Protecting critical infrastructure from cyber threats has never been more important. With Fortinet reporting that 9 out of 10 organizations experienced some sort of cyber incident within the past year, the problem is not going away.
Attacks like the one against the Oldsmar water treatment plant in 2021 have laid bare the susceptibility of operational technology (OT) to those looking to disrupt the economy, earn a ransom, or cause chaos. Government regulators have taken steps to regulate cybersecurity for critical infrastructure operators, but that will not be enough to protect against the growing threat of compromised OT environments. Unfortunately, government-imposed regulations lead to a compliance-based approach to security — and mere compliance will not cut it against the highly motivated and technologically advanced adversaries the industry now faces.
The fact that government agencies are addressing the need for cybersecurity standards is positive; however, the regulations that have been introduced often fall short in the marketplace. Many of these regulations are created without input from industry and focus on encouraging only the most basic cyber hygiene standards. It’s not without reason. These regulations encourage the practices with the fewest barriers to entry, allowing the widest possible range of organizations to get up to speed.
The July 2021 TSA requirements for pipeline owners are a perfect example of the problem with this approach. The Transportation Security Administration (TSA) developed a set of cybersecurity requirements for pipeline operators along with input from industry and federal partners. These regulations, which some believe created more confusion than security, didn’t fully account for the distinction between information technology (IT) and OT environments. In practice, these standards may be more likely to disrupt the industry than protect it from an attack.
What’s wrong with compliance?
Compliance is all about ticking boxes. Once the basic guidelines are met, there is little motivation to go beyond that standard — after all, if a company complies with the regulations, then they are protected from an attack, right? Not so much. There is no one-size-fits-all approach to cyber hygiene practices. What works for one company may not work for another, and compliance-based regulations can often miss that nuance. The compliance-based approach can create a false sense of security. It allows operators to believe that being compliant means they don’t need to look for the holes that may be exploited by threat actors, but that couldn’t be further from the truth.
Hackers are quickly evolving. When attacks like the one on Oldsmar are successful, they can serve as a beacon to attackers looking for new ways to disrupt operations. The best way to combat this kind of advanced threat is for the industry to come together to demonstrate its commitment to cyber resilience by building adherence to cybersecurity best practices into the very core of their business. There should be a market-driven motivation to keep up with attackers’ progress and safeguard our critical infrastructure.
Maturity models: A way to benchmark cybersecurity
A rating system — where those that have invested in and committed to sound cybersecurity practices are prioritized over those that have not — could offer companies financial motivation to improve their cybersecurity processes. The rating could help organizations accurately assess the risk of partnering with manufacturers, contractors or suppliers. Instead of ticking off regulatory boxes, this approach encourages companies to go above and beyond to show their commitment to security. If they don’t, their contracts could be on the line. As a result, cyber programs would have to move at the speed of business — not government — when addressing cyber issues. That’s a very different pace.
A successful rating system should be created by an independent organization with a deep knowledge of cyber practices in OT. As opposed to an external checklist, ratings should be based on in-depth internal assessments conducted alongside operators. The idea is to take a more nuanced view, looking beyond whether a company has a specific policy in place to how effectively that policy is being implemented.
Companies that demonstrate their commitment to good cyber hygiene will be rewarded with better ratings, which can make them more competitive when bidding on contracts. These ratings could be used by organizations when choosing suppliers and could help insurance companies set cybersecurity insurance rates. Organizations committed to good cyber practices would have a way to show off their ability to keep themselves and their partners in the supply chain safe — and they’d show that they are helping to safeguard communities from the catastrophic events that can result from flaws in OT systems.
A rating system that scores companies on their cybersecurity efforts could usher in a new era of security and accountability within critical infrastructure. By taking a built-in, market-driven approach, a rating system could drive companies beyond compliance. Integrating a cyber maturity rating system into the day-to-day business of industrial organizations would create a competitive landscape for those looking to secure our critical infrastructure and motivate companies to step up their cybersecurity practices.
With attackers advancing their operations by the day, it’s time that critical infrastructure operators do the same. The industry should come together to create a market-driven solution that can push organizations to move at the speed of cyber, rather than compliance.