In its 2022 Year in Review, The Cybersecurity and Infrastructure Security Agency (CISA) stated, “Over the course of FY22, we accomplished much to advance our vision of secure and resilient infrastructure, while laying the groundwork for ever deeper and increasingly substantial efforts in the coming years.” A significant part of that was developing resources for protecting Operational Technology (OT) security. While OT is the backbone of the systems that support critical infrastructure, it is also a growing source of cyber risk. Therefore, it is likely to remain a worthy share of the attention being paid to cybersecurity in 2023.
Port Crane Cybersecurity and Substation Attacks
Two recent stories reflect the ongoing OT focus. The first is the passing of the 2023 National Defense Authorization Act (NDAA), which President Biden signed in December. As Cynthia Brumfield reports for CSO Online, the Act emphasizes “military-related cybersecurity provisions.” Of them is a call to study the state of risk associated with manufactured cranes. One reason behind this is that cranes represent the growing issues connected to the merging of the internet and OT.
Another signifier of OT cybersecurity’s rise in importance was a series of substation attacks that occurred at the end of 2022. According to Utility Dive, damages from physical disruptions caused substations in Washington and North Carolina to experience power outages. While not cyber cases, these incidents do demonstrate the type of widespread impacts that a cyberattack could also create, which has alerts ringing. That’s why the Federal Energy Regulatory Commission and the U.S. Department of Energy are reportedly working on cybersecurity rules and programs.
Can Zero-Trust Help OT Cybersecurity?
With awareness builds around OT cybersecurity and what it means for the protection of critical infrastructure such as port cranes and substations, there is an obvious need for effective solutions. One likely to remain on the table is zero-trust. Research shows that many operators either are or intend to adopt zero-trust models. However, this approach is still hotly debated in OT settings. A piece published by SC Media argues, though, that this simply comes down to misconceptions.
A recurring misunderstanding is that zero-trust cannot be paired with other existing security measures such as defense-in-depth (DiD). On the contrary, combining the two can actually establish an even stronger shield. In addition to that, many believe that implementing zero-trust requires a lengthy and burdensome re-structuring of legacy tech. Zero-trust models can instead be put in place over systems already in place. This forms what is known as “cyber mesh,” as explained at SC Media.
Learn more about Net-Optix, an excellent first step in deploying zero trust OT networks.
Sources:
- “CISA Reflects on Past Year, Upcoming Critical Infrastructure Security Priorities” – Jill McKeon, Health IT Security
https://healthitsecurity.com/news/cisa-reflects-on-past-year-upcoming-critical-infrastructure-security-priorities - “US Maritime Administrator to study port crane cybersecurity concerns” – Cynthia Brumfield, CSO Online
https://www.csoonline.com/article/3685378/us-maritime-administrator-to-study-port-crane-cybersecurity-concerns.html - “Substation attacks may lead to new energy security rules in 2023, experts say” – Robert Walton, Utility Dive
https://www.utilitydive.com/news/substation-attacks-may-lead-to-new-energy-security-rules-in-2023-experts-s/640138/ - “Making it easier to deploy zero-trust for operational technology systems” – Roman Arutyunov, SC Media
https://www.scmagazine.com/perspective/critical-infrastructure/making-it-easier-to-deploy-zero-trust-for-operational-technology-systems
