Say what you want about cybercriminals, but they are certainly opportunistic and all too willing to take advantage of misfortune. Natural disasters are no exception.
The perpetual struggle with operational technology and industrial control systems is that they were designed with one thing in mind: reliability. These systems are meant to run 24/7 with minimal downtime and, unfortunately, maximizing security often comes second to that. On the bright side, there are three problems (or opportunities) on which to focus that will significantly reduce an attack surface while still ensuring that systems are reliable and resilient: Preparation, practice and people.
Preparation
“Lightning doesn’t strike twice,” right? Wrong. This is especially true when there is a large metal target of critical infrastructure involved. Experiencing an attack is not a question of if, but when. Operators have to be prepared to respond to attacks, even in the event of a natural disaster, to get back up and running and lower the mean time to recovery (MTTR).
The preparation and planning phase, also known as the prevention phase, should involve leaders in multiple areas of the business to make sure key factors such as joint communication and collaboration, public safety and the unique aspects of each affected industry aren’t overlooked. Consider the impact to workers, the general public, customers, the environment and all other stakeholders to make a holistic plan.
The attack surface is likely to be larger just after an incident, because restoration activities will rely on new or used equipment. That equipment may match the business’s hardening standards, but often it does not. Backup and recovery strategies are a must when trying to ensure resiliency. Automating the collection of trusted restore points is one technique to make sure backups are up to date and ready to launch.
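To make the idea of a "trusted" restore point concrete, here is an added example (not code from the original article or from any vendor) of what automated collection can look like in Python. It treats a restore point as a set of configuration artefacts, hashes each one, signs the manifest with an HMAC so the manifest itself cannot be silently edited, and checks freshness so a stale backup is flagged before anyone tries to restore from it. The sample artefacts, paths and the manifest key are all constructed placeholders; a real deployment would pull the files from devices and the key from a key store.

```python
"""Collect and verify a trusted restore point for OT configuration artefacts.

Added example, not from the article. The restore point is a set of
configuration files (e.g. switch configs, PLC project exports) modelled as an
in-memory {path: bytes} mapping so the script runs without real devices.
"""
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample artefacts standing in for real device backups.
SAMPLE_ARTEFACTS = {
    "switch01/running-config": b"hostname sw01\ninterface Gi0/1\n shutdown\n",
    "plc07/project.export": b"<project name='pump-station-7' rev='42'/>",
}

# Hypothetical shared secret that makes the manifest tamper-evident.
MANIFEST_KEY = b"replace-with-a-secret-from-your-key-store"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Canonical JSON so the signature does not depend on dict ordering.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_restore_point(artefacts: dict, key: bytes,
                        taken_at: Optional[float] = None) -> dict:
    """Hash every artefact and sign the manifest so later tampering is detectable."""
    entries = {path: _sha256_hex(data) for path, data in sorted(artefacts.items())}
    body = {"taken_at": time.time() if taken_at is None else taken_at,
            "files": entries}
    body["signature"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_restore_point(restore_point: dict, artefacts: dict, key: bytes) -> list:
    """Return a list of problems; an empty list means the restore point checks out."""
    problems = []
    body = {k: v for k, v in restore_point.items() if k != "signature"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, restore_point.get("signature", "")):
        problems.append("manifest signature mismatch")
        return problems  # nothing else in the manifest can be trusted
    for path, digest in restore_point["files"].items():
        if path not in artefacts:
            problems.append(f"missing: {path}")
        elif _sha256_hex(artefacts[path]) != digest:
            problems.append(f"modified: {path}")
    for path in artefacts:
        if path not in restore_point["files"]:
            problems.append(f"unexpected: {path}")
    return problems


def is_stale(restore_point: dict, max_age_seconds: float,
             now: Optional[float] = None) -> bool:
    """A restore point older than the allowed window should trigger a fresh collection."""
    now = time.time() if now is None else now
    return now - restore_point["taken_at"] > max_age_seconds


if __name__ == "__main__":
    rp = build_restore_point(SAMPLE_ARTEFACTS, MANIFEST_KEY)
    print("clean:", verify_restore_point(rp, SAMPLE_ARTEFACTS, MANIFEST_KEY))
    tampered = dict(SAMPLE_ARTEFACTS)
    tampered["switch01/running-config"] = b"hostname sw01\ninterface Gi0/1\n no shutdown\n"
    print("tampered:", verify_restore_point(rp, tampered, MANIFEST_KEY))
    print("stale after 7 days at 24h limit:", is_stale(rp, 86400, now=rp["taken_at"] + 7 * 86400))
```

Run on a schedule, `build_restore_point` gives you the "collected automatically" half; running `verify_restore_point` and `is_stale` before any restoration gives you the "trusted" half, which matters most right after a disaster when replacement equipment is being brought up in a hurry.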
Practice
In addition to having backup and restore points in place, operators need to know how to act on a plan. Table-top exercises to practice emergency situations need to be constantly drilled and revised to make sure the business is resilient.
Recovery begins immediately after a crisis occurs, but when the alarms are sounding, it’s easy to get overwhelmed and overlook the processes in an emergency management plan. Pre-determined protocols are only useful as long as they are acted on properly. Trained staff and volunteers also need to know whom to contact for support in such events. For example, designating the right people to contact specific government officials, agencies or other personnel that are also trained in emergency response is a must-have in these critical situations.
People
The inconvenient truth is that OT/ICS security teams are typically understaffed and, in a disaster event, it is likely that all hands are on deck to deal with the most glaring issues. Meanwhile, in the background, hackers could be hiding behind the alarms and confusion to slip by unnoticed.
Anytime something out of the ordinary occurs, unexpected weaknesses may be exposed. In this case, it is likely there will also be a significant weakness around personnel and the skills gap. The people responding to these events are dealing with a lot of unknown conditions, thinking and acting on the fly as they execute activities that they aren’t familiar with. This is going to lead to missteps and mistakes along the way, which slow down restoration activities.
Granted, skills and training are not a problem that can be tackled overnight. It’s up to the industry – vendors, operators and the government – to work together to address the needs of workers. As the workforce ages and fresh talent is brought in, there is a balance to strike between making the technology accessible and bringing it up to speed to match modern standards.
While the winter may bring snowstorms and blizzards, natural disasters are present throughout the year. Extreme heat, hurricanes, earthquakes and any number of unexpected events can happen at any time. Constant evaluation of plans, practices and people ensures an organization is not hit with a two-for-one special.
Protecting the business and its people isn’t just good business sense – it’s common sense.