Sunday, January 29, 2023

Securing IT/OT convergence for a greener, safer world

Record-breaking heat waves, excessive rainfall, and flash floods – extreme weather events that were once thought rare or unusual are no longer the exception. Instead, they have become “the new norm”.

In Asia, the impact of this growing reality is affecting more people and businesses than ever before. According to the World Meteorological Organization, economic losses from such weather events – which have resulted in thousands of lives lost, millions of households displaced, and billions of dollars in economic costs – have rocketed in the region.

But there’s more. As part of the United Nations’ COP 27 Summit that just wrapped up in November, leading climate scientists also estimated that if global warming is not contained, nearly 92 million people could be driven from their homes by these events.

In response to this growing threat, governments across the region have stepped up their efforts to combat climate change. With politicians strengthening both regulations and incentives for businesses to reduce carbon emissions and improve their energy usage, Asian organisations have more reasons than ever to invest in the energy transition.

In fact, not only are more businesses prioritising sustainability goals and the adoption of renewables, many are looking to invest in new power management technologies to do so. Eaton’s Future of Power Management in Asia-Pacific report found that sustainability is a top business priority for two in three (62%) APAC organisations, with 55% looking to increase the use of renewables in their operations. The regional study also found that three in five businesses are keen to invest in new technologies to digitalise power management, be it to optimise energy usage and cost or to align with government regulations.

However, even as organisations build their defences against climate change through digitalising their power management processes, another global threat looms in the background – cyberattacks.

Industry 4.0’s sustainability opportunities and cybersecurity risks

Across all industrial settings, organisations have been integrating a growing array of sensors, machine learning and analytics across their industrial control systems (ICS) and processes to optimise operational performance and meet new sustainability targets. New technologies that aid businesses’ energy transition include smart uninterruptible power supplies (UPS) that boost facilities’ efficiency, as well as facility optimisation software that enables efficient resource utilisation.

These latest advancements in power management and ICS technologies open many new possibilities for the ongoing energy transition. We’re talking about businesses that can increase their adoption of renewables, enabled by smart UPS that can control multiple energy sources at once and decide which source is the best to use at any given moment. But at the same time, this convergence of information technology (IT) and operational technology (OT) also brings risk.

More interconnected devices in a facility inevitably result in a bigger attack surface and greater exposure to cybersecurity threat actors. Cybersecurity vulnerabilities are also often compounded when AI-based solutions are implemented on legacy, obsolete infrastructure without accounting for security considerations. Commonly developed to have longer lifespans of 10 to 15 years, such legacy infrastructure is often not designed with adequate defences against rapidly evolving cybersecurity risks.

The rise of operational technology cyberattacks

In recent years, cybersecurity has become an urgent concern for many companies. There has also been a salient spike in ransomware attacks: one industry study says that the number of cyberattacks rose by a whopping 28% in the third quarter of 2022, as compared to the same period in 2021. These attacks can be very costly. IBM estimates that the average cost of a cybercrime to a company is US$4.35 million, which climbed 12.7% from US$3.86 million back in 2020. If these are signs of things to come, companies will have to brace for impact as threat actors find new, more sophisticated ways to exploit their vulnerabilities.

Unfortunately, OT cybersecurity is not always as talked about as its IT equivalent. But that doesn’t mean it is any less of a concern. In fact, it is more of a priority now than ever before.

OT infrastructure can range from something as innocuous as the systems that control a facility’s lighting to the UPS that provides backup power to facilities. Its role is central and critical to any organisation’s operations. It’s paramount for organisations to safeguard their OT infrastructure, in view of the potentially costly downtime that can result from poor protection and maintenance.

Research agency Gartner predicts that OT environments can be weaponised to harm or kill humans by the year 2025, and that impending cyberattacks will cause such critical damage to infrastructure that it may trigger kinetic, even militaristic, retaliations. Though Gartner’s predictions take a dramatic tone, they point to the growing recognition of OT cybersecurity as an area that needs greater awareness and defences. After all, it is a fact that the consequences of OT cyberattacks can be far-reaching and catastrophic, especially in critical infrastructure or industrial settings.

OT cyberattacks can happen in a myriad of ways, some as straightforward as causing disruptions to fixed processes, and others as sophisticated as compromising the integrity of industrial environments, with an intent to cause physical harm. One example of a costly OT incident is the 2021 Colonial Pipeline attack in Texas, which saw attackers compromise the IT systems of the organisation with a ransomware attack. The attack led to a complete halt in the pipeline’s operations as the company worked to fend off its attackers, resulting in costly financial losses and fuel shortages in numerous states.

Recent research from industrial automation giant Honeywell also revealed that the number of cyberthreats involving external removable media — which are often used in industrial systems that are not connected to the Internet — has risen prominently to 52%, and 81% of those cyberthreats could be used to disrupt OT systems.

Building defences against the cybersecurity risks

Of course, as costly as OT attacks can prove to be, it is not a dead end where solutions and strategies are concerned. Organisations are in a prime position to act preemptively and proactively to strengthen their infrastructure, reduce their vulnerabilities, and prevent such attacks from happening at all.

When it comes to OT cybersecurity, it is never a simple one-off approach because attacks can come anytime — usually when they are least expected — and often in more sophisticated ways than before. Implementing a full security life-cycle management approach enables organisations to ensure that there is a continuous program of auditing and assessing their network, devices and facilities.

Businesses’ approach to address OT cybersecurity should also be holistic and comprehensive, beginning with the adoption of security frameworks, policies, procedures and best practices that are tailored to an organisation’s operations. This will require leadership to do away with traditional perceptions of IT and OT security as siloed functions, and encourage IT and facilities management teams to work in tandem, to ensure that their cyber-physical environments are well-protected.

Another pillar of the holistic OT cybersecurity approach is asset management. At the most fundamental level, organisations must have a comprehensive understanding of the many devices that sit on their network — particularly those that are connected to the Internet. Organisations should also have a vulnerability management system (i.e. hardening the systems and regular patching of system vulnerabilities) as well as continuous threat detection capabilities in place.

Beyond technology and processes, businesses need to address OT cybersecurity from a people/personnel standpoint. Employees need to be equipped with an adequate understanding of IT/OT cybersecurity. This can begin with weeding out common misconceptions, such as cybersecurity being the sole responsibility of IT staff, or cybersecurity breaches not affecting facility networks that are not connected to the Internet. Addressing misconceptions, educating staff and implementing appropriate technical training thereafter can go a long way in helping organisations improve their OT cybersecurity.

Last but not least, organisations should consider implementing advanced security features on top of essential fundamentals. These advanced features include zero trust network access, monitoring OT-specific threats through the Security Operations Centre, leveraging regional and global threat intelligence, building Cyber Emergency Response Teams to mitigate cyber incidents, addressing cybersecurity risks in the supply chain, and more.

By ensuring that OT cybersecurity is well taken care of, organisations are free to explore the different possibilities that IT/OT convergence can unlock for them, especially in terms of what it means for their energy transition. With the pressing climate crisis looming overhead, IT/OT convergence can prove to be a game-changer for many organisations, and OT cyberattacks shouldn’t stand in the way as they continue to address this crisis in new, innovative ways.