Speech by Gaurav KEERTHI, DCE(Dev) at OTCEP Forum 2021 on 30 September 2021

30 Sep 2021

Speech by Gaurav KEERTHI, DCE(Dev) at OTCEP Forum 2021 on 30 September 2021
The Impact of Threats against our OT system

Distinguished Panellists and Guests
Ladies and Gentlemen

Introduction

  1. Good morning and thank you for joining us both virtually and in person on the 2nd day of the inaugural Operational Technology Cybersecurity Expert Panel Forum. I hope that you found the conversations yesterday useful and enriching.

    Disruption of Sectoral OT Operations

  2. CSA has initiated this because we recognise that cyber-attacks have crossed from the digital to the physical realm more aggressively in recent years. Cyber-physical attacks are not new, but they have grown, in number and in impact. As more industries adopt operational technology to manage their systems and meet the growing demand, the attack surface increases.  And as cybercrime becomes increasingly lucrative and easier to conceal using cryptocurrencies, the attacks will increase. These two trends are distressing.

  3. The Colonial Pipeline incident was a ransomware attack which had impact on 45% of the fuel supplies on the east coast of US.  What was interesting was that the ransomware attack was on an IT system, not the OT system, but the OT service was affected. Because the company assessed the IT system was a critical dependency for the OT system. Basically, the attackers found the soft underbelly to cripple Colonial’s OT system without directly attacking it. 

  4. The Oldsmar water plant hack in Florida was a more direct and frightening attack on the OT system. The hacker gained entry through a public facing remote access system and tried to poison people. It is horrifying to imagine that that there are people out there who think that this sort of attack is acceptable, with the tremendous loss of life that might have resulted. We cannot allow such an attack to succeed, ever.

    New paradigm shift in Operation, Technology and Cyber Risk Management for OT environment

  5. I think this trend is a wake-up call for all of us in the critical infrastructure space. The COVID-19 pandemic has driven the early adoption of industrial technologies like remote access and maintenance and these technologies are not without their risks.  They have rapidly exposed the traditionally isolated OT systems. 

  6. We need to keep abreast with the evolving OT cybersecurity landscape and take proactive actions. A paradigm shift in the security culture of our organisations and the cybersecurity approach has to be made.

    Strategic Investment in Cybersecurity (People, Process, Technology)

  7. We must invest in and prioritise OT cybersecurity. Fortunately, some of our investments in IT cybersecurity can be adapted to fit the OT context, but there are some areas where the old concepts or technologies may not work as well. Nevertheless, the basic trinity of people, processes, and technology still applies.  

  8. First, and always first, we start with people. The need for OT cybersecurity talent has never been greater. To address risks in local context, we need to grow our own pool of cybersecurity professionals and cultivate a local community. In some cases, we will need to train IT cybersecurity professionals how to deal with OT systems. In other cases, we may need to train OT operators how to think about cybersecurity. Business owners should develop a hybrid team of skilled defenders to approach the inherent differences between IT and OT security policies. 

  9. Next, processes. I believe a change in process and our mindset from preventing threats to assuming our systems are breached is critical. Organisations should leverage on established global OT cybersecurity standards and proven sound practices. They bring transparency and real-time risk management to your environment.  

  10. Finally, technology. Industrial cybersecurity technology is a strategic investment, not a sunk cost. And it is not just an insurance policy to protect us against disruptions of OT operations. It unleashes the potential benefits to improve safety and lives through the use of technology securely.  

    Conclusion

  11. I want to conclude with one point, which – even if you don’t remember the rest of this speech – I hope you remember this part. We have not paid enough attention in the past few years to the cybersecurity of Operational Technology, and I’m very happy that this is changing now. However, I have one challenge for all of us: I urge you to think of cybersecurity for Operational Technology as providing three things for your organisation. 

    a. Firstly, see it as a necessity. If you are operating physical systems controlled by Operational Technology, there are real safety and health implications if things go wrong. So cybersecurity is a necessity, to protect the well-being of people.

    b. Secondly, see it as an enabler. If your organisation wants to scale up or accelerate their digitisation journey, you should do so securely. Investing in cybersecurity is an enabler, to allow your organisation to digitise with confidence.

    c. Thirdly and finally, see it as an opportunity. There are many companies who will still not take this OT threat seriously and they will underinvest, be attacked, and lose customers and reputation – or suffer much worse consequences. You can stand out from the rest. You can show that your company is a leader, and cybersecurity is an opportunity for you to differentiate yourself. 

  12. We have an exciting and diverse line-up of speakers today and I wish everyone a productive day ahead.