It’s soon going to be that time of the year for another edition of the Operational Technology Information Sharing and Analysis Center (OT-ISAC) Summit, where CISOs and OT and IT practitioners will come together to collectively shape security best practices and strategies for OT and ICS environments. Come Sept. 8 – 9, stakeholders will get together to adapt and achieve mutual defense in protecting critical assets.
The two-day focused OT-ISAC Virtual Summit 2021 brings together the community to achieve deeper cooperation and enable the stakeholders to strengthen cyber resiliency. The conference will focus on enhancing OT cybersecurity awareness and boosting workforce capability, analyzing ICS/OT risk management, refining OT incident response, and dissecting the vector and impact of recent cybersecurity incidents that have plagued the industrial sector. OT-ISAC Summit will once again provide the industry with an opportunity to intensify collaboration between asset owners, operators, governments, and vendors.
As threat actors look to cause disruptions to critical services and industrial processes in ICS (industrial control systems) and OT environments, threats to OT networks remain high in 2020. The escalating threat level in OT/ICS environments has given rise to a growing need to redefine OT incident response, as the threat level, the nature of the attack surface, and the attack types evolve.
“Cyberattacks on the OT/ICS environments in the past as well as recently highlight the need for ‘being prepared’ to respond to the security incidents timely and effectively,” Ashish Thapar, vice president and head of consulting for the APAC region at NTT’s security division, told Industrial Cyber, a media partner for the event.
“Based on my optics from security maturity assessments, incident investigations and strategic consulting work, the OT/ICS environments in most cases are still at quite low maturity with regards to incident response (IR) readiness,” Thapar said. “IR in OT/ICS also requires a different approach as the threat profile, TTPs as well as level and nature of impact vary significantly from the typical IT environments. Recent attacks have clearly demonstrated a strong need for ensuring deep/wide visibility along with effective automated response across the converged IT-OT-IoT environment,” he added.
“Traditional OT Incident Response (IR) relies on the basis of IR from the IT domain due to the nature of IT-OT convergence,” Thian Chin Lim, Director (CII) at the Cyber Security Agency of Singapore, told Industrial Cyber. “With the dynamic changes in OT threats, there is a need to develop or cross-train a team of skilled defenders comprising both engineers and IT analysts, and to continuously hone their skills in incident response as well as the other domains of cyber protection, such as threat detection and system recovery in the OT domain.”
Focusing on the challenges that affect the APAC region, Thapar outlined what organizations need to be aware of to be better prepared to manage them. “Lack of a single market regulatory/compliance framework or a common minimum security baseline like that in the EU/US market. This may lead to misaligned priorities and countermeasures as well as higher ‘TCO or Total Cost of Ownership’ implications,” he said.
“Supply chain risks from a matured regime to an immature one. Security is as strong as the weakest link in the chain. Geo-political fault lines and fierce competition may hinder much-needed collaboration and cooperation across industry players. The adversaries do it well – it’s time the defenders get better at it,” Thapar said. “The diversity of economies with conflicting business interests/priorities in specific countries within APAC with reference to principles of data security, data privacy may also hinder the maturity and enforcement of CII protection controls,” he added.
Recent data from industrial cybersecurity firm Claroty outlined a 41 percent rise in ICS vulnerabilities disclosed in the first half of this year, compared to the previous six months, which is particularly significant given that in all of 2020, they increased by 25 percent from 2019 and 33 percent from 2018.
Speaking on the critical lessons that the critical infrastructure sector picked up from the first half of the year, as the needle shifts towards the end of 2021, Thapar said that, “Since most of the cyber attacks traverse from the enterprise IT side (level 4-5 of the Purdue reference architecture model), it is critically important that the IT and OT teams work collaboratively to implement robust controls to prevent, detect and respond to the threats.”
“Having complete knowledge of IT/OT/IoT assets, usual traffic patterns and protocol usage along with objective visibility on segmentation/micro-segmentation/traffic policies is critically important so that organizations can better manage anomalous events and respond to any early indicators of compromise,” according to NTT security division’s Thapar. “Just like how the OT/ICS sector performs physical safety drills, they must get used to performing cyber incident response drills (or incident simulation exercises) to stay nimble and address any shortcomings in peacetime rather than in wartime,” he added.
“The world has faced a significant increase of sophisticated threats against OT systems due to the rapid digitalisation partly caused by the pandemic, and Critical Information Infrastructure (CII) sectors are not immune,” Lim said. “Incidents such as the US’ Colonial Pipeline and Iran’s National Railway system have shown that we need to shift our mindset and focus to extend our protection not only on the OT system but to also include its interdependent network. While these attacks have not reached Singapore, CII Sectors shall remain vigilant and continue to shore up their defences and enhance our response plans against the evolving OT threats from relevant shared information,” he added.
The COVID-19 pandemic intensified digital transformation adoption, thereby exerting pressure on OT and ICS systems across verticals and industries.
When asked how OT/ICS systems are coping with the integrated risks and threats, Thapar said that “The answer to this pertinent question depends on how mature the OT/ICS system owners are w.r.t. the notion of cyber resilience and secure by design. Some of the organizations were better prepared than others when this unplanned digital transformation (read disruption) hit their OT/ICS environments.”
“They were hence able to better address the IT/OT convergence risks as well as threats thereof. The key to that maturity lies in the comprehensive and robust adherence to NIST CSF core functions, i.e. Identify, Protect, Detect, Respond and Recover. A zero trust approach helps drive a risk-averse mindset before allowing access to any resource from anywhere, anytime and by anything,” he added.
“Other than open-source threat information and performing continuous monitoring, OT/ICS could tap on relevant ISACs (i.e. OT-ISAC) to retrieve relevant threats to assess the level of risks pertaining to its organisation and prioritise the actionable information in a timely manner,” Lim said.
Speaking on recent governmental measures specific to the OT and critical infrastructure environments, Thapar said that some of the government measures have been very helpful in establishing some level of baseline to protect OT/ICS environments. “Efforts from governments such as the US, Singapore and Australia to protect Critical Information Infrastructure (CII) are a step in the right direction, but as the threat landscape evolves the countermeasures need to evolve as well. Regulations are not complex or vague as such, but they need to get industry feedback to continue taking a pragmatic approach while ensuring a balance between security, safety and complexity,” he added.
“The Cyber Security Act has been in force since 2018 and together with the national Cyber Code of Practice (CCoP – specifies the minimum protection policies that a CII owner shall implement to ensure the cybersecurity of its CII), have provided a cybersecurity baseline for the CII owners to enhance their cyber resilience,” Lim said. “Notwithstanding, to keep up with the evolving landscape, we are now working on an enhanced version of the CCoP to improve the odds of defending against sophisticated threats, to be agile in addressing emerging risks in specific domains, and to build coordinated defenses to support national efforts.”
“In 2019, the OT Cybersecurity Masterplan was launched to enhance the security and resilience of Singapore’s essential service sectors, to improve cross-OT sector response to mitigate cyber threats in the OT environment and to strengthen partnerships with industry and stakeholders,” Lim added.