Re-thinking cybersecurity for CNI: The critical risks of IT and OT convergence

As IT and OT systems converge, Trevor Dearing, director of critical infrastructure at Illumio, assesses the cyber risks to organisations and the steps they can take to protect those systems.

Posted 16 May 2023 by Christine Horton

Across the world, critical national infrastructure (CNI) such as energy, transport, and healthcare is rapidly digitising. A need for increased efficiency and decreased costs has put automation and connectivity at the top of the agenda, with many companies seeking to connect IT and Operational Technology (OT) for operational gains. 

However, as IT and OT systems converge, they bring greater cyber risk. If this intersection is not secured effectively, organisations could soon find that it presents an ideal attack point for threat actors. 

Indeed, the European Union Agency for Cybersecurity (ENISA) recently warned that it predicts cybercriminals will increasingly target this overlap to disrupt systems, with the transport sector at particular risk. The agency reports that recorded attacks against aviation, maritime, rail and road sectors across Europe are already increasing. 

So, what are the most significant cyber threats against CNI systems, and what steps must organisations take to boost resilience? 

Why CNI is increasingly targeted by cyberattacks

CNI is particularly vulnerable to disruptive attacks such as ransomware – and the criminal groups know it. For CNI, the pressure for a quick resolution is far greater than in most sectors, as an attack could cause widespread blackouts, bring national transport to a halt, or even put lives directly at risk. Ransomware actors count on their victims caving in and paying up to have their encrypted systems restored quickly. 

Once attackers have gained access to the organisation, malware may spread automatically throughout connected systems, encrypting as it goes, or the attacker may manually infiltrate the network to deploy it in the most critical areas first. Either way, a single compromised device can often be enough to facilitate a massive ransomware catastrophe. 

In sectors such as energy, heavy reliance on cyber-physical systems like OT can increase exposure to this tactic. Legacy systems were typically designed for a pre-digital age, with no expectation of ever being connected to the internet, so cybersecurity was never front-of-mind. This makes it hard to guarantee the safety of any connected systems using normal network controls. In the other direction, if the main IT environment is compromised, ransomware will likely be able to spread quickly to all connected cyber-physical systems. The challenge is ensuring that an attack on either the IT or OT side of the operation does not proliferate to the other. 

Shifting from protecting the network to protecting the asset

Historically, Industrial Control Systems (ICS) and OT environments have always been isolated from IT networks. These systems were generally ‘air gapped’, operating without any connection to the wider IT ecosystem.  

However, businesses are increasingly finding reasons not to air gap devices at all. To improve efficiency and flexibility of control, ICS and OT systems are continuously being connected to the company’s wider IT networks, whether it’s through remote applications or by connecting to smart devices. So, security strategies also need to evolve in line with this transition. Rather than the traditional approach of protecting the network, organisations need to shift the focus to protecting each individual asset.  

While more recent OT systems use standard operating systems like Linux and Windows, which enable the use of native firewall functionality, these firewalls are usually configured using standard network constructs and lack the granularity required to protect assets on an individual basis. A unified asset-centric approach is required for all systems to effectively protect against ransomware and other attacks targeting converging IT and OT systems. 

Understanding the flow of data throughout the extended asset attack surface

To protect both OT and IT devices from ransomware and other types of cyberattacks, business and IT leaders need improved visibility into networks and an understanding of how data flows between devices. 

The first step is to collect connectivity data from all IT and OT devices on the network and map their interdependencies. IT leaders need to understand how different systems interact, and how a compromise could affect other connected assets. This map can then be enriched with asset and vulnerability scanning data to determine where the risks are, and each asset labelled according to its risk level and function.  

From here, it is possible to enforce a policy based on least privilege to limit connectivity to the bare minimum required. This can be implemented using native firewall functionality on supported OT devices, or network switches for legacy systems.  

This approach makes it possible to connect the dots between all of the systems on the network. With full visibility of how different systems communicate and how data flows between them, it is far easier to contain fast-moving threats like ransomware.   

Breach containment is king

With an accurate map of the interdependencies of all IT and OT systems, the environment can be effectively divided using Zero Trust Segmentation. ZTS is a proactive approach that implements micro-segmentation by continually visualising how workloads and devices are communicating and creating granular policies to only allow necessary communication. This makes it far harder for a threat actor to move from a compromised device to other areas of the network and means disruptive attacks like ransomware will be effectively contained to the initial infection point. While a single device or even network segment may be taken down, the attack will be unable to spread, and delivery of critical services will be maintained.  
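The mapping-and-labelling steps above and the Zero Trust Segmentation policy described in this section can be worked through end to end. The script below is an added example, not code from the article or from Illumio: it takes a constructed flow export and a constructed asset inventory (the IP addresses, asset names, functions and port numbers are all assumptions), builds the dependency map, keeps only flows that a label-based policy marks as required, compares the blast radius of a compromised host before and after the policy, and renders the resulting allowlist for one Linux host as nftables rules.

```python
"""Added example (not from the article or Illumio): map observed connectivity,
label assets, derive a least-privilege allowlist and measure containment."""
from collections import defaultdict, deque

# Constructed asset inventory. The labels are the kind the article describes:
# IT/OT side, operational function and a risk level from vulnerability scanning.
ASSETS = {
    "10.0.1.10": {"name": "historian",  "side": "OT", "function": "historian",   "risk": "medium"},
    "10.0.1.20": {"name": "plc-line1",  "side": "OT", "function": "plc",         "risk": "high"},
    "10.0.2.10": {"name": "scada-hmi",  "side": "OT", "function": "hmi",         "risk": "medium"},
    "10.0.3.10": {"name": "erp-app",    "side": "IT", "function": "erp",         "risk": "low"},
    "10.0.3.50": {"name": "ws-finance", "side": "IT", "function": "workstation", "risk": "low"},
}

# Constructed flow records (src, dst, dst_port, proto), as a collector might export them.
FLOWS = [
    ("10.0.2.10", "10.0.1.20", 502, "tcp"),   # HMI -> PLC (Modbus/TCP)
    ("10.0.1.20", "10.0.1.10", 4840, "tcp"),  # PLC -> historian (OPC UA)
    ("10.0.1.10", "10.0.3.10", 5432, "tcp"),  # historian -> ERP database
    ("10.0.3.50", "10.0.3.10", 443, "tcp"),   # finance workstation -> ERP
    ("10.0.3.50", "10.0.1.20", 502, "tcp"),   # finance workstation -> PLC: observed, no justification
]

# Least-privilege policy written in label terms (source function, destination
# function, port, proto). Only combinations operations actually require. Constructed.
REQUIRED = {
    ("hmi", "plc", 502, "tcp"),
    ("plc", "historian", 4840, "tcp"),
    ("historian", "erp", 5432, "tcp"),
    ("workstation", "erp", 443, "tcp"),
}


def build_map(flows):
    """Dependency map: destination -> set of (source, port, proto) observed talking to it."""
    deps = defaultdict(set)
    for src, dst, port, proto in flows:
        deps[dst].add((src, port, proto))
    return deps


def classify_flows(flows, assets=ASSETS, required=REQUIRED):
    """Enrich each observed flow with asset labels and split it into flows the policy
    will allow and flows that need review (e.g. an IT workstation reaching a PLC)."""
    keep, review = [], []
    for src, dst, port, proto in flows:
        key = (assets[src]["function"], assets[dst]["function"], port, proto)
        (keep if key in required else review).append((src, dst, port, proto))
    return keep, review


def is_allowed(policy_flows, src, dst, port, proto):
    """Policy evaluation: explicitly allowed flows pass, everything else is denied."""
    return (src, dst, port, proto) in set(policy_flows)


def reachable(flows, start):
    """Blast radius: assets a compromised host could reach by hopping along the given flows."""
    adj = defaultdict(set)
    for src, dst, _, _ in flows:
        adj[src].add(dst)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def nft_rules(policy_flows, host, assets=ASSETS):
    """Render the inbound allowlist for one Linux host as an nftables ruleset (default drop).
    Legacy assets without a host firewall would get the same flows as switch ACLs instead."""
    lines = [
        f"# inbound policy for {assets[host]['name']} ({host})",
        "table inet ztseg { chain input { type filter hook input priority 0; policy drop;",
        "  ct state established,related accept",
        "  iif lo accept",
    ]
    for src, dst, port, proto in sorted(policy_flows):
        if dst == host:
            lines.append(f"  ip saddr {src} {proto} dport {port} accept  # {assets[src]['name']}")
    lines.append("} }")
    return "\n".join(lines)


if __name__ == "__main__":
    keep, review = classify_flows(FLOWS)
    print("flows needing review:", review)
    print("blast radius of ws-finance before policy:", sorted(reachable(FLOWS, "10.0.3.50")))
    print("blast radius of ws-finance after policy: ", sorted(reachable(keep, "10.0.3.50")))
    print(nft_rules(keep, "10.0.1.20"))
```

With the constructed data, the observed workstation-to-PLC flow is the one item surfaced for review, and the finance workstation's blast radius shrinks from three assets (ERP, PLC and, via the PLC, the historian) to the ERP application alone, which is the containment effect the section describes. The nftables fragment is a sketch of the host-level enforcement; in practice the same per-asset rules would be pushed by whatever policy engine manages the native firewalls.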

Implementing this single-structure security approach as IT and OT continue to converge will greatly boost the cyber resilience of critical infrastructure. Even as the attack surface increases, defending every asset on an individual basis means citizens are protected from having their daily lives disrupted or threatened – and opportunistic criminals are denied their pay-day.