Cybersecurity For Critical Industry: Not Your ‘90s Cybercrimes

By Lisa Sandoval

Cybersecurity – the term’s been around since the 90s. From concerns around information security with the proliferation of personal computers to the emergence of that little thing we once called the “World Wide Web,” cybersecurity has been a constant in our lexicon for decades.  

Today, when I hear the term “cybersecurity,” it takes me back to…well…a less sophisticated time in computing – what was known as the beginning of the Information Age. And just as I’m seeing today’s teenagers wearing the very same baggy jeans and Doc Martens I sported in ‘99, so too am I seeing the reemergence of familiar conversations around cybersecurity and data hacking. And they’re becoming especially loud within the critical industry sectors. Why? Is history repeating itself? And what’s new in the information security realm?

TIMES THEY ARE A-CHANGIN’ 

From the ‘90s & the “Information Highway”... 

I think we can all agree that hackers have been hacking since the beginning – that has never really changed. And as we all began to “surf the web,” I’d be willing to bet that each of us has had at least one experience with a digital breach of our personal information. Again, nothing new there. It’s an unfortunate reality that we’ve all learned to live with as individuals.  

…to the 2010s & Digitization… 

What’s changed from the 90s until now is the quantity, severity, and scale of cyber-attacks. Fast forward to the 2010s. Things have gotten a whole lot more connected as critical industries are well on their way into digital transformation. 

In this decade, large critical operations such as utilities, oil & gas companies, and public safety began modernizing at an unprecedented pace, investing in modern technologies and infrastructure that enhance and optimize their operations. And with this modernization, the line between the physical and digital world is beginning to blend.  

…and Into Today, the Digital Age. 

Today, mission critical infrastructure such as Process Control Systems contains assets that are often digitized through actuators, meters, and sensors that effectively allow the physical parts and processes to be monitored and controlled remotely by engineering and scientific experts from a central office. What were once just physical machines working alone in the middle of some cornfield – in this case I’m picturing an oilfield pumpjack – are now “connected” digital devices producing critical data, and often linked to the company’s core network via secure Operational Technology (OT).

This digitization of the industrial environment is producing huge benefits to companies in the form of operational efficiencies, cost savings, and increased customer satisfaction, but all those benefits do come with a catch… 

THE CATCH: INCREASED ATTACK SURFACE AREA 

More digitized assets in the field means more digital entry points for bad actors – or what’s known as an “increased attack surface area.” 

And the stakes are higher too. When we are talking cyber threats to critical industries, we aren’t only worried about data breaches or financial losses. No, the threat can be much more sophisticated...and perilous. A cyber-attack on these industries can cause catastrophic ripple effects to humanity such as widespread power outages, chemical leaks, water supply shortages, or even loss of life and mass casualties. 

And hackers today are not typically the “lone wolves” of times past messing around in their basements. Today, we’re often dealing with much more sophisticated operations. From geopolitical adversaries committing state-sponsored espionage to distributed denial of service (DDoS) attacks with the goal of disrupting the power and electricity sector, the stakes are now much higher.  

Types of sophisticated attacks today include: 

  • AI-assisted hacking (TTPs)
  • Logic Bombs 
  • Distributed Denial of Service (DDoS) 
  • Ransomware 
  • Advanced Persistent Threats (APTs) 
  • Phishing 
  • Malware infiltration 
  • Supply chain attacks 
  • Insider threats 
  • Border Gateway Protocol (BGP) hijacking
  • Multi-vector attacks 

 

It’s straightforward, really. When you expand the “surface area” of your network by adding thousands of connected assets, you’ve got to match that growth by putting into action a cutting-edge cybersecurity strategy that is both Secure by Design and contains a layered Defense In Depth architecture. 

IT + OT: A UNIFIED REBOOT TO CYBERSECURITY 

The overlapping domain of Information Technology (IT) and Operational Technology (OT) necessitates a unified approach to cybersecurity that bridges your IT team's focus on data integrity and confidentiality with your OT team's directives of machine reliability and safety of the physical world. The challenge for mission critical industries is to harmonize the security strategy across this blended environment while maintaining the operational imperatives unique to each.

Finding common ground requires not only technological integration but also a cultural shift. This involves IT and OT teams working cohesively, a task that has proven challenging in the past due to differing priorities and scopes of work. An overarching leadership approach, coupled with a transparent risk management infrastructure, can serve as the point upon which this balance is achieved. 

DIAL UP THE SECURITY ON YOUR CRITICAL INFRASTRUCTURE 

In this increasingly connected world, mission critical industrial environments must make cybersecurity a foundational element to every product and system they integrate into their operations and network. And securing the critical infrastructure of tomorrow requires a strategic, multi-layered approach. Start down that path with some of the larger cybersecurity frameworks and best practices.  

 
INDUSTRIAL CYBERSECURITY FRAMEWORKS: 

  • ISA/IEC 62443 (International Society of Automation/International Electrotechnical Commission): Industrial automation and control systems cybersecurity standards 
  • NIST SP 800-82 Rev. 3 (National Institute of Standards and Technology): Guide to Operational Technology (OT) Security 
  • NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection): Set of requirements for securing North America’s bulk electric system 
  • EPCIP NIS2 (European Programme for Critical Infrastructure Protection Network and Information Security Directive): EU-wide legislation and measures for a high common level of cybersecurity across member states
     

 
WHAT’S TRENDING IN CYBERSECURITY? 

  • Zero Trust Architecture (ZTA), a concept that treats all entities as though they originate from an untrusted network, is rapidly gaining traction. For mission critical environments, where the potential impact of a security breach is most acute, the ZTA framework offers a radically secure approach that verifies and secures every access request regardless of the source. 
  • Quantum-Resistant Cryptography. As quantum computing power looms on the horizon, the encryption schemes that underpin modern cybersecurity are at risk of being cracked. Mission critical industries should begin to consider integrating quantum-resistant cryptography into their security protocols. 
  • AI and Machine Learning (ML) for Enhanced Security, enabling real-time breach detection and response. 
  • Automated Threat Hunting, a solution that uses machine learning algorithms to proactively detect advanced adversaries and malicious activities. 
  • Secure by Design, or building security risk mitigation measures into every component of the architecture at the outset of a project, before operationalization.
  • Defense in Depth, a multi-layered cybersecurity strategy that ensures if one defense fails, others stand ready to thwart cyber threats, much like a fortress with several lines of defense.
  • Private 5G Networks, giving companies full control over the encryption keys and protocols they use.

 

A MORE SECURE FUTURE IN TODAY’S CYBERSPACE 

With the rise of Industry 4.0 and the digitalization of critical industries, there’s no time to look back at the good old days – old trends, methods, or practices. ‘Security by obscurity’ is no longer an option. Keeping your network secure means seizing the moment and implementing end-to-end communications networks and comprehensive cybersecurity solutions that work hand in hand to protect your critical infrastructure and the people that depend on it.
