Building a critical infrastructure security dream team

The term ‘cyber-physical environment’ may sound like something straight out of a futuristic sci-fi film. In reality, it refers to the integration between our critical infrastructure and the digital systems we rely on daily — whether for communication, transportation, or in the way we live and work.

In the last three decades, what were previously mechanical processes have become automated. This has driven major growth for essential industries such as energy, telcos, water and now data centres.

However, automating critical infrastructure also exposes these services to heightened risks of cybercrime. That is why it’s essential to have a strong cyber strategy, as all corners of the business must be aware of safety practices and leaders must be across the high-level strategy.

The Security of Critical Infrastructure (SOCI) Act is a cornerstone of the government’s planned Cyber Security Act to keep potential risks at the forefront for Australian businesses. This puts new requirements on our most critical sectors to identify and protect assets and report vulnerabilities. To adhere to the SOCI Act and the new expectations surrounding critical infrastructure, organisations need to start building an operational technology (OT) security dream team. This can be done by incorporating myriad skills and strengths, while figuring out who leads, who buys and who follows.

Let’s take one of Australia’s favourite dream teams as an example: the women’s swimming quartet of Mollie O'Callaghan, Shayna Jack, Emma McKeon and Meg Harris, who won four consecutive relay gold medals at this year’s Paris Olympic Games. Individually, the team is impressive. But collectively, they are unstoppable — despite being fierce rivals in their individual events.

You certainly don’t need world-class athletes to launch your security program. However, you do need a team with complementary skills who work well together.

For operational technology — somewhat different to traditional IT security requirements — this would include plant managers, engineers and operators who understand industrial control systems inside and out, even if they might not be experts in, and could even be sceptical of cybersecurity.

Ideally, these people would also be able to interpret the consequences of possible actions and quantify that in terms of business disruption.

On the cyber side, you’ll want to recruit security and network managers, analysts and administrators, even if several of them have never set foot on the plant floor. You need someone that can interpret context and relate cyber health conditions, while being able to communicate in plain terms to non-technical staff.

To adhere to cybersecurity regulations, a compliance expert is an important team member. To ensure the solutions you install cover key requirements including mandated reporting.

In order for the team to gel, each personnel should understand their role ahead of time. Like the women’s relay team, Mollie O'Callaghan, Shayna Jack, Emma McKeon and Meg Harris all know what order they are racing in, their strategy, and what role this placement plays for the overall relay plan.

Ideally, the team would also have an understanding of what third-party supplier relationships are in place, what skills they can provide, and have an ability to bring these third parties in when needed.

Now let’s assume your team successfully selects a cybersecurity solution and gets it implemented, with finely tuned controls backed by well-documented policies. Now it’s time to ensure all those hours of practice — in this case, learning how to devise joint strategies and work together — pay off with long-term product and process ownership.

To have successful enterprise risk management in place, data from your OT environment must be fed into your existing IT security platforms so the security operations centre (SOC) or managed security services provider (MSSP) can identify issues.

It is essential that OT specialists — those with OT security expertise — are on the team. They’re needed to educate and continuously advocate OT network sensitivity to other skilled workers and explain why remediation efforts should include personnel who understand your industrial processes and network intricacies. This way your team can front-foot potential threats and draw on the complementary expertise within the team, in turn gaining greater confidence in the organisation’s security resilience.

In the end, it is the variety of skills that make up the team that will keep our critical infrastructure secure, alongside their advocacy for OT security. From the floor manager or line worker to the experts in cybersecurity, encouraging and sharing knowledge among all team members will create immeasurable value and instil confidence in a secure network. Although the creation of a dream team may seem like a daunting investment, at the end of the day, when hacks, outages, ransomware and other potential impacts can cost millions of dollars, cyber resilience is good business, and can help to keep people safe and essential services running in the world of critical infrastructure. *Dean Frye is Solutions Architect for Nozomi Networks, based in Sydney.

Top image credit: iStock.com/Blue Planet Studio