Industrial control systems (ICS) have become more of a target for malicious threat actors, but the strategies used to defend that environment do not easily translate from the information technology space to the operational technology environment, according to a panel of cybersecurity experts at the Hack the Capitol event last week.
After operating in an almost isolated state for years, ICS have become more interconnected within the OT environment and connected to the IT environment, making them highly vulnerable to cyberattacks, according to David Weinstein, associate partner at McKinsey & Co.
Government needs to do a better job of understanding the risk/reward ratio of any action they take to deter malicious activity, panelists said. This requires the government to speak the language of business so ICS owners and operators better understand how they will lower their risk profile through more proactive engagement.
For decades, malicious cyber actors have targeted the industrial sector worldwide, research from Idaho National Laboratory shows. However the U.S. has become more vulnerable to attacks against industrial targets, particularly since the shift of operations to a more remote environment during the pandemic.
"The level of sophistication needed to access and potentially attack these networks is decreasing and no longer do nation-states monopolize the ICS threat," Weinstein, a former chief information security officer for the state of New Jersey, said during the panel.
One of the major risks in the ICS environment is that about 40% of industrial sites have at least one public facing internet connection and 84% of those have some remote outlet, according to Vishaal Hariprasad, co-founder and CEO of Resilience, a cyber insurance specialist.
The heightened threat to ICS follows the historic supply chain attack on SolarWinds and comes amid an effort by the Biden administration to become more proactive in how it responds to cyberthreat activity, and also increase cooperation with the private sector.
However panelists warned that part of that more aggressive strategy, which includes taking the battle forward to the adversary as outlined in the Defend Forward strategy, carries some risk that may not always translate into the OT space.
"Be careful what you decide to do, because it comes back at you," said Marie O'Neill Sciarrone, CEO at Tribal Tech. "This isn't traditional warfare where you shoot a bullet and you know where it's gone."
Hariprasad warned that ICS and OT are converging, referencing an attack on Atlanta-based WestRock in a January ransomware effort that forced the packaging company to reduce production schedules. The company lost millions of dollars in sales as a result.
The company last week announced during its fiscal second-quarter earnings it incurred $20 million in ransomware recovery costs.
"The most sophisticated kind of organizations from an IT perspective, are still very early on in their OT security journey," according to Weinstein. "They're thinking about, not maturity in terms of how they measure themselves from an IT perspective, but around how do we reduce risk in the most efficient way possible."