The need for critical infrastructure specialists
It’s becoming very important for those needing to protect refineries, power grids, healthcare institutions, traffic systems and other solutions that are run by automated controls to use specialized security researchers to perform site assessments and, later, certifications.
Those needing to protect critical infrastructures using operation technology (OT) cannot rely on information technology (IT) security specialists. Both use computers, but they work in very different environments.
Just as someone would not ask the plant manager to fix the flaw in a Microsoft Windows system, the IT director can’t be expected to have all the answers to protecting the OT system. IT specialists strive to protect data; OT environments work to keep machines producing. Therefore, the byproducts of IT versus OT attacks are also different.
During the 2015 RSA security conference, Wurldtech’s Frank Marcus, director of technology, led a peer discussion that underscored the heightened profile of cyber security in the age of the Industrial Internet. Addressing the audience of global critical infrastructure experts, Marcus spoke about the evolution of threats against critical infrastructure. While enterprise cyber attacks may grab bigger headlines, cyber attacks on physical infrastructures can have greater consequences, including environmental damage and human safety.
Protecting these types of attacks are not the focus of IT departments. While the primary goal in IT is to protect data, OT security strives to keep processes running. Whether from outside threats, like hackers or state sponsored actors, or inside threats, like human error, in an environment where companies are operating drills, electric grids, MRI’s or locomotives, unplanned downtime is simply not acceptable. This is especially true for industries such as oil and gas, energy producers, health facilities and transportation systems in which even a couple minutes of downtime can yield tens of thousands of dollars lost.
Developing OT specialists
In the real world, Wurldtech began with "white hat" hackers who recognized there is an incredible amount of risk in our critical infrastructure. In-house hackers tested all the possible ways these machine-to-machine (M2M) networks could be infiltrated to identify where vulnerabilities exist and determine how to protect against them.
Once there was enough data, the team was able to create a comprehensive cyber security solution to help provide critical infrastructure protection against the persistent and dynamic cyber threats that challenge production environments, transportation systems and healthcare operations. If a system is successfully hacked, it is possible to help stop that attack from getting to the internal Internet where it can wreck havoc on the factory, grid or drilling station.
Once the solution is installed, a security and quality testing service that simulates attackers challenging the system is needed to make sure that the user is controlling who is talking to whom. Such a service imitates attackers challenging the company’s system.
Also, be sure to ask the mission critical device manufacturers if they have been tested to repel cyber attacks. Have they had their products monitored to both network and operational parameters, allowing vulnerabilities to be discovered and faults to be reproduced, isolated, identified and resolved before these products are introduced to the market? Are they certified to be secure?
In addition, management needs assurance the security experts they hire are not only highly certified and trained to carefully assess, design and implement OT security but to do so in their industry environments. For instance, oil management needs to assure that the security experts they hire are certified and trained to carefully assess, design, and implement OT security in offshore and onshore environments. If the goal is to help secure operational assets, reduce compliance penalties, and enforce supplier security, specialized expertise is absolutely needed.
Nate Kube founded Wurldtech Security Technologies in 2006 and, as the company’s chief technology officer, is responsible for strategic alliances, technology, and thought leadership. This content originally appeared on ISSSource. Edited by Chris Vavra, production editor, CFE Media, firstname.lastname@example.org.
– See additional stories from Kube and from ISSSource linked below.