The focus and spending on information technology (IT) systems by business organisations in India need to be complemented with similar efforts in operational technology (OT) and consumer technology (CT) systems to combat myriad cyber-attacks, suggested a recent ASSOCHAM-PwC study.
“Currently, such initiatives are not taking place, thereby leading to a rise in attacks by cybercriminals,” said the study titled, ‘Protecting interconnected systems in the cyber era,’ jointly conducted by ASSOCHAM and PricewaterhouseCoopers (PwC).
OT and CT systems have long been used in industrial and end-user products to monitor and control physical processes. Traditionally, these technologies have been air-gapped, in that they are segregated from the IT network. However, OT and CT systems are becoming increasingly interconnected and integrated with other IT systems.
“Economic challenges, resource constraints, business requirements and technology standardisation have made it impractical to continue completely segregating OT and CT networks from IT networks,” noted the ASSOCHAM-PwC study.
With the increased use of IT, OT and CT in critical infrastructure, overall effectiveness has increased. However, these elements have also become the target of choice for attackers, who recognise the impact of disrupting the routine way of life.
Thus, considering that organisations today are more reliant on OT and CT networks to control their operations and infrastructure, they should build a forward-looking cyber security programme that is based on the right balance of technologies, processes and people skills—all supplemented with an ample measure of innovation.
“With these components in place, organisations are likely to be better prepared for the future of cyber security,” said the ASSOCHAM-PwC study.
Attackers can gain control of vital systems such as nuclear plants, railways, transportation or hospitals, which can subsequently lead to dire consequences such as power failures, water pollution or floods, disruption of transportation systems and loss of life.
“By identifying cyber security flaws and issues, decision makers will be better placed to implement appropriate security controls, design additional secure architectures, monitor targeted attacks and maintain effective cyber resilience for their IT, OT and CT networks,” said the ASSOCHAM-PwC study.
It also highlighted certain cyber security gaps in OT and CT systems among organisations in India: lack of accountability about ownership to secure OT and CT infrastructure; poor maintenance of basic security hygiene (missing security updates, poor password practices, insecure encryption and authentication, lack of segregation within networks); limited understanding of security risks and vulnerabilities among stakeholders; poor monitoring for security purposes; and missing security plans, thereby increasing the potential impact of an incident.
Maintaining a secure and resilient OT and CT environment requires a comprehensive strategy that covers security governance and process, implementation of the right technology and employing people with the right skills.
“A national strategy to secure critical infrastructures requires collaborative efforts through timely information sharing across critical sectors. Timely information on events and incidents to critical infrastructure stakeholders, for potential cross-sectoral impacts, would help in appropriate response mechanism. National-level cross-sector forums could be established to institutionalise the cooperation between various critical sectors.”
Besides, a clear understanding of cyber risks and adequate cooperation between relevant business, IT, OT and CT teams is required.
The study also stressed the need to set up a sector-specific nodal body to design plans, advisories and guidelines to manage and govern the overall cyber security aspects of the sector and to enhance public-private partnerships.
Further, it suggested that an emergency warning network for cyber vulnerabilities, threats and incidents is crucial to proactively analyse and respond to damage or attacks on such infrastructures.
“With regard to security incidents in critical infrastructure, organised efforts are required to reduce the potential cascading impact and response time,” the report recommended.
Incident response for critical infrastructures requires a partnership between public and private organisations to perform analysis, issue early warnings and coordinate response efforts, it added.