5 minute read 31 Oct 2023

In an evolving cyber threat landscape, how do you develop Operational Technology (OT) resilience?

By Roman Haltinner

Partner, Cybersecurity Competency Leader | EY Switzerland

Focusing on all aspects of information cybersecurity and business resilience. Passionate about experiencing nature with his family. Likes reading new scientific books while having a glass of wine.


As cyber risks at the intersection of IT and Operational Technology (OT) grow, organizations should focus on ways to build resilience now.

In brief

  • In light of the evolving cyberthreat landscape, companies need to build resilience against cyber attacks.
  • Besides IT, cybersecurity must also cover OT processes, activities and assets and work with relevant stakeholders to align goals and expectations.
  • Building resilience involves addressing weaknesses, fostering a culture of cybersecurity and applying appropriate cybersecurity rules.

In today’s rapidly changing cybersecurity landscape, embarking on a business resilience journey is essential. The evolving nature of cyber threats demands proactive measures to assess vulnerabilities, implement robust security measures and adapt swiftly. Neglecting the interplay between IT and Operational Technology (OT), resilience and essential security measures can lead to financial losses, reputational damage and loss of customer trust.

Over the past decade, the evolving OT attack landscape has seen an expansion of common attacks originating from IT networks. At the intersection of OT and IT, these attacks have an escalating impact that goes beyond temporary downtime, triggering a cascade of significant financial and further consequences.

In May 2021, a major pipeline system for refined oil products in the US was hit by a ransomware attack. It suffered six days of downtime, triggering widespread gasoline shortages in the Northeast USA.

Swiss attacks: 54 cyber incident reports received in the second half of 2022

Ransomware attacks have witnessed a significant surge in both quantity and impact, establishing themselves as a major cause of concern in the cybersecurity landscape. In its report for the second half of 2022, the Swiss National Cybersecurity Centre (NCSC) recorded 54 incident reports related to ransomware attacks. Disruptive attacks such as these have had a significant impact on vital sectors such as food and beverages, healthcare, transportation and energy.

Cyberattacks on OT highlight the critical importance of business continuity and resilience in safeguarding critical systems and ensuring the continued operation of vital services. Organizations must prioritize these aspects to minimize the impact of cyber threats and maintain the stability and functionality of their operations. 

“By understanding and acknowledging the weaknesses within your organization, you can proactively assess potential threats and vulnerabilities.”
Iuliia Simonova, Senior Consultant OT Security

Building resilience in the OT world requires more than just supporting IT. It is crucial to consider various interconnected pillars that collectively contribute to effective business resilience. While IT is important, other pillars such as infrastructure, people, suppliers, premises, legal & compliance, finance and communications also play vital roles.

In our work with clients, we observe common obstacles on the journey toward building resilience, such as:

  • Unclear understanding of potential risks
  • Unidentified key processes and procedures
  • Unclear understanding of business needs regarding the recovery of IT/OT applications
  • Unawareness of risks and interdependencies with third parties
  • Unpreparedness for a disruptive event
  • Lack of threat intelligence

Knowing your vulnerabilities, identifying risks and being prepared before an attack occurs are key elements on any business resilience journey. By understanding and acknowledging the weaknesses within your organization, you can proactively assess potential threats and vulnerabilities.

As each organization is different, it is important to establish a customized business resilience program that meets your specific needs. Based on our experience, these are some key steps you can take to work out your focus areas and improve resilience: 

  • Start with the basics

    Identify all your key underlying processes, activities and assets for a full overview of your situation.

  • Identify key gaps

    Look for areas with deficiencies, including discrepancies between existing recovery time objectives (RTOs) and recovery point objectives (RPOs) versus the expectations of business stakeholders. Conduct a gap analysis – with the support of an external provider if there is insufficient in-house expertise – to identify areas where the current recovery objectives do not align with the needs and expectations of the business. This helps in prioritizing improvements and adjustments.

  • Collaborate and coordinate with stakeholders

    Working with different departments and stakeholders is vital to achieve comprehensive resilience. This includes fostering strong relationships with suppliers and partners, establishing communication channels and conducting regular assessments to ensure that all parties are aligned in terms of resilience goals and strategies.

  • Keep up to date with the threat landscape

    Staying informed about emerging threats, technological advancements and industry best practices is critical. Keeping up to date with relevant regulations and compliance requirements also helps organizations stay proactive in addressing potential vulnerabilities and ensuring that their resilience measures remain effective and in line with changing landscapes.

  • Foster a culture of resilience

    This involves creating awareness and training programs to educate employees about the significance of resilience, their roles in maintaining it and the procedures to follow during disruptions. For example, conduct crisis simulations on a regular basis. It can be helpful to get an external view and support for this step.

By considering these aspects and fostering a holistic approach to resilience, organizations can strengthen their ability to withstand disruptions, recover quickly and maintain operational continuity in the dynamic IT/OT environment.

Of course, it’s also important to keep in mind general cybersecurity rules for OT to protect your organization from cyberattacks, such as:

  • Network separation and segmentation: implementing network segmentation helps isolate critical OT systems from other networks, reducing the attack surface and limiting the potential spread of threats.
  • Regular system updates and patching: this helps to protect against known vulnerabilities and reduces the risk of successful attacks. For obsolete systems still in use, it is necessary to implement some alternative measures, such as isolation.
  • Secure remote access: implement secure remote access solutions for OT systems, ensuring that remote connections are encrypted and authenticated. Good practice is to establish a secure method of remote access for OT vendors including installing a VPN connection, filtering the traffic by an IT/OT firewall and using a jump station located in the IT/OT DMZ with multifactor authentication, separate from other production networks.
  • Network security monitoring: implement a monitoring system based on an industrial intrusion detection system (IDS) inside the OT network to monitor OT network traffic. The architecture of the IDS solution should ensure that the network’s most critical traffic is monitored (e.g., between OT and external networks, between OT VLANs and within OT VLANs).
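
The segmentation and remote-access rules above can be checked against observed traffic. The following is an added example, not part of the original article: it audits flow records against a zone policy in which only a jump station in the IT/OT DMZ may initiate connections into OT. The address ranges, the jump host address, the finding names and the rule that OT may talk outward only to the DMZ are all assumptions made for illustration.

```python
import ipaddress

# Constructed zone plan (assumption): ranges and jump host are illustrative.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT-A": ipaddress.ip_network("10.30.1.0/24"),
    "OT-B": ipaddress.ip_network("10.30.2.0/24"),
}
JUMP_HOST = "10.20.0.10"  # hypothetical jump station in the IT/OT DMZ

def zone_of(ip):
    """Map an address to its zone; anything unlisted counts as EXTERNAL."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "EXTERNAL")

def classify(src, dst):
    """Return a finding for a flow that crosses an OT boundary, else None."""
    s, d = zone_of(src), zone_of(dst)
    s_ot, d_ot = s.startswith("OT"), d.startswith("OT")
    if not (s_ot or d_ot) or s == d:
        return None  # no OT endpoint, or traffic inside a single OT VLAN
    if s_ot and d_ot:
        return "cross-ot-vlan"
    if d_ot:  # inbound to OT: only the jump station may initiate
        if s == "DMZ":
            return None if src == JUMP_HOST else "dmz-host-not-jump-station"
        return "external-to-ot" if s == "EXTERNAL" else "it-to-ot-bypasses-dmz"
    if d == "DMZ":  # outbound from OT: assumed policy allows the DMZ only
        return None
    return "ot-to-external" if d == "EXTERNAL" else "ot-to-it-bypasses-dmz"

def audit(flows):
    """Return (src, dst, finding) for every flow that breaks the zone policy."""
    return [(s, d, f) for s, d in flows if (f := classify(s, d))]

# Constructed flow records (src, dst), such as an IDS sensor might export.
SAMPLE_FLOWS = [
    ("10.20.0.10", "10.30.1.5"), ("10.10.4.7", "10.30.1.5"),
    ("203.0.113.9", "10.30.2.8"), ("10.20.0.55", "10.30.1.5"),
    ("10.30.1.5", "10.30.2.8"), ("10.30.1.5", "10.30.1.6"),
    ("10.30.2.8", "198.51.100.4"), ("10.30.1.5", "10.20.0.10"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS):
        print(row)
```

Flows inside a single OT VLAN are not flagged here because they cross no boundary; they still belong in the IDS monitoring scope described above.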

Summary

Understanding and addressing potential risks across key OT processes, activities and assets is a vital first step in building resilience. At the same time, fostering a culture and communication with stakeholders is important to align expectations and enable an ongoing journey in a shifting risk landscape.

Acknowledgements

We thank Iuliia Simonova, Natalia Studer, Maxine Moleman and Tsiory Razafindrazaka for their valuable contribution to this article.
