A network is only as strong as its weakest link. Unfortunately, operational technology (OT) environments can sometimes be that unprotected weak link that hackers can use to take down critical infrastructure. The Colonial Pipeline Company found that out the hard way in May 2021, when hackers used a compromised password to gain access to the network. The incident forced the company to cease all pipeline operations for six days and wreaked havoc across the southern and eastern US, which rely on the pipeline for gas, diesel fuel, and jet fuel.
The very technologies that enable network access, visibility, and management can be used nefariously by bad actors. It’s a trade-off: more connected devices mean more potential points of access. With the growth of IoT, there are now a lot of connected devices.
In 2010, 12.5 billion devices—approximately 1.8 devices per person—were connected to the Internet, says Nicole Newmeyer, technical director for IoT Integration at the Department of Defense’s National Security Agency. In 2021, that number was expected to break 46 billion, and it will continue to climb, she says.
“IoT is already changing how we exist as humans and how we interact with the world,” Newmeyer says. It’s changing how our foes interact with us, as well. The use of IoT is reducing barriers to entry, “growing the attack surface for our national adversaries,” Newmeyer says.
Governments, recognizing this threat, are introducing legislation to protect against malicious activities. Companies have begun to ramp up their OT cybersecurity efforts to be compliant, but it’s a daunting task with new and changing regulations. Plus, many cybersecurity systems are designed for IT systems and don’t translate well in the OT world. As a result, companies are looking for new ways to better secure their OT environments.
A recent survey of 200 chief information security officers (CISOs) found 57 percent lack the skills needed to maintain an OT cybersecurity system, and 49 percent agreed that mitigation steps—often requiring a work stoppage—simply are not feasible in OT environments.
Some companies are using intrusion detection systems, but that’s not enough, says Nick Donaldson, vice president of alliances at Otorio. “That would get you a lot of information, but it doesn’t tell you what to do with it,” he says.
Otorio, an Israel-based industrial cybersecurity company, developed RAM2, which addresses these issues. RAM2 looks at the entire network topology, considering all assets and management systems, and builds a map of the client’s operations. It then assesses the severity of the threat.
Using a digital twin of the OT network, the RAM2 software runs virtual attacks on the network. It generates a report identifying and prioritizing the vulnerabilities, and it includes the steps needed to mitigate those risks. The discovery and assessment are automatic, but the mitigation is performed by a systems integrator or consultant, providing a high value-added service opportunity for integrators. Otorio’s goal of 10x growth over last year will be realized through channel partnerships, like the one it has with Arrow.
The High Cost of Cyber Attacks
While no lives were lost in the Colonial Pipeline or other OT attacks, it’s just a matter of time. Gartner research indicates that by 2025, cyberattackers will use OT environments to cause physical harm to humans. Cybersecurity strategies should do more than protect against information theft; they need to focus on the threat to human life and environmental disruption.
“The C-suite has to stand up and take ownership of that,” Donaldson says.
Aside from the incalculable cost of human life, the financial impact of cyber-physical attacks will surpass $50 billion in just two years, when you factor in compensation, litigation, fines, and sullied brand reputation. According to a Gartner report, 75 percent of CEOs will be held personally liable for cyber-physical security incidents by 2024.
With Otorio’s OT security solution, Donaldson says, “They have the ability to assess, in advance, where the holes are and how to manage those holes. Having this information will allow them to manage the vulnerability of their network.”