
Critical infrastructure organizations are focused on the physical safety of their employees, customers, and the public. If this is jeopardized, they marshal their resources to fight the threat. These organizations need to take the same approach to cybersecurity, especially since a cyber-physical breach could affect public health and safety. A holistic approach to cyber-physical security can be achieved by focusing on these five areas:
Raise and apply cyber-physical standards where possible. There are standards for the cybersecurity of automation and control systems that can be universally adopted. The fact that there are several standards should not be an excuse for failing to apply them. The same goes for certification. Engineers can work on the security of control systems without a relevant certificate. If project managers need a certificate to work on such projects, it makes no sense to ignore this stipulation for cybersecurity.
Do things in the right order. Set up a good structure of governance for cyber-physical security, with clear lines of accountability. Sources, such as the U.S. National Institute of Standards and Technology Cybersecurity Framework, describe a systematic approach with references to applicable standards for each step. Train all personnel thoroughly on their cyber-physical responsibilities. Design the organization’s policies and procedures to align with those pertaining to cybersecurity and vice versa. Only then decide on what technologies to invest in that will support the other elements.
Don’t punish people if they admit to having made a mistake. Organizations tend to penalize those who make errors. Instead they should encourage personnel to own up when a cybersecurity breach occurs or, even better, allow them to recognize and disclose a mistake that might lead to an incident. Failure is only an opportunity to learn how to do things better.
Treat cyber-physical security in the same way as physical safety. The safety of employees and the public is considered of paramount importance at every organization and is regarded as the business of everybody in the organization. There is no reason why cyber-physical security should not be treated in the same way.
Cyber-physical security is not like going on a diet. It’s a change of lifestyle. Organizations should not treat the task as completed after taking all the requisite steps in a holistic implementation program. The job of securing assets and employee behavior needs to be continually updated because threats and vulnerabilities will change constantly.
As organizations’ IT, OT and physical systems become more interconnected, critical infrastructure organizations must implement a holistic approach to securing these cyber-physical systems. It should not take a cyberattack or crisis to spur change. Now is the time to take these steps to achieve a holistic approach.