Intelligent CIO Africa Issue 76 - Page 76

Bernard Montel, EMEA Technical Director and Security Strategist, Tenable
This significantly increases organisational risk as it effectively expands available attack vectors, while inadvertently making cyber-threats harder to detect, investigate and address. It is also worth remembering that an attack against OT systems can have physical consequences for individuals or company infrastructure on top of the threat to the organisation’s data. Complicating matters further is the fact that cyber breaches that occur on one side of the connected, converged infrastructure can migrate to the other – from OT to IT and vice versa.
A key issue, particularly to the OT side of an organisation – given the business criticality of these systems – is the zero-downtime tolerance policy. Another challenge is legacy infrastructure; OT environments typically feature legacy technology that is built for process functionality and safety, along with static devices and a perimeter protective layer.
Considering modern systems increasingly connect devices, machines, sensors, thermostats and more to the internet – which means the number of vulnerable touchpoints keeps increasing – securing OT systems is of the utmost importance.
When looking at IT and OT systems, it is worth recognising the difference between these systems’ lifecycles. Whereas IT infrastructure is designed to be updated on a regular basis, OT systems are designed to operate for years or even decades without updates or upgrades.
In some cases, OT infrastructure could be as old as the physical plant it is installed in, which means a full inventory of assets along with maintenance and/or change management records may not be up-to-date or may not even exist. This makes it difficult for an organisation to protect its industrial operations and should be addressed by maintaining a detailed inventory of all assets and infrastructure.
Exposure management
There has been a marked increase in ransomware attacks, nation-state sponsored threats and zero-day vulnerabilities weaponised within the last 12 months. This has put under-resourced security teams under yet more pressure, and forced them to balance working practices, improvements to security systems and posture, and tight budgets. Though this may seem like an impossible task, going back to the basics with cyber-hygiene can have a dramatic impact on lessening an organisation’s cyber exposure.
The impact of cyber incidents can only truly be understood when business and security leaders combine efforts. Business leaders must ensure that security leaders fully understand the organisation’s mission and take proactive steps to protect the assets, data, staff, and tools needed for critical activities.
Determining where weaknesses and vulnerabilities exist is only possible when a holistic view of cloud and on-premises, IT and OT environments, and everything in between including the interdependencies that exist for critical functionality, is available to experts.
With this established, the next critical step is to identify what could cause theoretical versus practical damage. Organisations can safely assume that there is a plethora of hidden OT systems that were temporarily installed, forgotten about and so are under-protected. Keeping this in mind, steps can be taken to address risks where possible or monitor assets that could fall prey to attacks.
Vulnerability management in its most traditional sense focused on addressing flaws in software that could be taken advantage of, leveraging glossaries of common vulnerabilities and exposures (CVEs). Exposure management goes beyond this as it offers additional context such as how a system is configured, who is using it and what they have access to. It enables cybersecurity teams to operationalise their preventative security programs, which means organisations have a clearer understanding of the effectiveness of their security suites.
The writing is on the wall: renewable energy organisations must step up and stop cybercriminals from infiltrating their infrastructure, and the best way to do this is to anticipate cyber-attacks and communicate those risks for favourable decision support. Organisations that do this well will be able to successfully defend against existing and emerging threats and will be key players in a future based on renewable energy.