In late November 2023, a small western Pennsylvania water treatment facility discovered that it had been breached by a nation-state attacker. Other US-based water treatment plants quickly found that they, too, had been breached by a cybercriminal syndicate associated with Iran’s Islamic Revolutionary Guards Corps (IRGC).
In Europe, Denmark suffered breaches of 22 energy companies in May. And the pace quickens. The International Energy Agency reports that cyberattacks against utilities are doubling every week.
Over the past few years, we’ve witnessed cyber attacks against food producers, agricultural businesses, and product manufacturers. Such assaults on industrial processes compromise operational safety and may even put the lives of workers and the general public at risk. They also threaten food security, supply chains, and – for all of our societies that have grown comfortable with running water and in-home electricity – our way of life.
What OT security programs should we expect from the industrial world in 2024 and what trends will impact securing these facilities against cyber breaches?
Government is Getting Involved
The Network and Information Systems Directive 2 (NIS2), the European Union’s latest attempt to boost the cybersecurity resilience of organizations that deliver critical goods and services, will begin to go into effect in October 2024. NIS2 applies to operators of essential services – thousands of manufacturers, food producers and distributors, waste management companies, water distributors, pharmaceuticals, cloud services, and numerous other private enterprises and government agencies.
Companies that fall under the broad NIS2 umbrella must implement risk management measures, which include defining security policies and conducting regular risk analyses, as well as creating effective access-control systems and conducting cybersecurity training for employees. Companies must also develop effective incident-handling and response procedures, in addition to overseeing security across their ever-lengthening supply chains.
Furthermore, NIS2 requires robust incident reporting: early warnings where there may be cross-border impact, interim notifications that describe the severity and impact of an incident, and formal reports to newly established national CSIRTs.
Companies that fail to comply with NIS2 may face significant fines, and their senior managers may even be subject to criminal sanctions. Those penalties alone should motivate organizations to enhance their security posture right away.
The United States has also become deeply involved in cybersecurity regulation. New US Securities and Exchange Commission (SEC) rules require any registered company to disclose material cybersecurity incidents, including those involving OT operations. While the SEC’s main motivation is to protect investors, the new rules extend to risk management and the disclosure of cyber incidents. Legal action against an early target, SolarWinds and its CISO, Timothy G. Brown, in which the SEC alleges that SolarWinds failed to disclose its poor cybersecurity practices, underscores the seriousness of the recent spate of cybersecurity regulation.
The Economy Will Dictate Cyber Expenditure
The forecast economic slowdown will soon put pressure on OT cybersecurity expenditures. Despite the high level of risk inherent in OT environments, many operators will continue to spend the bare minimum on cybersecurity during the downturn. NIS2 and other regulations will certainly drive some additional spending, pushing organizations to invest in cost-effective solutions and platforms that deliver the necessary suite of cyber capabilities and maximize every dollar or euro allocated to security budgets.
Budget constraints will also benefit third-party managed security service providers (MSSPs), which are poised to emerge as pivotal players in OT cybersecurity. They possess the expertise and specialized security knowledge that OT cybersecurity demands but that many organizations lack. MSSPs and other external experts will help fill the growing cyber skills gap as they deliver comprehensive security services tailored to the needs of critical infrastructure and industry.
Artificial Intelligence is Not Ready for Prime Time
In stark contrast to the IT world, we will continue to see pushback against black-box artificial intelligence (AI) solutions. Security leaders within the OT space require transparency in their solutions. They need to understand how the AI technology is working – how it triages events and how it makes decisions on incident response. Black-box AI fails to provide the necessary transparency.
This should be a cause for concern. Threat actors who already specialize in IT are developing a great deal of menacing artificial intelligence as they build highly sophisticated attack methods. Turning those capabilities toward an OT world that lacks AI-based defenses would exploit a disparity that enables successful – and expensive – attacks.
Look for a Mixed Year Ahead for OT Security
2024 promises to be an interesting year for OT security. Regulatory involvement will certainly force attention to OT security posture, especially among the numerous affected organizations that have not been sufficiently attentive thus far. However, economic concerns may result in that attention being little more than window dressing designed to satisfy minimal requirements without leading to any serious improvement in security posture.
At the same time, the lack of AI-based defensive solutions will compound OT vulnerabilities. Like the proverbial knife in a gunfight, many OT implementations will find themselves overmatched by the learning and predictive capabilities that make AI so powerful in the hands of adept threat actors. This imbalance could lead to some serious headlines in the year ahead.
Organizations that are finally taking their OT security seriously will need to invest in threat detection systems that monitor network traffic and identify threats and behavior anomalies. This will give them the best chance to prevent breaches from turning into full-blown attacks. Furthermore, they will need to adopt a continuous process of risk assessment so as to know where to spend their cyber budgets most effectively as the year – and threat landscape – progress.