Is human life under cyberattack?
The risk of killware
In the first four months of 2023, there were 430 publicly disclosed security incidents and more than 3.5 million breached records, based on data collected by IT Governance.
Last year, ransomware attacks surged 13% — the same amount they rose over the past five years combined, according to the 2022 Verizon Data Breach Investigations Report. And more than 80% of organizations experienced multiple data breaches.
Most of the ransomware attacks reported in 2022 targeted the IT environment. However, attacks on operational technology (OT) and cyber-physical systems (CPS) are rising.
Gartner defines OT as the hardware and software that monitors or controls industrial equipment, assets, processes or events. That includes heavy equipment, robotics, chemical and oil pipelines, and public utility systems.
The risks associated with those systems are more severe. They range from relative annoyances, such as shutting down a plant, to physical harm. For example, in Florida in 2021, a hacker tried to change the chemical composition of a city’s water supply — raising pH to harmful levels.
By 2025, Gartner predicts that cyberattackers will have weaponized OT environments to harm or kill humans. That's a potential risk CIOs can't ignore.
How to protect OT
To protect critical assets — and human life — organizations need to broaden their cybersecurity programs to include CPS and OT environments. These environments require a separate, and sometimes different, approach than traditional IT security.
Take these six proactive and defensive actions to lower the risk of an OT attack.
1. Separate OT and IT networks
Your organization should appoint an OT security manager, in addition to an IT security manager. Ideally, OT security will be managed at the facility level.
Keep networks and systems separate, too. If it's not possible to completely segregate IT and OT networks, then create a secure gateway and monitor traffic between the two environments. Architect the IT and OT environments so they can be isolated or unplugged with minimal disruption.
2. Inventory assets and access points
Keep and continuously update an inventory of all OT equipment and software, as well as the staff, executives and third-party contractors that have access to OT.
The OT security team should also create policies and plans to oversee portable media, such as USB drives, laptops and tablets. There should also be a protocol for validating that devices are free from malware before they are connected to an OT network.
3. Limit admin access
Limit the number of administrator accounts and regularly assess admin rights. Make sure staff have the right access levels for their job roles, defaulting to the principle of least privilege.
4. Train against attacks
Earlier this year, Samsung employees leaked sensitive data to ChatGPT. The company wasn't attacked; it fell victim to errors in human judgement and culture. Employees who have access to OT need to recognize security risks and know how to respond. Train staff to prevent OT attacks, identify them and quickly mitigate the impact of an event. Look for safe opportunities to test OT security and to drill response plans.
5. Monitor activity in real time
Collect and log activity on OT networks and use tools for 24/7 monitoring and incident escalation. You also need a retention policy for saving security logs, and tools to limit access and prevent tampering.
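Steps 1 and 5 together imply a concrete detection: any allowed traffic into the OT network that did not pass through the designated gateway, or that the gateway passed on an unexpected port, should raise an alert. The script below is an added illustration, not Wipfli's tooling; the subnets, gateway address, permitted ports and flow-log lines are all constructed for the example.

```python
import ipaddress

# Constructed example: one OT subnet, one IT subnet, and the single
# gateway host that is permitted to bridge them (hypothetical values).
OT_NET = ipaddress.ip_network("10.20.0.0/16")
IT_NET = ipaddress.ip_network("10.10.0.0/16")
GATEWAY = ipaddress.ip_address("10.10.255.1")
ALLOWED_OT_PORTS = {502, 44818}  # Modbus/TCP and EtherNet/IP via the gateway

# Constructed sample flow log, one flow per line:
# "<timestamp> <src> <dst> <dport> <action>"
SAMPLE_LOGS = """\
2023-05-01T08:00:01 10.10.255.1 10.20.1.5 502 ALLOW
2023-05-01T08:00:07 10.10.4.23 10.20.1.5 502 ALLOW
2023-05-01T08:00:09 10.10.255.1 10.20.1.7 3389 ALLOW
2023-05-01T08:01:02 192.0.2.44 10.20.1.5 502 ALLOW
2023-05-01T08:01:10 10.20.1.5 10.20.1.9 502 ALLOW
"""


def parse_flow(line):
    """Split one flow-log line into typed fields."""
    ts, src, dst, dport, action = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": int(dport),
            "action": action}


def classify(flow):
    """Return a finding for a flow that violates the gateway policy, else None."""
    if flow["dst"] not in OT_NET or flow["action"] != "ALLOW":
        return None  # only traffic that actually reached OT matters here
    if flow["src"] in OT_NET:
        return None  # intra-OT traffic is outside boundary monitoring
    if flow["src"] != GATEWAY:
        origin = "IT host" if flow["src"] in IT_NET else "external host"
        return (f"{flow['ts']} {origin} {flow['src']} reached OT "
                f"{flow['dst']}:{flow['dport']} bypassing gateway")
    if flow["dport"] not in ALLOWED_OT_PORTS:
        return (f"{flow['ts']} gateway passed unexpected port "
                f"{flow['dport']} to OT {flow['dst']}")
    return None


def audit(log_text):
    """Run every non-empty log line through classify() and keep the findings."""
    flows = (parse_flow(l) for l in log_text.splitlines() if l.strip())
    return [f for f in (classify(fl) for fl in flows) if f]


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOGS):
        print("ALERT:", finding)
```

Of the five constructed flows, three produce alerts: an IT workstation and an external host reaching OT directly, and the gateway forwarding RDP (3389) rather than a permitted industrial protocol.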
6. Create a response plan
Unfortunately, organizations must plan for the worst. In most organizations, there's no question of if a security event will happen. The question is when.
Know exactly how you would isolate an OT security breach and create site-specific response plans. Understand when you should shut down operations and the consequences of inaction. Plan ahead to ensure proper backup and data restoration when systems are ready to be brought back online.
How Wipfli can help
It only takes one security incident to compromise your operations, credibility, customer data — or worse. Wipfli can help you manage and minimize risk to your OT systems. We start by assessing your cybersecurity strategy, then develop a detection and response plan that's matched to your vulnerabilities and risk. To learn more, visit our cybersecurity services page.