The security of operational technology (OT) systems has been under the spotlight in recent years with several high-profile attacks such as the Colonial Pipeline ransomware incident that crippled 45% of the fuel supplies on the US east coast.
While Colonial Pipeline was a US operation, attacks on OT systems can happen anywhere in the world, including in Asia-Pacific (APAC). And despite warnings from officials highlighting how ransomware payments are used to fund future criminal activities, victims are often faced with the difficult decision of whether to pay the ransom as they need to consider the impact to the business if they don’t.
In an interview with Computer Weekly, John Lee, managing director of Singapore-based Operational Technology Information Sharing and Analysis Center (OT-ISAC) and AJ Eserjose, regional director of OT-ISAC, sheds light on the state of OT security in the region and what’s being done to address the skills, competency and organisational challenges in OT security.
What is the state of OT security in APAC today? And what are the challenges that OT operators are facing to secure their systems?
Lee: We’re seeing a persistent trend in ransomware attacks, including the WannaCry attack in 2017 that affected shipping company Maersk and the 2019 attack on aluminium supplier Norsk Hydro. With the recent cyber attacks on Colonial Pipeline, JBS meat packing plant and other organisations, OT security has become a great concern for governments, company boards and senior management. Attacks on critical infrastructure has a ripple effect on the economy. Ransomware operators are also operating ransomware-as-a-service and providing support to each other. The technical aspects will be managed by the operators while the business side is often managed by criminal gangs who have no technical knowledge of ransomware.
We're also seeing more targeted attacks on industrial sectors such as energy facilities and water treatment plants. In many cases, attackers are using spear phishing to compromise enterprise IT systems and gain access to OT equipment and exploiting asset vulnerabilities.
OT systems cannot be patched easily and readily because of the applications that come with them. Sometimes, they may use an outdated operating system (OS), and if you patch or upgrade the OS, the application may not work, and the device may not function safely or at all.
What can be done to address those challenges?
Eserjose: There are some collective efforts to address the issues, especially with the increasing connectivity between OT and IT systems. OT operators often lack visibility over their assets, and if they don’t have that, they will not be able protect those assets. Also, a large number of operating systems within the OT environment are often unsupported and rarely receive patches
Against this backdrop, it’s important for organisations to have good cyber hygiene in both IT and OT environments to reduce their exposure and damages. For example, the Colonial Pipeline attack was an IT attack and not an OT attack. But with security being of utmost priority to OT operators, such attacks can have a huge impact on OT systems.
There’s no silver bullet, and it takes continuous training and collective efforts from our partners and community members to build more resilience into OT security programmes.
Besides having good cyber hygiene and visibility over OT assets, what else can be done from an organisational perspective?
Lee: Some organisations don’t see a need for cyber security for OT systems as they are dealing with tight operating costs and processes. The need for performance, reliability and safety is still their top priority. That said, cyber security has caught the attention of C-suite executives because of the high-profile cases, damage to corporate reputations, and the huge ransoms that were paid by victims like Colonial Pipeline to restore the use of their systems.
Organisational structures also need to change, with OT security being incorporated in the business strategy and enterprise risk framework that includes operational, financial and human capital risks. If it’s not embedded in their strategy, then it’s not a priority. Today, boards may not be as well informed about the governance of OT assets and how they can implement OT security.
On an OT security maturity scale of one to four, we're seeing many companies operate at level two. Financial institutions in countries like Singapore are mature and generally operate at level three because of the push from regulators and strong technology risk management controls.
Amid the pandemic, where remote work has become the norm, remote connections have been put in place by OT companies. This has created a need to re-assess the situation holistically, even though OT security was not a consideration to begin with.
Even though countries like Singapore have mandated minimum baseline security for critical sectors, there are still ways for attackers to get in under the guise of third-party suppliers or by compromising other parts of the supply chain. Cyber security is a continuous process. OT operators should always be prepared to assume that a breach has occurred – which means that they are in response mode and will have to put in the controls that they may not have considered before.
OT security landscape
Could you share more about the work that OT-ISAC is doing to help OT operators and governments better understand the OT security landscape?
Eserjose: We facilitate the sharing of tactical and strategic information related to OT security threats and provide insights into emerging threats, detection techniques, best practices, and containment measures. This information includes vulnerabilities, attacks on OT systems and relevant IT applications affiliated with OT systems.
Read more about cyber security in APAC
- Geopolitics and Covid-19 have been fodder for cyber criminals to advance their motives in Southeast Asia in 2020.
- Microsoft has formed a public sector cyber security council comprising 15 policymakers across the Asia-Pacific region to address cyber threats and share best practices.
- Security experts at Black Hat Asia 2021 discuss the state of ransomware and supply chain attacks, two of the most common attack vectors that offer high returns for threat actors.
- DNS attacks in APAC grew by 15% last year, with Malaysian organisations seeing the sharpest rise in damages among countries in the region.
Are there any particular challenges related to skills, as OT requires very specialised skills, and it may be hard to build and sustain a team over time?
Lee: Traditionally, the engineering discipline is very structured and there's a clear scope in the domain itself. But the interconnectivity of OT and IT systems is recent. Some institutions have highlighted this skills gap and are training students, but those in the workforce don't have that knowledge because OT security was not a requirement before – even though it is clearly required now. Mid-career engineers are more focused on quality-of-service and operational excellence, where performance and reliability of engineering assets are prioritised over cyber security.
In fact, most chief information security officers are fighting fires most of the time. There are issues like systems not working and data breaches. There’s pressure from the CEO and the management team on OT projects and programmes, but as the scope of OT security is big, it takes skills and a mindset change of the whole team to address the challenges.
Just like how financial departments are accountable to the business under the Sarbanes Oxley Act, the accountability of OT teams to the business needs to be at a higher level, with a fiduciary duty to keep OT systems safe.
In terms of addressing the skills gap, there are a lot of discussions in Singapore on building and defining what is required in OT security skills and creating a standards framework. This includes clearly defined roles and responsibilities, as well as an information security governance framework for OT systems. This could become the norm in five years’ time and is akin to standards for the financial industry, such as the International Financial Reporting Standards and the Generally Accepted Accounting Principles in the US.
Eserjose: Our mission is to help our community boost their workforce and get started on addressing the skill gaps. We’ve launched an OT security training and awareness programme last April based on feedback from our members and community. It will provide insights on how organisations and their employees can recognise and reduce cyber risks.
We designed a course for our members to gain basic understanding about the fundamentals of cyber security. The topics have been carefully selected based on real world challenges and pain points that we face collectively as a community.
You mentioned Singapore having mandated minimum baseline security for critical sectors. It seems like regulation is key to addressing the issue, but how are other countries in the region doing in that regard?
Eserjose: Besides Singapore, countries like Thailand, Philippines, Vietnam and Malaysia all recognise the importance of protecting critical infrastructures. Government and organisations within the ecosystem should start by creating a framework for an OT security programme. This will take time especially in countries where critical infrastructures are privately run. They are also looking at how information sharing can improve the defence of critical infrastructure.
There are different frameworks that organisations can choose from to get guidance on securing critical OT systems, but it will require the right skills to secure the assets. When it comes to OT security programmes, most organisations in Asia are getting started and learning from mature countries in Europe, the US and Singapore. If you look at the government's ICT plan in the Philippines, for example, some of the actions and initiatives were adopted based on best practices from other countries.