The Modernization Double-edged Sword: A Look at OT Cybersecurity in the Maritime Industry
By Abby Cassell. Abby Cassell is a business development specialist at ABSG Consulting Inc. ("ABS Consulting").
March 11, 2024 (Investorideas.com Newswire) Most people have encountered some form of Operational Technology (OT) without even realizing it. OT is the hardware or software that monitors or controls how physical devices perform, such as cranes at ports or a ship's dynamic positioning system.
A recent surge in unprecedented cyber-attacks has placed cybersecurity higher up the critical process agenda than ever before. While adversaries have previously concentrated their efforts on infiltrating IT networks, they are now turning their attention to scouting OT networks, expanding cyber risk beyond the threat of stolen data to also include losing control over systems. Threat actors are now looking for direct control over operations in physical environments. A successful attack can literally bring the targeted organization to a halt or, in more extreme circumstances, pose a direct threat to physical safety - a recent example being Volt Typhoon (https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a). Officials believe that this activity is in preparation for future conflicts where US adversaries wish to cripple critical infrastructure.
As an example, US officials disclosed vulnerabilities during recent congressional testimony: Chinese-manufactured ship-to-shore (STS) cranes used across the marine transportation system (MTS) have the potential for remote exploitation. If exploited, these vulnerabilities could prevent cranes from operating, leading to port and vessel disruptions. OT risk is a real and present danger that organizations in the maritime industry should be aware of and seek to mitigate.
The MTS, one of the largest of the 16 critical infrastructure sectors in the United States, includes waterways, ports, and land-side connections, and facilitates the movement of people and goods to and from waterways.
With over 900 ports and countless terminals and facilities, the MTS includes vessels within the commercial, civilian, government, and military sectors. As a result, it contains thousands of OT systems that control anything from port cranes to a ship's engine or navigation system.
Additionally, each port will have different OT systems due to its particular purpose—a cargo port will have more OT systems supporting the movement of shipping containers, whereas a cruise port will be focused on supporting the movement of people.
As new technologies are developed, they are often added as enhanced 'bolt-on' functionality to legacy OT systems built in the late 1990s or early 2000s, the beginning stages of automation.
In more recent years, these legacy OT systems have been connected to the internet to provide stakeholders with remote access to control the systems worldwide. And while the increasing digitalization and automation of systems and processes may deliver the prospect of greater efficiency and competitiveness within organizations, it can also create the opportunity for greater cyber risk exposure through the growth of potential 'attack surfaces' - the ways in which cyber-attackers can penetrate systems.
More than ever, maritime organizations should ensure they are 'Cyber Resilient' by being prepared, ready, and able to defend against and recover from any cyber incident that could threaten their safety, security, and productivity.
The IT/OT convergence can cause boundaries to blur between IT network functions and OT critical control functions, making it more challenging for operators to fully understand how their systems interact with one another.
In a worst-case scenario, this misunderstanding could prevent operators from quickly restoring operations in the event of a cyber incident within a ship's network.
To identify vulnerabilities at the IT/OT convergence, OT cybersecurity specialists have been known to perform security assessments using enterprise IT tools and approaches, which can be a problem.
Specifically, these assessments often cause more harm than good within OT environments, given that the assessments used were created with IT systems in mind. The reality is that OT systems will need to interact with the network differently compared to their IT counterparts.
Additionally, OT systems can contain hardware unable to withstand some types of IT assessments, which can themselves cause a negative interaction leading to shutdown, particularly on legacy systems.
This all points to the fact that modernization can be a double-edged sword; increased connectivity allows for immediate access control, with real-time operational data and adjustments, while at the same time increasing risk exposure to a potential adversary who could use that same connectivity to debilitate MTS operations such as port functions or vessel movements.
The Steps to Improved Cyber Resilience
So how do you develop a resilient Cybersecurity Asset Management Plan? There are four key areas an organization should consider - asset management, configuration management, vulnerability management, and detection and response management, through:
- Securing what you know
- Assessing Criticality
- Committing to the Process
- Evaluating Manual v Automated Options
But before we jump into the detail, it is important to highlight a critical success factor across all four steps: OT and IT operations working together to ensure that any gaps between the two are identified and bridged.
All too often in the past, OT and IT have worked in silos, with hardware on one side and software on the other. If your goal is to create a robust cybersecurity asset management plan, there should be harmony between these two critical areas, and they should be looked at holistically.
Step 1 - Visibility and control - securing what you know
It's impossible to secure what you don't know. That is why it's critical to know your assets, and to protect the work you put into defining them and their associated risk by documenting changes effectively.
Undertaking a full audit of your IT and OT network is the first fundamental step in the plan, providing the opportunity to identify all hardware and software, and by doing so have a greater understanding of the possible points of attack. How do these assets interact across the organizational network? As an example, consider assets that could be updated via a supplier USB port or easily accessed during third party vendor maintenance.
Step 2 - Criticality
Criticality looks at which assets within an organization you really need to focus on - which operations are fundamental, and how both systems and components work together to support the performance of those operations.
When both have high criticality then they become a priority, and you should consider putting your focus here.
Step 3 - The Process
The process step needs to be considered as a living, continual process, with criticality at its heart.
What we are looking at here is fundamentally a Management of Change (MOC) process. The key to success is to ensure that the risks and critical processes have been carefully evaluated, identified, and managed prior to implementing any significant changes. This baseline enables the MOC process to continually assess, change, monitor, and update, identifying any potential new hazards that could result from these changes.
Change management processes are designed to ensure that any required/identified updates or modifications are properly documented, tested, and implemented without causing disruptions to the operations. Rather than rushing any identified changes - with the inherent risks this can bring - the MOC process enables effective and appropriate changes to be properly implemented.
This step in the process is all about traceability, accountability, and risk mitigation.
Organizations really should be open to change on a cultural level for this approach to fully integrate. As an example, software updates are not often seen as part of the change management process, but they should be considered equally as important as hardware updates and replacements.
Through this approach, processes and procedures are built into an effective MOC that can enable an organization to bridge the gap between hardware and software silos.
Step 4 - Manual v Automated
Whether you opt for manual or automated methods, the key is to use the best approaches for your organization. It's not OT v IT - it's the two working together for the most effective cyber resilience and cyber management outcomes.
Data-driven decision-making should ideally become part of the organizational culture when it comes to cybersecurity asset management. Completing Step 4 is not the end of the story, however. It should be seen as a continual, living, evolving process.
Ongoing Continual Development is critical and looks at four key areas:
- Network monitoring and alerts
- Asset management
- Vulnerability management
- Configuration management
Conclusion
OT systems often serve as the backbone for many processes in the maritime industry and other critical infrastructure sectors. While technology modernization creates an environment with increased collaboration, communication, and connectivity, it usually doesn't consider securing legacy systems.
OT cybersecurity, as a practice, should find a balance between being innovative enough to keep up with ongoing threats, while also maintaining tools and practices capable of communicating with legacy systems to better maintain operational security.
Additionally, OT systems are inherently different from their IT counterparts; these differences should be considered when developing cyber policies and systems, rather than tapping into existing enterprise IT risk management frameworks and approaches, which ultimately can create a "square peg in a round hole" scenario.