Building cyber resilience in operational technology

As the digital era continues to evolve, operational technology (OT) environments, including professional radio communication systems used by public safety professionals, are rapidly integrating with information technology (IT) systems to improve efficiency and productivity. As a result, they have increasingly become prime targets for cybercriminals. The transition from isolated, air-gapped systems to internet-enabled ones exposes OT environments to a myriad of cyberthreats previously targeted at IT systems.

Among these threats, radio-based cyber attacks are of particular concern. Notably, the Terrestrial Trunked Radio (TETRA) standard, a system used by crucial infrastructure sectors, recently experienced the disclosure of five security vulnerabilities, known as TETRA:BURST. These vulnerabilities pose a significant risk to OT systems and operations as they allow real-time decryption, message injection and user de-anonymisation. Two of the most severe, CVE-2022-24401 and CVE-2022-24402, can respectively disclose encrypted communications and allow data injection into industrial monitoring and control traffic.

These attacks involve a threat actor intercepting or emitting radio signals for malicious purposes. They often target wireless communications that are not encrypted or have weak authentication protocols. This means OT operators must move beyond merely safeguarding their systems to prioritise building resilience more proactively within their OT environments.

Sophisticated threat actors targeting OT environments can cause extensive damage, creating health and safety hazards, tarnishing reputations, and leading to significant financial and intellectual property (IP) losses. This is especially impactful for public safety professionals whose radio systems are critical for coordinating responses to emergencies. Unlike threats to IT systems, which are often financially motivated, the motives behind OT attacks vary. From geopolitical conflict and disruption to ego-driven subgroups and IP theft, the reasons are as diverse as they are destructive.

Additionally, OT cyber attacks tend to have more negative effects than IT threats as they can also have physical consequences. For example, cyber attacks focused on OT can trigger facility shutdowns and equipment malfunctions, and even cause plant explosions.

In 2022, a series of near-miss cyber attacks on OT systems occurred as threat actors attempted to disrupt various critical infrastructure (CI) providers globally. In Moscow, cybercriminals tried to spoil 40,000 tons of frozen meat at Seliatino Agrohub by manipulating temperatures, while multiple Indian State Load Despatch Centres weathered an eight-month-long, state-sponsored attack from China. Meanwhile, Ukraine faced targeted assaults on its high-voltage substations and power plants by Russia, and Mexico’s Secretariat of Infrastructure, Communications and Transportation (SICT) experienced an attack threatening to disrupt international trade and truck operations.

Building resilience in OT environments

As threat actors shift their focus towards disrupting OT environments, it’s important that OT operators, including those maintaining professional radio systems, strengthen their resilience strategies. Building cyber resilience within the OT sphere is not just about defending against cyber attacks; it’s about enduring them and maintaining operations even when they occur. To build resilience, it’s important to achieve a level of cybersecurity maturity on par with IT networks. This means shifting from responding reactively to threats and adopting a proactive, anticipatory posture. Several best practices to enhance OT resilience include:

1. Centralised visibility. A lack of centralised visibility increases risk and weakens an organisation’s security posture. To bridge the gap between OT and IT security, a centralised system that offers comprehensive, real-time visibility into all communication assets, networks and operational processes is crucial.

2. Automated asset management. For greater cybersecurity resiliency, organisations must consider automating their asset inventory. Automated asset management provides a consolidated view of all communication assets, including both known and unknown devices. With this information, threats can be identified and countered before they escalate.

3. OT network segmentation. Without deliberate division of control systems and data networks, like industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems, cyberthreats may freely infiltrate operational systems. By segmenting these networks, vulnerabilities are reduced, monitoring of data traffic is simplified, access is limited to authorised personnel, and the lateral spread of threats is prevented.

4. Regular security evaluations. Building resilience requires regular security assessments. Tactics such as red teaming and penetration testing simulate real-world attacks, checking the organisation’s ability to detect and respond to threats, and evaluating the risk against crucial communication assets.

5. Measuring cyber resilience. For OT operators, it’s essential to keep track of their cyber resilience. This involves analysing the current threat landscape, tracking how risks change based on proactive steps taken, and then using that information to strengthen defences to ensure ongoing operations and business continuity.

6. Vulnerability management. Creating a risk-based inventory and developing risk management frameworks to proactively identify, assess and mitigate incidents is vital. Alignment with IT systems and ongoing evaluation can enhance security considerably.

7. Security controls. Implementing robust processes and technologies can shield OT environments from internal and external cyber attacks. Secure authentication, authorisation and data encryption practices, alongside active system monitoring, are key to this effort.

Raising the awareness of cyberthreats through education

To effectively build cyber resilience, OT operators must also invest in employee awareness and training programs, equipping their workforce with the knowledge and skills to identify and respond to potential threats. By fostering a culture of cybersecurity awareness, employees become the first line of defence against attacks. Training sessions should cover topics such as recognising phishing attempts, practising secure authentication and password management, and understanding the importance of regular software updates.

Additionally, OT operators should invest in specialised training that addresses the unique cybersecurity challenges specific to OT systems. This includes understanding the risks associated with integrating OT and IT systems, identifying vulnerabilities in legacy systems and implementing secure configuration practices.

The path to operational resilience

In this ever-evolving digital landscape, there’s a heightened, global susceptibility to ransomware attacks that will continue to shape the OT cyberthreat scenario. Unfortunately, many communication systems used in emergencies aren’t secure enough, making them easily accessible without permission. While the systems used by the military or government are usually the main targets, others, including those used by emergency services, hospitals, airports and data storage centres, are also at risk.

Threat actors targeting the OT space are patient, well-funded and highly motivated. There will continue to be an upswing in ransomware attacks directly disrupting operations by targeting industrial control systems (ICS) across a range of industries, organisations, vendors and subsidiaries. The intensification of these attacks is driven by several factors, such as rising geopolitical tensions, the debut of the LockBit Builder, and the persistent expansion of the ransomware-as-a-service (RaaS) model. These elements contribute to the increase in ransomware activity, substantially impacting industrial organisations and reshaping the threat environment.

As the OT sector continues to connect with the cloud and the internet, its exposure to cyberthreats continues to grow. OT operators must understand the changing landscape and secure their operations accordingly. Recognising the risks, the motives behind attacks, and the strategies of different threat groups is critical to developing and maintaining a resilient OT environment. It’s time to shift perspective on OT security, from simply defending against threats to actively building resilience that anticipates, withstands and mitigates these steps. The move to a more resilient OT environment can be complex, but the journey is not just necessary, it’s inevitable.

*Michael Murphy is the Head of Operational Technology and Critical Infrastructure at Fortinet. Michael has more than a decade of real-world experience in CI, with a background in critical incident response and digital forensics. He has held various roles as a cybersecurity practitioner and has built OT incident response teams for events with real-world ramifications using a broad range of structured knowledge and pre-existing frameworks and standards. Michael’s experience has taught him that adaptability and agility in these scenarios are just as valuable if not more so than any playbook. Michael’s role with Fortinet focuses on assisting organisations to build cyber resilience for OT while helping them understand how to achieve strong outcomes for OT security.

Top image credit: iStock.com/Ignatiev