After a long period of crisis, cybersecurity needs renewal - ISH Technology


In addition to traditional businesses, such as retail and services, the industrial control systems (ICS) that underpin our critical national infrastructure are facing increasing and immediate risks that can be seen in the growing incidence of ransomware, among other cyber threats.

The impact of these types of attacks means that an immediate response is required to recover operational resources in many different market segments.

A disturbing trend, particularly with regard to critical infrastructure, is the way ransomware is evolving, with some versions targeting industrial control systems specifically, making it easier to hold critical infrastructure operators to ransom.

Changes in connectivity to operational technology are another factor increasing the risk to control systems. They include the growing adoption of cloud technology to support or process operational technology data, which results in that data residing outside traditional boundaries.

An additional vulnerability arises from the closer integration of IT and OT infrastructures, usually for valid business or productivity reasons, but which creates a greater number of access paths to operational technology.

In addition, the increasing use of commercial off-the-shelf (COTS) technology means that operational technology is at greater risk from common attack techniques and tools that would previously have been confined, by the technology itself, to IT infrastructure. Then there is the risk arising from the growth of remote working, driven by the travel and distancing restrictions of the current health crisis, which means greater use of remote access.

Increased interest in critical infrastructure to carry out attacks

The recent attack on the US pipeline company Colonial Pipeline is a clear example of a ransomware attack aimed at compromising operational technology. The attack itself was first detected on May 7, when the company announced that it had been hit by a cyber attack involving ransomware known as DarkSide.

DarkSide is a relatively new strain of human-operated ransomware first observed in 2020. The group behind it operates dual extortion attacks in a ransomware-as-a-service model with multiple affiliated groups and is highly active online.

This scenario shows that operational technology is also receiving increased attention because more information is available to attackers. Dedicated Internet search tools such as Shodan help discover industrial devices that are connected to the Internet, and dedicated operational technology hacking tools such as "Industroyer" reduce the level of knowledge required to attempt an attack.

In parallel, there is increasing knowledge about industrial systems and operational technology, partly as a result of changing connectivity and technology fusion, but also due to the increasing disclosure of vulnerabilities.

So, taking into consideration these immediate risks, what can be done?

Understand your systems

This first piece of advice is as old as some of the technology in use. It is essential to know what assets you have in your operating technology and understand how they relate to what you do.

If a vulnerability is disclosed for a component, the potential impact of the vulnerability can only be properly assessed if the proliferation of the component within the infrastructure is known. The response will be very different for a component in limited use in an isolated system compared to a common component across multiple critical systems.
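One way to make "know how widely a component is deployed" answerable in minutes rather than days is to keep the inventory in a queryable form and tie each asset to its system and criticality. The following is an added example, not code from the original article or from ISH Technology; the inventory entries, component names, system names and the four-level criticality scale are constructed placeholders. Given a component named in an advisory (and optionally the affected versions), it reports the affected assets, the systems they sit in, and a response tier that distinguishes an isolated single-system deployment from a component common to several critical systems.

```python
"""Asset-inventory lookup for assessing the reach of a disclosed vulnerability.

Added example, not from the original article. The inventory records below are
constructed sample data; system names, component names and criticality levels
are hypothetical placeholders.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str
    system: str          # the OT system / plant area this device belongs to
    criticality: int     # 1 = low ... 4 = safety- or production-critical (hypothetical scale)
    component: str       # vendor firmware / software component (constructed names)
    version: str
    isolated: bool       # True if the host system has no path to IT or the Internet


# Constructed sample inventory.
INVENTORY = [
    Asset("plc-01", "pipeline-scada", 4, "ExamplePLC-FW", "2.1", False),
    Asset("plc-02", "pipeline-scada", 4, "ExamplePLC-FW", "2.1", False),
    Asset("hmi-01", "pipeline-scada", 3, "ExampleHMI", "7.0", False),
    Asset("plc-10", "water-treatment", 4, "ExamplePLC-FW", "1.9", False),
    Asset("hist-01", "lab-testbed", 1, "ExampleHistorian", "5.2", True),
    Asset("plc-99", "lab-testbed", 1, "ExamplePLC-FW", "2.1", True),
]


def assess_component_exposure(inventory, component, affected_versions=None):
    """Return how widely a component is deployed and how critical its hosts are.

    affected_versions: optional set of version strings taken from the advisory;
    None means every version is affected.
    """
    hits = [a for a in inventory
            if a.component == component
            and (affected_versions is None or a.version in affected_versions)]
    systems = Counter(a.system for a in hits)
    max_crit = max((a.criticality for a in hits), default=0)
    all_isolated = bool(hits) and all(a.isolated for a in hits)

    # Response tier mirrors the distinction in the text: limited use in an
    # isolated system versus a common component across multiple critical systems.
    if not hits:
        tier = "not deployed"
    elif all_isolated and len(systems) == 1:
        tier = "limited: isolated single system, handle in normal maintenance"
    elif max_crit >= 4 and len(systems) > 1:
        tier = "critical: common component across multiple critical systems, immediate action"
    else:
        tier = "elevated: review compensating controls and patch window"

    return {
        "component": component,
        "affected_assets": [a.asset_id for a in hits],
        "systems": dict(systems),
        "max_criticality": max_crit,
        "response_tier": tier,
    }


if __name__ == "__main__":
    for comp, versions in [("ExamplePLC-FW", None), ("ExamplePLC-FW", {"1.9"}),
                           ("ExampleHistorian", None), ("NotInstalled", None)]:
        print(assess_component_exposure(INVENTORY, comp, versions))
```

Restricting the query by advisory version matters: the same component shows up as "critical" across three systems when every version is affected, but as a single-system "elevated" case when only version 1.9 is in scope.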

Understand the risks

Risk assessments should be completed for all critical systems and reviewed annually or in response to a significant change in the threat or system configuration. Risk assessments should be based on credible threat scenarios for the organisation and should develop into risk mitigation plans.

Ensure critical infrastructure is 'Secure by Design'

It is widely recognised that it is easier and more cost-effective to design something secure from the outset than to try to incorporate security features at a later stage. While this approach may only be fully adopted for new systems, the guiding principles of "secure by design" should be incorporated wherever possible.

Moreover, the approach must be broad enough to look beyond technology and make people and processes "secure by design" as well.

Actively monitor critical systems

It is essential to understand what is happening on your network and at the boundaries, as well as having an established baseline of normal behaviour for your infrastructure and systems. This can be much easier to achieve with the increased availability of mature, OT-specific monitoring solutions.
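A baseline of normal behaviour is only useful if something compares live traffic against it. The following is an added example, not code from the original article or from ISH Technology: it learns which (source, destination, port) pairs and which Modbus function codes were seen during a "known good" window, then flags observed flows that introduce a new source host, a new path or service, or a function code never seen between that pair. The flow records and addresses are constructed sample data in a simplified one-line-per-flow format; the `fc=` field stands in for the Modbus function code an OT monitoring tool would decode.

```python
"""Baseline-and-deviation check for OT network flows.

Added example, not from the original article. Flow records are constructed
sample data in a simplified "timestamp src dst dport proto [fc=N]" form;
addresses and the Modbus function-code field are illustrative.
"""
from collections import defaultdict

# Constructed baseline: flows recorded during a known-good period between the
# SCADA hosts (10.1.1.x) and the PLCs (10.1.2.x).
BASELINE_FLOWS = """\
2024-01-01T08:00:00 10.1.1.10 10.1.2.21 502 modbus fc=3
2024-01-01T08:00:05 10.1.1.10 10.1.2.22 502 modbus fc=3
2024-01-01T08:01:00 10.1.1.10 10.1.2.21 502 modbus fc=16
2024-01-01T09:00:00 10.1.1.11 10.1.2.21 502 modbus fc=3
"""

# Constructed observation window containing three deviations to detect.
OBSERVED_FLOWS = """\
2024-01-08T08:00:00 10.1.1.10 10.1.2.21 502 modbus fc=3
2024-01-08T08:00:02 10.1.1.10 10.1.2.21 502 modbus fc=8
2024-01-08T08:00:10 10.1.3.50 10.1.2.22 502 modbus fc=6
2024-01-08T08:00:30 10.1.1.10 10.1.2.21 3389 tcp
2024-01-08T08:00:31 10.1.1.11 10.1.2.21 502 modbus fc=3
"""


def parse_flows(text):
    """Parse the constructed flow format into dicts; 'fc' is None for non-Modbus flows."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip blank or malformed lines
        ts, src, dst, dport, proto = parts[:5]
        fc = None
        for extra in parts[5:]:
            if extra.startswith("fc="):
                fc = int(extra[3:])
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto, "fc": fc})
    return flows


def build_baseline(flows):
    """Learn allowed (src, dst, dport) pairs and the Modbus function codes seen per pair."""
    pairs = set()
    fcs = defaultdict(set)
    for f in flows:
        key = (f["src"], f["dst"], f["dport"])
        pairs.add(key)
        if f["fc"] is not None:
            fcs[key].add(f["fc"])
    return {"pairs": pairs, "fcs": dict(fcs)}


def find_deviations(baseline, flows):
    """Return (alert_type, timestamp, detail) tuples for flows outside the baseline."""
    known_sources = {p[0] for p in baseline["pairs"]}
    alerts = []
    for f in flows:
        key = (f["src"], f["dst"], f["dport"])
        if f["src"] not in known_sources:
            # A host that never talked to OT during the baseline period.
            alerts.append(("new-source-host", f["ts"], key))
        elif key not in baseline["pairs"]:
            # Known host, but a destination/port it has not used before.
            alerts.append(("new-service-or-path", f["ts"], key))
        elif f["fc"] is not None and f["fc"] not in baseline["fcs"].get(key, set()):
            # Known conversation, but a Modbus function never seen on it.
            alerts.append(("new-modbus-function", f["ts"], key + (f["fc"],)))
    return alerts


def run_example():
    """Build the baseline from the constructed data and check the observed window."""
    baseline = build_baseline(parse_flows(BASELINE_FLOWS))
    return find_deviations(baseline, parse_flows(OBSERVED_FLOWS))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The check order is deliberate: an unknown source host is reported as such even when it uses a familiar port, and a new function code is only reported for a conversation that was otherwise expected, so each alert names the most specific thing that changed relative to the baseline.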

Be ready to respond to incidents

Finally, there should be a tried and tested incident response plan that adequately considers the cyber causes of failures and directs appropriate responses to recover systems to restore operations in line with business objectives.

Using threat intelligence to determine the actual risk faced by the organisation, combined with an understanding of the way potential attackers strike, is key to applying appropriate and cost-effective controls that don't alienate the very people who help make things secure.