As we continually seek increased connectivity to support the digitalisation of infrastructure services, legacy infrastructure and an escalating series of interlinked cyber threats, each with different motives and threat vectors, are placing significant demands on large-scale industrial and business networks. At the same time, attack surfaces are increasingly vast, with most organisations now making operational technology (OT) systems accessible remotely, over the internet, and in the cloud, further exacerbating the potential threat.
Understanding the risks
We need only look at recent news headlines to recognise the threats security teams are confronting. Rising risk from human-operated ransomware and nation-state attacks, ongoing digitalisation and cloud migration, coupled with growing integration between information technology (IT) and OT, is forcing organisations to be hyper-vigilant to an ever-widening range of cyber-risks.
According to new Bridewell research, cyber attacks against critical national infrastructure (CNI) have increased significantly in the UK since the start of the Ukraine war, with over seven in ten cyber security decision-makers reporting a rise in cyber attacks since the start of the conflict.
Ransomware is another ever-present risk factor. Data breaches resulting from ransomware attacks jumped by 13% from last year — equal to the last five years’ increase combined, according to the Verizon Business 2022 Data Breach Investigations Report. No organisation is immune, yet many still do not have critical measures in place to help prevent, detect and deal with ransomware, according to the Bridewell research. Supply chain risks are also escalating, with attacks providing a foothold into an organisation and allowing criminals to compromise large sections of it.
The cost of connectivity
Levels of concern are likely being exacerbated by the increasingly complex IT and networking infrastructures which act as the backbone of these businesses. Traditionally, CNI organisations have managed industrial control systems (ICS) and critical applications on their own closed private networks, with limited connectivity back to central management systems and data custodians. However, this basic air-gapped design meant that cyber security was never a clear focus, as physical security was considered the greater risk.
To support digital transformation and the drive to use automation to boost efficiency, many SCADA-based systems are now being connected to wider IT infrastructure and the internet. This means that cyber security issues affecting IT now impact operations, making IT a common attack vector into the OT environment.
At the same time, with the drive to embrace data and automation in ICS, many are turning to the cloud as an enabler, but without sufficient skills to manage cyber security in a cloud environment. Indeed, the Bridewell research reveals that many are struggling to manage cloud security, with 4 in 10 admitting to not having the skills to monitor threats in the cloud.
But cloud risks are growing and organisations cannot afford any gaps. We are continuing to see cloud-based systems, services and data being targeted by ransomcloud – attacks that target or take advantage of weaknesses or legitimate functionality in cloud resources to deploy malware, encrypt data and extort money from businesses. No organisation is immune, but those that lack maturity in architecting secure cloud services are particularly vulnerable. Facing this complex web of risks, it is incumbent on industrial organisations today to review their own security posture and put in place measures to boost cyber maturity and resilience.
Building cyber resilience
The government has already taken some important steps to improve the cyber resilience of the UK’s critical national infrastructure. However, there is still further opportunity for operators to strengthen defences. Regulations will only ever go so far in tackling the issue; organisations must also develop a holistic view of cyber security that ensures visibility into site-level OT traffic and vulnerabilities, protection and understanding of cloud and SaaS assets, and comprehensive analysis of user and identity behaviour.
Traditional preventative methods lack the sophistication and agility needed in today’s complex cyber landscape. Instead, organisations must adopt a more proactive, intelligence-led approach and develop a holistic view of cyber security across IT, OT, cloud and end-user devices. This means shifting from pure security monitoring and notification to managed detection and response (MDR) that leverages multiple detection and response technologies, including those sensitive to OT environments.
By combining human analysis, artificial intelligence (AI) and automation, MDR enables organisations to rapidly detect, analyse, investigate, and proactively respond to the earliest signs of a potential breach. Importantly, an MDR solution also allows organisations to develop a reference security architecture that facilitates the safeguarding of on-premises and legacy systems, SaaS solutions and cloud-based infrastructure applications. It also helps security teams to protect against and respond effectively to emerging security and user identity threats while reducing the dwell time of any breach.
The best forms of MDR utilise Extended Detection and Response (XDR) technologies which allow detection and response across endpoint, network, web and email, cloud and – importantly – identity, alongside a service wrap that goes above and beyond the capabilities of the technology. This means all users, assets and data remain protected, regardless of where the attack comes from.
Seizing the cloud opportunity
The cloud presents both an opportunity and a risk to operators of CNI. However, those organisations that use it as an opportunity to make cyber security investments that reduce risk and support transformation will be better placed in the long term than those that simply add new technology as another entry on the board’s risk register.
Basic cyber-security hygiene practices, such as regular testing and patching of any systems connected to the internet and segmentation of networks, still have a critically important role to play. However, the nature of current threats also necessitates a strategic change in cyber security that focuses on enabling operators to detect and respond to active threats. With the right strategy, based on threat intelligence linked to MDR and supported by ethical hacking techniques to test defences, organisations can reduce the time from intrusion to discovery and limit the damage done by attackers.
It’s an exciting period of change for the industry, as new technologies are woven into operations to streamline services and enhance the customer experience. However, steps must be taken to ensure transformation does not come at the expense of cyber security. With the right strategy, and the support and guidance of a trusted security partner, operators can reduce cyber risks, even as the possibility for cyber attacks increases, and reap the benefits of a stronger, structured system for managing, isolating, and reducing threats.
Martin Riley, Director of Managed Security Services
Martin joined Bridewell in 2021 as Director of Managed Security Services. A Board Director, he is responsible for leading the continued growth and scaling of Bridewell’s Managed Security Service portfolio, including the Security Operations Centre (SOC) and Managed Detection and Response (MDR) service.
Martin has nearly 20 years’ experience in designing, implementing and leading on secure networking solutions across on-premises, public, private and hybrid cloud services. Prior to joining Bridewell, he was CTO of Timico, where he was responsible for the strategic direction and digital transformation of the business as well as service development. Before this he was Head of Infrastructure at Adapt.
Martin is passionate about the role cyber security plays in infrastructure and cloud services. He is Azure certified and is an AWS Architect, with accreditations in Cisco and Juniper Networks.