Glenn Murray is CEO of cybersecurity company Sapien Cyber. Founded on Edith Cowan University’s 20 years of world-leading research in cybersecurity, Sapien Cyber is a commercial entity that brings together a team of academic and industry-experienced practitioners to develop a cybersecurity solution for Operational Technology (OT) environments and the associated IT technology. The team has created a robust and functionality-rich cybersecurity product suite. When supported by an experienced and skilled SOC, it enables businesses to effectively prepare for, defend against and respond to cyber incursions and their impact on business continuity, reputation and financial loss.
We spoke to Murray about the impact of cyber threats on today's C-Suite.
Is the C-Suite proactive in its preparation to tackle growing cyber threats?
IT and OT environments are not treated equally by the C-Suite, and our research has shown that to be true. Only 8% of security leaders take physical security like OT more seriously than IT networks, and only 57% see it as equally important.
The problem lies in how the C-Suite views cybersecurity as more of an IT-centric operation. Their conversations are usually centred around email firewalls and viruses because these are most referred to in the media, leaving operational technology behind and without as much investment.
It’s a two-pronged problem: there is a lack of understanding in IT around what OT cybersecurity looks like despite IT usually being given the responsibilities of protecting an organisation’s OT environment, and there are not enough OT professionals within organisations to inform the IT teams of what must be done.
There are so many different operating scenarios that simply don’t exist in an IT environment - one of the most obvious being the OT environment itself being physical rather than virtual - and we haven’t reached the point where the C-Suite recognises or understands how much an OT cybersecurity specialist is needed.
How are organisations leaving themselves vulnerable to attacks?
Attacks on operational technology have the potential to be some of the most damaging, not just to organisations but to real people and society more generally.
Take a chemical plant in the resource sector, for example. The safety controls of these organisations are being targeted currently. In an emergency situation, when you press the ‘red button’, you want the process to stop. These systems are being attacked so that when the red button is triggered, nothing stops, causing a serious accident at best and fatalities at worst.
Another example of this is vessels containing liquid. They are monitored with virtual sensors so when fluid fills the tank, alarms are set off at each level to trigger different scenarios. The highest alarm typically signals the vessel is at capacity, and therefore no more fluid should be added. Cybercriminals can simply access the system to move the virtual sensor to exceed the capacity of the vessel. It will therefore not get activated. In some scenarios, the liquid could be highly flammable, surrounded by hot operating equipment. This highlights how much of a problem an incident like this could cause.
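The vessel scenario above lends itself to a simple integrity check: a defender can compare the live high-level alarm setpoints against the vessel's physical capacity and a read-only commissioning baseline, so a setpoint pushed beyond capacity is caught before it silences the alarm. This is an added example written for this article, not Sapien Cyber's code; the tank, capacity and setpoint values are constructed.

```python
"""Audit level-alarm setpoints on a tank against its physical capacity
and a commissioning baseline (constructed data, not a real plant)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vessel:
    name: str
    capacity: float      # physical capacity in litres (constructed value)
    setpoints: dict      # alarm name -> level at which the alarm trips


# Constructed baseline: setpoints as commissioned, held offline/read-only.
BASELINE = {"L": 500.0, "H": 8000.0, "HH": 9500.0}
ORDER = ["L", "H", "HH"]   # alarms are expected in ascending level order


def active_alarms(vessel: Vessel, level: float) -> list:
    """Alarms that would be tripped at a given fluid level."""
    return [n for n in ORDER if n in vessel.setpoints and level >= vessel.setpoints[n]]


def audit_setpoints(vessel: Vessel, baseline: dict) -> list:
    """Return human-readable findings; an empty list means the config is sound."""
    findings = []
    sp = vessel.setpoints
    # 1. Every commissioned alarm must still exist.
    for name in baseline:
        if name not in sp:
            findings.append(f"{vessel.name}: alarm {name} missing")
    # 2. The highest alarm must trip before the vessel is physically full;
    #    a setpoint at or above capacity can never activate (the attack in the text).
    hh = sp.get("HH")
    if hh is not None and hh >= vessel.capacity:
        findings.append(f"{vessel.name}: HH setpoint {hh} >= capacity {vessel.capacity}, alarm can never trip")
    # 3. Setpoints must remain in ascending order.
    levels = [sp[n] for n in ORDER if n in sp]
    if levels != sorted(levels):
        findings.append(f"{vessel.name}: setpoints out of order {levels}")
    # 4. Any drift from the commissioned baseline is reported for investigation.
    for name, value in baseline.items():
        if name in sp and sp[name] != value:
            findings.append(f"{vessel.name}: {name} changed {value} -> {sp[name]}")
    return findings


if __name__ == "__main__":
    tampered = Vessel("T-101", 10000.0, {"L": 500.0, "H": 8000.0, "HH": 12000.0})
    print(active_alarms(tampered, 10000.0))      # full tank, yet HH is silent
    for line in audit_setpoints(tampered, BASELINE):
        print(line)
```

Run periodically against a configuration export or historian snapshot, the audit flags both the physically impossible setpoint and the drift from baseline, while `active_alarms` shows why the tampered tank reaches capacity without the HH alarm ever tripping.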
Why is there such a lack of focus on OT from the C-Suite?
The good news is that the focus from the C-Suite in owner-operator assets is changing to include OT, but there are still many that need to catch up.
Digital transformation has caused the landscape of cybersecurity to change quite dramatically, especially since Covid-19 entered our lives, forcing employees to work from home and possibly enabling situations like the Florida water utilities attack earlier this year.
Organisations need data from all areas of business if they’re to work strategically, including operational technology. To increase the return on investment to shareholders, the head office needs data from multiple sites to make informed decisions, increasing production or reducing overheads for example.
It is well known within the OT environment that one of the biggest overheads on site is routine-based maintenance. This has made the owner operators review their maintenance programs and move to a more predictive-based model, adding sensors to monitor oil temperatures, pressure and so on that feed back into the corporate network, alerting them when something’s about to fail so they only carry out maintenance when it’s needed. In doing so, they’ve exposed these offline technologies to the online world (and therefore, cyber threats).
No one ever thought they would be connected to the internet, linked back to corporate IT. This means that, overnight, organisations are left unprepared because cybercriminals have an entry point for an attack that didn’t previously exist, and one that hasn’t been patched for, leaving the business open to exploitation.
What is the chain of command for cybersecurity in organisations?
Cybersecurity for this kind of equipment generally falls into the risk area, with risk managers treating cyber threats like any other risk to business. It’s their responsibility to mitigate risk; if there was a production shutdown because of a cybersecurity attack, the organisation would lose millions of dollars.
But unfortunately, where cyber threats are concerned, a high level of expertise is necessary. A ‘ticking the box’ mentality applicable to all organisations won’t cut it. This approach leaves gaps for cybercriminals to get through.
The other problem lies with the opposing mindsets of cybersecurity professionals. While IT security is centred around IT equipment such as servers, OT networks contain generators, gas turbines and big machinery that work in an entirely different way. The approaches and the professionals need to be different as a result, which just isn’t currently the case for most owner-operators.
The problem here, again, is the way OT cybersecurity is viewed by the company. It’s not an extension of IT security, it’s completely different, and requires just as much attention.
In IT, there are generally three stages to security: managing vulnerabilities, detecting threats, and responding to threats if necessary. In OT, the ‘preparing’ stage is typically missing entirely where organisations have got equipment on site at the original patch installation date. If organisations do have a security plan for this environment, it’s usually just how to respond to an attack if/when one occurs.
What needs to happen is that there needs to be a dedicated OT professional responsible for the cybersecurity of these complex environments, carrying it out in the same way IT security is (broken down into those three stages). It’s completely doable, but like I’ve said, some companies are there, and others are just not there yet when it comes to understanding the risks of an OT cyberattack. That’s why outsourcing this responsibility to companies like ours will help to bridge the gap.
What examples of significant cyberattacks can C-Suite take learnings from?
There have been several major attacks recently that industries and government need to be looking at. Triton, malware developed in the Middle East, is targeting the safety systems of plants. The Florida water utilities attack also received a lot of press, with a cybercriminal increasing the chemicals in the water supply of Florida (fortunately, an employee spotted the error; otherwise the attack would’ve poisoned the drinking water of many Florida homes).
The Colonial Pipeline attack, another recent attack on OT, was unique in that social engineering was involved. Attackers focused on where insurance companies covered ransomware attacks, and the Colonial Pipeline fell into that category. The ransom was paid in just a few hours via bitcoin from the insurance company.
Sadly, hospitals are being targeted heavily at the moment all over the world, putting people’s lives directly at risk, particularly when you consider that public sector organisations tend to have less investment than their private counterparts, especially in cyber technology.
What’s important to note is that cybercriminals have no geographical boundaries. A key learning from previous attacks is that it can happen at any time, anywhere, carried out completely remotely.
How will government regulations help to manage cybersecurity risks within organisations?
While these bills and pieces of legislation provide guidelines, it’s important to note that they don’t manage cybersecurity. In my view, they are simply guidelines and should be treated as such; they do not guarantee security.
They create a ‘ticking the box’ mentality. Rather than understanding their unique security issues, organisations just follow the legislation and feel confident they’re covered. It just doesn’t promote the right behaviours that are necessary.
It is good that governments are getting more involved, as these attacks affect national infrastructure, but they need to work with industries in a more coordinated approach, in the same way attackers are collaborating. That’s where government involvement is really useful, making defenders better at fixing issues and, importantly, preparing for and preventing them.