
Cyberattacks with weaponised OT environments will pose risk to human life by 2025 – Report

*Experts note that in operational environments, security and risk management leaders should be more concerned about real world hazards to humans and the environment, rather than information theft

*Gartner Incorporated highlights 10-step Security Controls for Operational Technology in organisations

Gbenga Kayode | ConsumerConnect

As ransomware threats and attacks continue to disrupt cyber activities of individuals, businesses, organisations and governments in the virtual world with devastating consequences, a new report says there is an imminent scenario that will turn cyberpunk into cyberreality.

According to Gartner Incorporated, a global research and advisory firm, cyber attackers will have weaponised Operational Technology (OT) environments to successfully harm or kill humans by 2025.

Information Technology (IT) and Operational Technology (OT)

ConsumerConnect reports that Operational Technology has been described as the “hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events.”

Attacks on these OT environments were said to have evolved from immediate process disruption, such as shutting down a plant, to compromising the integrity of industrial environments with intent to create physical harm.

Cybersecurity experts have suggested that other recent events like the Colonial Pipeline ransomware attack in the United States (US) also highlighted the need to have properly segmented networks for Information Technology (IT) and OT.

It was learnt the rise of the robots has long been a fear presented in Hollywood blockbusters that show runaway technology damaging all that goes before it.

However, the reality appears to be catching up with what was previously thought of as science fiction or a cyberpunk future, the CyberNews report said.

Gartner further noted that the risk is already prevalent and present, advising that this looming potential should worry large organisations concerned about their place in the world more than information breaches and thefts. It is the attacks of tomorrow that need to be prepared for today.

In respect of this future development, Wam Voster, Senior Research Director at Gartner, said: “In operational environments, security and risk management leaders should be more concerned about real world hazards to humans and the environment, rather than information theft.

“Inquiries with Gartner clients reveal that organisations in asset-intensive industries like manufacturing, resources and utilities struggle to define appropriate control frameworks.”

Targeted cyberweapons

The report indicates that Gartner already calls the tools used to launch present-day attacks on infrastructure “cyberweapons”, and incidents like the Pegasus breach by NSO Group have been highlighted as an example of Israel’s Uzi diplomacy for the modern era.

ConsumerConnect reports a cyberweapon is a malware agent employed for military, paramilitary, or intelligence objectives as part of a cyberattack.

It referenced how Israel managed to build its presence on the global stage in decades past by selling its new type of machine gun to competing powers, and there are those who believe it is doing the same in the 21st century with cyberwarfare weapons.

Cyberweapons in the 21st Century can wreak havoc. Photo: iStock

So far, such offensive cyberattacks have had – at best – tangential connections to real world ramifications, Gartner stated.

It was also gathered that relatives of murdered journalist Jamal Khashoggi were found in databases of victims of the Pegasus attacks, with the implication that the two things may have been connected.

Similarly, attacks against physical infrastructure that were launched through cyberattacks, such as the taking offline of Iranian nuclear enrichment facilities by the Stuxnet worm, have perhaps taken offline key sources of power that have disrupted people’s lives, but not likely ended them, the report said.

Gartner’s pessimistic forecast, however, suggests that something different is now happening.

The company noted that there is a step change in cyber offensives that could have real world ramifications and end people’s lives directly as a result.

What is the goal of such cyberattacks?

Security incidents in OT and other cyber-physical systems (CPS) have three main motivations, according to Gartner.

The report stated that the first is “actual harm” to people or organisations, and the second is what they term “commercial vandalism” (reduced output), while the third is an attempt to wreak “reputational vandalism”: that is, making a manufacturer untrusted or unreliable so that they are unable to do future business.

The first such approach, actual harm, could be a highly costly exercise, Gartner’s forecast noted.

The financial impact of CPS attacks resulting in fatal casualties will reach over $50 billion by 2023, Gartner said.

They stated: “Even without taking the value of human life into account, the costs for organisations in terms of compensation, litigation, insurance, regulatory fines and reputation loss will be significant.”

That’s before even getting into the idea of attribution and apportionment of blame for letting such an attack happen.

Gartner has said it believes that Chief Executive Officers (CEOs) in businesses and organisations will be personally liable for each and every death.

Consequently, Gartner says organisations and their leaders need to take off the rose-tinted glasses and wake up to the reality of the world in which they are living.

The company urged them to ensure they are adequately prepared to tackle any issues that arise, and to head off cyber incursions that result in real-life death and destruction ahead of 2025, the year by which the company forecasts such incidents are likely to become commonplace around the world.

10 Security controls for Operational Technology, by Gartner

Gartner’s OT Security Control Framework contains a 10-step plan for people to avoid the pitfalls likely to befall those who do not prepare adequately.

The firm recommends that organisations adopt this framework of 10 security controls to improve security posture across their facilities and prevent incidents in the digital world from having an adverse effect in the physical world. These are:

  1. Define roles and responsibilities: Appoint an OT security manager for each facility, who is responsible for assigning and documenting roles and responsibilities related to security for all workers, senior managers and any third parties.
  2. Ensure appropriate training and awareness: All OT staff must have the required skills for their roles. Employees at each facility must be trained to recognise security risks, the most common attack vectors and what to do in case of a security incident.
  3. Implement and test incident response: Ensure each facility implements and maintains an OT-specific security incident management process that includes four phases: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity.
  4. Backup, restore and disaster recovery: Ensure proper backup, restore and disaster recovery procedures are in place. To limit the impact of physical events such as a fire, do not store backup media in the same location as the backed-up system. The backup media must also be protected from unauthorised disclosure or misuse. To cope with high-severity incidents, it must be possible to restore the backup on a new system or virtual machine.
  5. Manage portable media: Create a policy to ensure all portable data storage media such as USB sticks and portable computers are scanned, regardless of whether a device belongs to an internal employee or to external parties such as subcontractors or equipment manufacturer representatives. Only media found to be free from malicious code or software can be connected to the OT.
  6. Have an up-to-date asset inventory: The security manager must keep a continuously updated inventory of all OT equipment and software.
  7. Establish proper network segregation: OT networks must be physically and/or logically separated from any other network, both internally and externally. All network traffic between an OT network and any other part of the network must go through a secure gateway solution like a ‘demilitarised zone’ (DMZ). Interactive sessions to OT must use multi-factor authentication to authenticate at the gateway.
  8. Collect logs and implement real-time detection: Appropriate policies or procedures must be in place for automated logging and reviewing of potential and actual security events. These should include clear retention times for the security logs and protection against tampering or unwanted modification.
  9. Implement a secure configuration process: Secure configurations must be developed, standardised and deployed for all applicable systems, such as endpoints, servers, network devices and field devices. Endpoint security software like anti-malware must be installed and enabled on all components in the OT environment that support it.
  10. Formal patching process: Implement a process to have patches qualified by the equipment manufacturers before deploying. Once qualified, the patches can only be deployed on appropriate systems with a pre-specified frequency.
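The network segregation control above states two checkable requirements: every path between IT and OT must pass through the DMZ, and every interactive session into OT must authenticate with MFA at the gateway. The script below is an added example, not part of the Gartner report or ConsumerConnect’s reporting, showing how those two requirements can be audited against an inter-zone permit policy. The rule format, the zone names and their IT/DMZ/OT classification, and the sample policy are all constructed for illustration; a real audit would read them from the firewall configuration and the asset inventory (control 6).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Classification of each named network into an IT, DMZ or OT zone.
# Constructed for this example; in practice this comes from the asset inventory.
ZONE_KIND = {
    "CORP-USERS": "it",
    "CORP-SERVERS": "it",
    "OT-DMZ": "dmz",
    "OT-CONTROL": "ot",
    "OT-FIELD": "ot",
}

# Services that open an interactive session onto a host (assumed list).
INTERACTIVE_SERVICES = {"ssh", "rdp", "vnc"}


@dataclass(frozen=True)
class Rule:
    """One permit rule in a simplified inter-zone policy (constructed format)."""
    name: str
    src_zone: str
    dst_zone: str
    service: str
    mfa_required: bool = False


def zone_kind(zone: str) -> Optional[str]:
    """Map a network name to 'it', 'dmz' or 'ot'; None if unclassified."""
    return ZONE_KIND.get(zone)


def audit_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule name, reason) for every rule that violates the segregation control."""
    findings: List[Tuple[str, str]] = []
    for rule in rules:
        src, dst = zone_kind(rule.src_zone), zone_kind(rule.dst_zone)

        # An unclassified zone cannot be shown to be outside OT: fail closed and report it.
        if src is None or dst is None:
            findings.append((rule.name, "unclassified zone; segregation cannot be verified"))
            continue

        # IT and OT may only meet through the DMZ, in either direction.
        if {src, dst} == {"it", "ot"}:
            findings.append((rule.name, "direct IT<->OT path bypasses the DMZ"))

        # Interactive sessions terminating in OT must require MFA at the gateway.
        if dst == "ot" and rule.service in INTERACTIVE_SERVICES and not rule.mfa_required:
            findings.append((rule.name, f"interactive {rule.service} into OT without MFA"))
    return findings


# Constructed sample policy: three compliant rules, four problem rules.
SAMPLE_RULES = [
    Rule("historian-replication", "OT-CONTROL", "OT-DMZ", "opc-ua"),
    Rule("corp-to-historian", "CORP-USERS", "OT-DMZ", "https"),
    Rule("jump-host-rdp", "OT-DMZ", "OT-CONTROL", "rdp", mfa_required=True),
    Rule("vendor-ssh", "CORP-SERVERS", "OT-CONTROL", "ssh"),       # bypasses DMZ and lacks MFA
    Rule("engineering-vnc", "OT-DMZ", "OT-FIELD", "vnc"),           # via DMZ, but no MFA
    Rule("plant-dns", "OT-FIELD", "CORP-SERVERS", "dns"),           # OT -> IT without DMZ hop
    Rule("legacy-bridge", "PLANT-LEGACY", "OT-CONTROL", "modbus"),  # source zone not classified
]


def audit_sample() -> List[Tuple[str, str]]:
    """Run the audit over the constructed sample policy."""
    return audit_rules(SAMPLE_RULES)


if __name__ == "__main__":
    for name, reason in audit_sample():
        print(f"{name}: {reason}")
```

The unclassified-zone branch is deliberate: a network that is missing from the inventory is treated as a finding rather than silently passed, which ties the segregation check back to the asset inventory control. The same structure extends to other gateway requirements (for example, flagging any permitted service into OT that the gateway does not log) by adding a further condition in the loop.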

Gartner’s IT practice provides CIOs and IT leaders with the insights and tools to drive the organisation through digital transformation and lead business growth.
