Many organizations responsible for critical infrastructures such as electric, gas, and oil have long been practicing resilience in their core operations. I would go so far as to say that those industries are actually quite good at building cyber resilience in critical infrastructure. However, the modernization of our critical infrastructure continues at a rapid pace. The need to obtain more data, control more “stuff”, and operate from anywhere is resulting in once-isolated systems becoming easy attack targets for bad actors, an increased risk of unintended cyber faults, and additional opportunities for misuse.
Cyber systems in operational technology (OT) are often bolt-on solutions or are delivered as part of a turn-key solution purchased outside of traditional IT departments. For example, a generation plant may purchase some “big iron” equipment that comes with several monitors, servers, databases, and perhaps even its own network. However, such systems may show little design consideration with respect to the resiliency of particular components.
More importantly, the included cyber systems often have become critical for the functionality of this “big iron” equipment where previously such equipment was operated manually without the assistance of fancy cyber parts. Why? There are at least two reasons that come to mind:
- Operating staff have become reliant on keyboards and monitors to run these systems and, more often than not, from a distance (even from foreign countries).
- Manual operation just isn’t fast enough, efficient enough, or effective enough in the modern world.
It is incumbent upon us as technologists – IT/OT engineers, cyber security consultants, CIOs/CTOs, etc. – to begin evaluating and remediating gaps in cyber resilience capabilities throughout the enterprise. Resilience isn’t an option in critical infrastructure; it is an obligation. In many cases, operational technology modernization efforts have not focused on assuring that this additional connectivity and capability provided by cyber systems has not sacrificed the level of resilience we may have once had, or actually need.
I highly suggest a review of the documentation that can be found at the U.S. Resilience Project. That is a great start to understanding more about the importance of a strong resilience program or department within critical infrastructure organizations. Keep in mind that resilience solutions are not done in a day. Part two of our blog series will discuss what is needed to build an effective resilience program and what type of cyber security tools can help.
Stacy Bresler is a Managing Partner for Archer Security Group. He has been supporting critical infrastructure organizations with their cybersecurity needs for over 20 years with a focus on operational technology security practices.