How Can Critical Infrastructure Industries Ensure They Have The Right Technology Stack For Ensuring Operational Technology Cybersecurity?

With cybersecurity for operational technology becoming extremely vital, a leader in the field discusses how organizations can secure themselves.
You're reading Entrepreneur India, an international franchise of Entrepreneur Media.
Cyber-attacks on critical infrastructure industries such as oil and gas, energy and utilities, transportation and semiconductor manufacturing are constantly rising. The cyber-attacks on Ukraine's power grids in 2022, the ransomware attack on a key supplier of Taiwan Semiconductor Manufacturing Company (TSMC) in 2023 and the cyber-attacks on Washington State's Department of Transportation (DoT) in 2023 are just some of the recent examples of such widespread attacks. With the spread of newer technologies such as manufacturing 4.0, which leverages smart devices and robotics for manufacturing, and generative AI, these threats will continue to rise and become more severe in the coming years. These attacks target operational technology (OT) infrastructure, the core components of critical infrastructure industries that are responsible for providing critical services to citizens, such as running water, electricity, oil and gas and transportation.
In this article, we obtain insights from Krishna Chaitanya Tata, an OT cybersecurity leader based in McKinney, TX, on the strategies available to organizations for implementing the right set of technologies and controls to defend against cyber-attacks on their OT infrastructure. Krishna Chaitanya Tata is an OT cybersecurity leader with IBM who is at the forefront of designing strategies and creating products that help US critical infrastructure organizations defend against cyber-threats to their OT infrastructure. Since early 2015, Krishna has been devising OT cybersecurity strategies for his clients and building cutting-edge cybersecurity products for IBM, including award-winning ones such as IBM QRADAR SOAR and QRADAR SIEM. In addition, he has built and trained one of the biggest groups of OT security professionals in the world at IBM. Both his products have brought groundbreaking innovations to the OT cybersecurity industry for the first time, such as auto-remediation of security alerts using artificial intelligence and contextual enrichment of OT alerts through threat intelligence. Over the past decade, he has been consistently at the forefront of the battle for OT cybersecurity by creating products, designing strategies, writing articles, and speaking at events such as RSA and IBM Think.
Operational Technology cybersecurity in a nutshell
"Operational Technology cybersecurity essentially refers to cybersecurity for Operational Technology (OT) infrastructure. OT infrastructure includes complex automation devices such as programmable logic controllers (PLCs), remote terminal units (RTUs), supervisory control and data acquisition (SCADA) systems, automation robots and Internet-of-Things (IoT) sensors. Cyber-attacks on critical infrastructure have become increasingly common in the past decade and have really gathered pace in the last 1-2 years. The goal of these attacks is not necessarily to steal personally identifiable information (PII) or pilfer money, such as through money laundering, but rather to disrupt critical services for citizens and possibly cause Intellectual Property (IP) theft. So, these cyber-attacks include incidents such as stopping transportation on certain train lines, causing outages to certain power grids or causing certain oil refineries to stop. All of these disrupt essential services to common citizens and are far more dangerous than regular cyber-attacks. They can also cause IP theft; for example, in a recent cyber-attack a Chinese semiconductor company achieved the exact same design of a 7nm semiconductor chip from the Taiwanese company TSMC. So, OT cybersecurity really deals with the critical infrastructure of a nation, and deals with electronic and automation components which are increasingly more prone to cyber-attacks," explains Krishna.
Strategies available to deal with OT cybersecurity
"Creating the right strategy to deal with OT cybersecurity is a critical first step. A complete end-to-end OT cybersecurity program is needed, which starts with the right strategy. The strategy should outline various categories such as hardware security lifecycle, software security lifecycle, vulnerability management, patch management, penetration testing, access control, network security, incident response, and threat intelligence. Also, the defense philosophy is important, such as a layered defense (onion peel model), where there are multiple layers of controls before an attack can reach the target device; defense-in-depth (DID), which is similar but has more intelligence mechanisms built in to obtain overall information about the attack in order to thwart similar attacks in future; or the zero-trust model, which is built on the principle of distrust and verify. Zero-trust emphasizes the need to have every device and every access attempt authenticated and to not trust any connection based on its implicit role or entitlements.
Once the overall strategy is created and all the components are identified, the next step is to create a governance structure to manage OT security across the organization. The governance structure, with the right amount of focus and dedication from senior management, is how the end-to-end cybersecurity program will become successful. Choosing the right technology stack follows afterwards," says Krishna.
Technology stack needed for OT cybersecurity
"Once the strategy and governance are in place, the next step is to identify the right technologies that will need to be implemented to secure the OT infrastructure. So, each category of the strategy, such as access control, network security, incident response and so on, will be mapped to technologies that will assist in implementing controls for those categories. Access control, for example, is critical for OT cybersecurity, and there is a host of organizations dealing with secure remote access and privileged access management for OT networks, such as tDI Consoleworks, Claroty SRA, Xage, Cyolo and so on. They provide cutting-edge artificial intelligence-based technologies to enforce the right levels of access control to critical OT infrastructure. For network monitoring there are industrial intrusion detection systems (IIDS) such as Nozomi Guardian, Claroty Continuous Threat Detection, Armis and Darktrace, which provide the necessary monitoring of OT networks to identify malware and anomalous behavior such as attempts to shut down controllers that could cause a plant shutdown. These technologies, combined with OT firewalls and device access control technologies such as Cisco ISE, are great technologies to thwart such attempts in the first place. Also, from an incident response standpoint, technologies such as Splunk Enterprise Security and IBM QRADAR are great tools to collect information from various different sources within the OT environment and provide actionable intelligence for analysts to work on.
Additionally, automated remediation actions within OT are also becoming increasingly common, with automation and orchestration technologies from major companies such as Microsoft, IBM and Splunk providing powerful means to auto-resolve security incidents in OT environments with minimal human intervention," explains Krishna.
Trends and newer challenges in OT cybersecurity
"Critical infrastructure industries are going through a massive transformational churn, just like several other industries. The rise of generative AI, for example, has now resulted in organizations creating their own AI engines by training them on large code datasets. This is a great innovation, as a lot of code that is reusable and repetitive can now be automated using AI modules. However, this also introduces a major security risk. For example, if AI-trained models are responsible for writing code for PLCs, how do we ensure the generative AI doesn't introduce malicious code such as backdoors or logic bombs to either shut down PLCs unexpectedly or to cause PLCs to be reprogrammed to carry out malicious tasks such as shutting down safety valves? So, with the rise of generative AI, the need to embed security within them for OT security becomes very critical. In addition, we have the rise of manufacturing 4.0, which essentially refers to the proliferation of Internet-of-Things (IoT) devices and sensors, robotics and private 5G networks across critical infrastructure organizations. It is very common to find IoT devices, robotic controllers and private 5G networks across transportation networks such as major rail stations, major manufacturing plants and electrical stations. This is a paradigm shift, since OT networks have traditionally been very isolated and air-gapped from the outside world. These newer innovations, brought by manufacturing 4.0, now introduce threat vectors that need to be closely monitored. So, as part of the overall strategy, a separate capability needs to be created just for emerging technologies, and controls must be defined to handle risks coming from them. For example, monitoring technologies to monitor IoT communication, ensuring encryption of IoT communications and ensuring IoT devices are communicating with servers within the organization's premises only and not in the cloud are some of the controls that must be considered," cautions Krishna.
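Two of the controls named above, keeping IoT traffic on premises and requiring encrypted transport, can be turned into an automated check over network flow records. The following is an added example, not code from the article or from any product it mentions; the address ranges, ports and flow records are constructed, and the `Flow` record shape is a hypothetical simplification of what a network monitor would export.

```python
"""Egress and encryption policy check for IoT/OT flow records (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample policy: address space the organization treats as on-premises.
ON_PREM_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample policy: destination ports accepted as encrypted transport
# for IoT telemetry (MQTT over TLS, HTTPS, AMQP over TLS). Anything else is
# treated as unencrypted, so an unknown port is flagged rather than trusted.
ENCRYPTED_PORTS = {8883, 443, 5671}


@dataclass(frozen=True)
class Flow:
    """One summarized network flow from an IoT device (hypothetical record shape)."""
    src: str
    dst: str
    dport: int


def is_on_prem(addr: str) -> bool:
    """True when the address falls inside one of the on-premises networks."""
    ip = ip_address(addr)
    return any(ip in net for net in ON_PREM_NETS)


def evaluate(flow: Flow) -> list[str]:
    """Return the policy violations for one flow; an empty list means compliant."""
    findings = []
    if not is_on_prem(flow.dst):
        findings.append("egress_off_premises")   # talking to a server outside the plant
    if flow.dport not in ENCRYPTED_PORTS:
        findings.append("unencrypted_transport")  # plaintext (or unknown) protocol
    return findings


def audit(flows: list[Flow]) -> dict[Flow, list[str]]:
    """Map every non-compliant flow to its violations."""
    return {f: v for f in flows if (v := evaluate(f))}


# Constructed sample flows: 203.0.113.x and 198.51.100.x are documentation
# ranges standing in for cloud endpoints; 10.20.1.5 is an on-prem broker.
SAMPLE_FLOWS = [
    Flow("10.20.1.15", "10.20.1.5", 8883),      # compliant: on-prem, MQTT over TLS
    Flow("10.20.1.16", "203.0.113.10", 8883),   # encrypted but leaves the premises
    Flow("10.20.1.17", "10.20.1.5", 1883),      # on-prem but plaintext MQTT
    Flow("10.20.1.18", "198.51.100.7", 1883),   # both violations
]

if __name__ == "__main__":
    for flow, findings in audit(SAMPLE_FLOWS).items():
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {', '.join(findings)}")
```

The same shape of check can be fed from an IIDS or SIEM export instead of the inline list, with the policy sets maintained alongside the asset inventory.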
Organizational preparedness for near and longer-term
"As I've explained earlier, OT security is extremely important, and emerging technologies will only compound the challenge of securing critical infrastructure industries. Budgeting for security is extremely important, as this is not optional for critical infrastructure industries. Critical infrastructure industries are large organizations with plants, refineries, stations and so on spread across vast geographical areas. They are distinct from startups that work primarily online, such as FinTech or EdTech organizations, which don't need to maintain their own infrastructure. These online organizations can outsource their entire infrastructure to the cloud and also have the cloud service provider be responsible for security, but critical infrastructure industries don't have that luxury. Owing to their vitality, critical infrastructure organizations cannot move to the cloud for their core OT operations.
The White House's emphasis, in the form of the national cybersecurity strategy, and the European Union's, in the form of the cyber resiliency act, show how critical cybersecurity for critical infrastructure industries is for Operational Technologies. Therefore, budgeting for cybersecurity is extremely critical. Creating the right vision, strategy, governance structures, program and technologies will ultimately drive them to success in the near and longer term. How successfully organizations can pivot to a proactive security strategy rather than being reactive will set them apart from their competitors and also ensure their continued success," concludes Krishna.