In today’s rapidly evolving threat landscape, cybersecurity incidents are rising at an alarming rate. The convergence of information technology (IT) and operational technology (OT) environments has created new opportunities for attackers, and as demand grows for more open interconnections, cloud services and artificial intelligence, the risks grow with it.
A safety-first mindset is critical to reducing both physical and cybersecurity risk. Whether the goal is minimizing human error in physical safety or safeguarding sensitive OT infrastructure data, a holistic approach to safety is vital for preventing many incidents.
This article explores four areas in which a strong safety mindset can increase awareness and reduce the future risk of both physical harm to people and cybersecurity incidents. It also looks at some best practices for securing IT and OT business operations.
The Alarming Number of Human Safety Incidents
According to the U.S. Bureau of Labor Statistics, in 2022 there were 5,486 fatal workplace injuries recorded in the United States, reflecting a 5.7% increase from 2021. In 2022, one worker died every 96 minutes from a workplace injury. In addition, according to a recent report by Waterfall and ICS Strive, there were 68 attacks with physical consequences in 2023, affecting over 500 sites, which represents a 19% increase over the 57 attacks reported in 2022.
What is noteworthy is that the physical consequences included production outages, equipment damage, environmental damage, and injuries or casualties. In other words, incidents in which people deliberately attacked IT systems and industrial OT processes and caused physical outages are on the rise. This article highlights how unsafe IT practices can lead to physical harm in critical infrastructure environments and offers recommendations for managing cybersecurity and human safety together, now that the line between the two is blurring.
Cybersecurity Use Cases
A good way to understand the importance of a safety mindset is to examine some compelling real-world incidents. Below are two cyber threats that we can learn from to better protect human life.
Triton/TRISIS
The first incident is Triton/TRISIS, industrial control system (ICS) malware built to tamper with a safety instrumented system (SIS) inside an OT environment; the 2017 incident in which it was discovered targeted Schneider Electric Triconex safety controllers at a petrochemical facility. According to Dragos, TRISIS can change the logic on the final control element, which could be leveraged to alter the set points required to keep a process in a safe condition. SIS use dedicated safety controllers designed to provide advanced safety features and workflows for essential processes in industrial environments, so compromising one removes the last automated layer between a process upset and physical harm. Possible impacts include equipment and facility damage, operations downtime, targeting and manipulation of distributed control systems (DCS), and potential loss of life.
Below are some recommendations to help ensure the safe and reliable operation of your SIS:
· Check with the SIS vendor to ensure that the appropriate or approved security features are enabled on the safety controllers.
· Deploy safety systems on isolated networks (i.e., ensure proper network segmentation) to reduce their exposure to external unauthorized users.
· Ensure that physical controls are in place so that no unauthorized person can reach the safety controllers, peripheral safety equipment, or the OT network segment where the safety system resides.
· Keep all SIS controllers and sensitive OT equipment locked in cabinets where possible, and ensure that only authorized operators have access to those cabinets.
· Configure operator workstations to display an alarm whenever the SIS controller key switch is in program mode (i.e., whenever the safety logic can be modified).
· Do not allow CDs, DVDs, USB drives or any other removable media to be used in the ICS/OT environment unless they are authorized, and scan their contents before use.
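As an added example (not code from the original article), the following Python sketches how the key switch alarm in the list above can be made useful to an operator rather than merely noisy: a programmable position inside an approved change window is informational, a controller that is still programmable after its window has closed is a high-priority alarm, and a programmable or stopped controller with no window at all is critical. The key switch positions follow the Triconex-style controller (RUN, PROGRAM, REMOTE, STOP); the telemetry format, controller names and change ticket ids are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Key switch positions used here follow a Triconex-style SIS controller.
# Only RUN means the safety logic is locked and executing; PROGRAM and
# REMOTE both allow the logic to be modified, STOP halts the safety function.
NORMAL_POSITION = "RUN"
PROGRAMMABLE_POSITIONS = {"PROGRAM", "REMOTE"}


@dataclass(frozen=True)
class KeySwitchSample:
    """One polled reading of a controller's key switch (constructed format)."""
    ts: datetime
    controller: str
    position: str


@dataclass(frozen=True)
class MaintenanceWindow:
    """An approved change window; 'ticket' is a hypothetical change-management id."""
    controller: str
    start: datetime
    end: datetime
    ticket: str


def _open_window(sample, windows):
    for w in windows:
        if w.controller == sample.controller and w.start <= sample.ts <= w.end:
            return w
    return None


def _recently_closed_window(sample, windows, grace=timedelta(hours=4)):
    """Most recent window for this controller that ended within `grace` before the sample."""
    candidates = [w for w in windows
                  if w.controller == sample.controller
                  and w.end < sample.ts <= w.end + grace]
    return max(candidates, key=lambda w: w.end) if candidates else None


def evaluate_key_switch(samples, windows):
    """Turn polled key switch readings into operator alarms.

    Returns (severity, controller, message) tuples, one per sample that is
    not in RUN, so a standing condition re-asserts on every poll:
      INFO     - programmable position inside an approved window
      HIGH     - still programmable shortly after its window closed
      CRITICAL - programmable with no approved window, or controller STOPPED
    """
    alarms = []
    for s in sorted(samples, key=lambda x: x.ts):
        if s.position == NORMAL_POSITION:
            continue
        when = s.ts.strftime("%Y-%m-%d %H:%M")
        if s.position in PROGRAMMABLE_POSITIONS:
            w = _open_window(s, windows)
            if w is not None:
                alarms.append(("INFO", s.controller,
                               f"{when} key switch in {s.position} under {w.ticket}"))
                continue
            closed = _recently_closed_window(s, windows)
            if closed is not None:
                alarms.append(("HIGH", s.controller,
                               f"{when} key switch still in {s.position} after "
                               f"{closed.ticket} closed at {closed.end:%H:%M}; return to RUN"))
            else:
                alarms.append(("CRITICAL", s.controller,
                               f"{when} key switch in {s.position} with no approved window"))
        elif s.position == "STOP":
            alarms.append(("CRITICAL", s.controller,
                           f"{when} controller STOPPED; safety function not executing"))
        else:
            alarms.append(("HIGH", s.controller,
                           f"{when} unrecognised key switch position {s.position!r}"))
    return alarms


def sample_run():
    """Constructed feed: two controllers polled over one shift."""
    day = datetime(2024, 5, 2)

    def at(hour, minute):
        return day.replace(hour=hour, minute=minute)

    windows = [MaintenanceWindow("SIS-01", at(9, 15), at(10, 0), "CHG-1042")]
    samples = [
        KeySwitchSample(at(9, 0), "SIS-01", "RUN"),
        KeySwitchSample(at(9, 30), "SIS-01", "PROGRAM"),   # inside CHG-1042 -> INFO
        KeySwitchSample(at(10, 10), "SIS-01", "PROGRAM"),  # window closed -> HIGH
        KeySwitchSample(at(10, 20), "SIS-01", "RUN"),
        KeySwitchSample(at(14, 0), "SIS-02", "PROGRAM"),   # no window -> CRITICAL
        KeySwitchSample(at(14, 5), "SIS-02", "RUN"),
    ]
    return evaluate_key_switch(samples, windows)


if __name__ == "__main__":
    for sev, ctrl, msg in sample_run():
        print(f"{sev:8} {ctrl}: {msg}")
```

Because the check runs on every polled sample rather than only on a transition, a controller left in PROGRAM keeps re-raising the alarm until the key is turned back to RUN, which is the behaviour an operator display should have for a standing unsafe condition.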
Volt Typhoon
The second threat is Volt Typhoon, an attacker group known for gaining unauthorized access to and compromising many organizations’ IT networks using “living off the land” (LOTL) techniques. The group gets in through phishing, credential theft and exploitation of known vulnerabilities in Internet-exposed systems. Once inside, the attackers use valid accounts and the built-in, approved tools already present on the network to learn the environment and maintain long-term persistence, which makes their activity hard to distinguish from legitimate administration.
According to researchers who have studied this group, no physical consequences have been reported to date. However, in at least one case the attackers demonstrated the ability to move laterally from the IT network into a sensitive industrial OT network.
Safety and security actions you can take to minimize the risk of an OT operations compromise include the following:
· Get buy-in and budget from IT, OT operations teams and leadership to implement safety/security best practices.
· Limit Internet access for assets considered crown jewels (OT assets essential to operations uptime), and patch Internet-facing IT systems for vulnerabilities that are being actively exploited in the wild.
· Implement multi-factor authentication (MFA) on all IT endpoints and, where possible, on OT systems as well.
· Remove end-of-life software and hardware from the IT network (especially systems that have connectivity to the OT network).
· Monitor both the IT and OT networks, and enforce the use of approved (safe) VPN and remote access solutions; have your network teams keep a close eye on the following products, as they have been exploited by Volt Typhoon:
o Fortinet FortiGate
o PRTG Network Monitor appliances
o ManageEngine ADSelfService Plus
o FatPipe WARP
o Ivanti Connect Secure VPN
o Cisco ASA
o Versa Networks’ Director Servers – See CVE-2024-39717.
By applying the above security and safety recommendations, companies can better protect both their employees and their industrial operations. As OT environments become more interconnected and exposed to the Internet, best-practice efforts must expand to manage physical and cybersecurity risks in tandem.
Insecure Remote Access to OT Networks
One of the most significant risks in today’s operational environments is insecure remote access to industrial networks. OT networks run industrial operations, including machinery and processes in manufacturing plants, electric power utilities, water treatment facilities and many other critical infrastructure environments. These OT systems, once isolated from IT networks, are now increasingly connected, which creates new risks, threats and vulnerabilities for operations.
Many organizations allow remote access to OT networks for monitoring, diagnostics and maintenance. However, inadequate security controls around that access can have disastrous consequences. Once inside the OT network, attackers can cause significant operational disruption, such as shutting down machinery, altering production processes, or even physically damaging equipment and harming personnel.
To prevent this, organizations must implement multi-factor authentication, enforce secure remote access policies, and regularly update and patch the approved remote access systems. These practices are part of a safety-first mindset, ensuring that every remote access point is as secure as reasonably possible.
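A concrete way to hold remote access to the standard above is to review the firewall policy that gates the OT zone against a short written rule set: interactive access only from a hardened, MFA-protected jump host on a named port, nothing Internet-reachable into OT, and no industrial or remote-admin protocols opened to other sources. The Python below is an added example, not from the original article; the address ranges, rule names and jump host are constructed, and the port table covers common industrial and remote-administration protocols.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for this example; substitute your own zones.
OT_ZONE = ipaddress.ip_network("10.50.0.0/16")     # plant / control network
JUMP_HOST = ipaddress.ip_network("10.10.5.20/32")  # hardened, MFA-protected jump host

# Ports that matter once someone reaches the OT zone: controller protocols,
# and the interactive protocols used to reach engineering workstations.
INDUSTRIAL_PORTS = {102: "S7comm", 502: "Modbus/TCP", 4840: "OPC UA",
                    20000: "DNP3", 44818: "EtherNet/IP"}
REMOTE_ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC"}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # CIDR
    dst: str             # CIDR
    port: Optional[int]  # None means any port
    action: str          # "allow" or "deny"


def _describe(port):
    if port is None:
        return "any port"
    return INDUSTRIAL_PORTS.get(port) or REMOTE_ADMIN_PORTS.get(port) or f"port {port}"


def review_ot_rules(rules):
    """Flag allow rules that open a path into the OT zone outside policy.

    Policy modelled here: interactive access to OT comes only from the jump
    host, on a named port; nothing reachable from the Internet may touch OT;
    industrial and remote-admin protocols are never opened to other sources.
    Returns (severity, rule name, message) tuples in rule order.
    """
    findings = []
    for r in rules:
        if r.action.lower() != "allow":
            continue
        src = ipaddress.ip_network(r.src)
        dst = ipaddress.ip_network(r.dst)
        if not dst.overlaps(OT_ZONE):
            continue                                   # not a path into OT
        what = _describe(r.port)
        if src.prefixlen == 0:                         # 0.0.0.0/0
            findings.append(("CRITICAL", r.name,
                             f"Internet-reachable path into OT on {what}"))
        elif src.subnet_of(JUMP_HOST):
            if r.port is None:
                findings.append(("MEDIUM", r.name,
                                 "jump host allowed on any port; pin it to the protocol in use"))
        else:
            sensitive = (r.port is None or r.port in INDUSTRIAL_PORTS
                         or r.port in REMOTE_ADMIN_PORTS)
            findings.append(("HIGH" if sensitive else "MEDIUM", r.name,
                             f"{r.src} bypasses the jump host into {r.dst} on {what}"))
    return findings


# Constructed ruleset: one compliant rule, several policy violations, one deny.
SAMPLE_RULES = [
    Rule("ot-jump-rdp",     "10.10.5.20/32", "10.50.0.0/16",   3389, "allow"),  # compliant
    Rule("ot-jump-any",     "10.10.5.20/32", "10.50.10.0/24",  None, "allow"),  # too broad
    Rule("it-to-ot-modbus", "10.10.0.0/16",  "10.50.20.0/24",  502,  "allow"),  # IT speaks Modbus
    Rule("vendor-vnc",      "0.0.0.0/0",     "10.50.20.15/32", 5900, "allow"),  # exposed VNC
    Rule("it-to-historian", "10.10.0.0/16",  "10.50.1.10/32",  443,  "allow"),  # skips jump host
    Rule("deny-all-ot",     "0.0.0.0/0",     "10.50.0.0/16",   None, "deny"),
]


def review_sample():
    return review_ot_rules(SAMPLE_RULES)


if __name__ == "__main__":
    for sev, name, msg in review_sample():
        print(f"{sev:8} {name}: {msg}")
```

The review is deliberately strict about anything that is not the jump host: an IT subnet speaking Modbus straight to a controller segment is HIGH even though a firewall vendor’s default report would show it as an ordinary allow, and the vendor VNC rule is CRITICAL regardless of how strong the VNC password is, because a path from 0.0.0.0/0 into the OT zone is exactly what the remote access policy is meant to rule out.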
How IT and OT Teams Can Work Together
To improve both safety and security in modern operations, collaboration between IT and OT teams is essential. Historically, these teams operated independently and with differing goals. IT traditionally focuses on the confidentiality, integrity and availability of commercial information systems, whereas OT focuses first on the safety of people, protection against physical equipment damage, the availability of engineering processes, and integrity in managing industrial processes. Today, however, OT networks are increasingly digitized, so the two teams increasingly need to work together.
Shared Objectives for Safety and Security
Cybersecurity and physical safety training: IT teams often have more experience with cybersecurity issues, making them valuable resources for OT teams, who may be less focused on system patching or network vulnerabilities. Regular training and collaboration (e.g., tabletop exercises) help both teams align on shared cybersecurity and safety goals.
Cross-system monitoring: By integrating IT and OT monitoring tools, both teams gain better visibility into potential security and safety incidents. This includes watching for abnormal network traffic, unauthorized physical or logical access, and sudden changes in system behavior that could indicate a breach.
Unified response plans (i.e., incident response): Safety and cybersecurity incidents that result in OT system outages can have physical consequences, such as equipment failure or unsafe working conditions. By working together, IT and OT teams can develop unified incident response plans that account for both cyber and physical risks.
By fostering collaboration between these teams, organizations can achieve safer, more resilient operations, reducing the risk of both human safety incidents and cybersecurity breaches.
Prioritize Safety to Reduce Cybersecurity Incidents
In conclusion, by prioritizing and implementing safety and security best practices, companies can more effectively mitigate the risk of cyber-attacks. Secure remote access, robust network segmentation, safety training, and patching or otherwise mitigating critical and high-severity exploitable vulnerabilities are all a must. In addition, a strong working relationship between IT and OT teams will reduce breaches and shorten response times when incidents do occur. A safety-first mindset means safeguarding the critical infrastructure that supports industrial operations while working together to protect human life.