A few months ago, a cyber-criminal gang called Darkside brought Colonial Pipeline’s systems offline for nearly a week, causing panic buying and fuel shortages. Soon afterward, The Health Service Executive (HSE) in Ireland was hit by a ransomware attack that stole health records and scrambled telemetry data in IT hospital systems.
The Internet of Things (IoT) has changed the way we need to think about protecting operational technology. It’s no longer enough just to physically protect the machinery and digital devices used in healthcare, business, manufacturing, and transportation. Increasingly, today’s operational technology is smart and that makes it more vulnerable than ever to attack.
The importance of protecting critical digital infrastructure and the operational data it produces was highlighted by a recent one-day summit where President Biden handed Vladimir Putin, his Russian counterpart, a list of 16 critical infrastructure sectors that must be “off-limits” from cyberattacks. For many people, the summit reinforced the idea that protecting the operational technologies used in industry, businesses and homes needs to be a collaborative endeavor. The question then becomes, who is responsible for what? Here’s a breakdown:
Responsibilities of End Users
- Practice good cyber hygiene
End users can be the weakest link in security operations. You can help staff stay on top of the latest phishing email and social engineering exploits by offering them security-awareness training on a frequent basis. Be sure to enforce security policies that require strong passwords and multi-factor authentication.
End users can also be your first line of defense. Quick response and escalation of cyber incidents is key to limiting the damage a cyberattack can cause. Consider testing end users periodically to make sure they know what to do and who to contact if they suspect a cyber exploit.
Responsibilities of Private Sector Managers
- Replace old, legacy systems
Legacy operational technology can be expensive and difficult to replace. Some operational technology systems used in industry, for example, still run on Windows 95 and weren’t designed with cybersecurity in mind. Collaborate with stakeholders to create an enterprise lifecycle plan for operational technology that addresses how you plan to mitigate risk.
- Make sure investments in cybersecurity are a priority
Failure to allocate sufficient resources to protect operational technology assets will only increase the chance that an attack will be successful. When budget time rolls around, make sure your organization views security controls as an asset, …….