Steven Sim has worked for more than 25 years in cybersecurity with large end-user enterprises and critical infrastructures, has undertaken a global CISO role, and has driven award-winning CSO50 security governance and management initiatives. He has also volunteered as Chair of the OT-ISAC Executive Committee, as President (2021-22) of the ISACA Singapore Chapter (ISACA Global Outstanding Chapter Achievement in 2022), and as a member of the Geneva Dialogue Technical Community. He has been recognised with the #1 CSO30 ASEAN Award (2021), the ISACA Outstanding Chapter Leader Achievement Award (2022), #7 Global Cyber Security Thought Leaders (IFSEC Global Top Influencers 2022), Top 100 Global CISOs (Cyber Defense Magazine), ISACA Global Outstanding Chapter Leader (2022), and as a Singapore SkillsFuture Fellow.
OT is used in our Everyday Lives
Operational Technology (OT) has been with us for the longest time, deeply rooted in our everyday lives. As you sleep and work, whether at home or in the office, the heating, ventilation and air-conditioning are OT. The elevators and escalators you use to ascend or descend buildings and train platforms are OT. Your automobile, the bus you took and the train you took are OT. The traffic lights and signalling systems, and the power that drives almost every piece of equipment around us, operate using OT.
So, WHY are we concerned now? WHAT has changed?
OT equipment was not built with the intent of operating in Industry 4.0. It is insecure by design, because its security relied heavily on such legacy equipment operating in enclosed networks, never exposed to hacking from the outside world.
Our industry is in a revolution towards Industrialization 4.0. The digital transformation that drives this revolution leads to increased interconnectivity and the convergence of IT and OT. As we mature on this journey up the maturity levels, from better computerisation through connectivity, visibility, transparency and predictive capacity to adaptability, phygital risks correspondingly also rise.
At the peak of the maturity index, we will have autonomous systems which act independently using analytical and predictive abilities. The actions they take to adapt to changing conditions are often dependent on interconnected sensors and equipment to handle both routine operations as well as emergencies and developing problems, to the extent of becoming self-healing systems.
The risks are wide-ranging, and entire economies can be crippled. Already, even now at the foot of the Industry 4.0 maturity index, the impact can be felt. We read about power plant hacks in many cities, resulting in the unavailability of electricity, with the cascading impact of heating systems going out of operation in freezing cold weather.
We read about ransomware and wiper-worm breaches disrupting major logistics shipping giants and pharmaceutical companies to the tune of US$10 billion in losses, and delaying the delivery of life-saving drugs. We also read about emergency telephone lines and hospitals being brought down, sometimes self-induced, when a hurriedly and inadequately tested bug fix turned out to be buggy itself in specific configurations. States of emergency have been declared when entire city networks have been crippled.
Supply chain attacks further complicate the attack surface. We have seen that in the NotPetya, SolarWinds and Log4J attacks. Supply chain attacks are not new and have occurred in IT for the longest time, such as in the multiple attacks on OpenSSL (an open-source component relied upon heavily by commercial software and platforms for encryption). However, with the advent of Supply Chain 4.0, the convergence of IT and OT has made it worse and will continue to do so.
Hacker tactics have also turned increasingly sophisticated. Ransomware has evolved from a single-extortion attack (i.e. demand payment to decrypt the hard drive), to worm-like behaviour with double extortion (i.e. demand payment also not to leak stolen sensitive information), to triple extortion (i.e. demand payment not to disrupt internet websites with DDoS attacks), to quadruple extortion (i.e. demand payment not to leak news about the breach to the public media), and to ransom cartels.
Performing penetration testing on OT in the earlier days of my career, some ten years ago, I was able to hack into autonomous vehicles to freeze them on their tracks. Therefore, I cannot imagine the impact on the economy if autonomous vehicles, cranes and ships were halted in their tracks all at once. The convergence of critical infrastructure with the Internet in smart cities, through IoT and smart sensors, increasingly intertwines cybersecurity and safety, so that they must be mentioned in the same breath.
In the World Economic Forum Global Risks Report 2023, widespread cybercrime and cyber insecurity were among the top ten risks in both the two-year and ten-year horizons. With the emerging technologies used in Industrialization 4.0, including but not limited to quantum and artificial intelligence, the “limited protocols governing their use poses its own set of risks”. The report sums up the risk impact nicely with the following statement: “The ever-increasing intertwining of technologies with the critical functioning of societies is exposing populations to direct domestic threats, including those that seek to shatter societal functioning.”
Now this is definitely worrisome, WHAT can WE do NOW?
We are living in a New Cyber World Order. In this new cybersecurity normal, breaches are inevitable. No vendor will guarantee you a security solution that can secure your company and guarantee zero breaches.
While breaches are inevitable, the impact on the business, on critical infrastructure and on entire economies is not: attacks can be disrupted and their impact mitigated. We can prevent the loss of livelihoods and lives.
Within the enterprise and across your supply chain, adopt a Zero Trust mindset and approach, shore up active defenses, and focus not just on security by design, by default and by deployment, but also on the ability to ingest threat intelligence in a timely manner, detect fast, contain fast and recover fast in a cyber-resilient manner.
Cybersecurity teams and OT engineering teams must work together now to align their fight and defense against perpetrators.
Tipping the scale of asymmetry by our Collective Defense
For the longest time, hackers have been helping one another in tightly-knit communities. They have created ransomware-as-a-service (RaaS) and have quality control processes and code-sharing schemes.
Therefore, at the macro level, defending enterprises need to work with other enterprises, communities and regulators in public-private partnerships to synergise efforts through a multi-pronged approach: deploy and execute best practices, share threat intelligence and, through force multiplication, tip the current imbalance in the scale of asymmetry against the attackers.
Hackers need only develop one new tactic against one new vulnerability and then re-use the same tactic repeatedly against all digitally connected entities. As defenders, we have to scour all systems for this vulnerability and tactic by checking across all defenses and all signals.
However, when defenders come together and share best practices and threat intelligence on that new tactic and new vulnerability with the rest of the community, everyone else gets to shore up their defenses, fix the vulnerability and render the tactic useless. Enterprises need to look outwards by standing up collectively as a community (e.g. ISACs such as OT-ISAC, ISACA, ISC2, the Geneva Dialogue, etc.) to share best practices and threat intelligence. You are not alone in this fight. This is how the asymmetry can be tipped over.
What is key to future-proofing against OT phygital risks in Industrialization 4.0 is elevating maturity in both risk governance and security governance, as well as adopting ecosystem thinking and levelling everyone up together by tapping into the collective mind-share. Ultimately, we are only as strong as our ecosystem.