Strengthening Your Organisation’s Physical and Technical Infrastructure
As recent events have demonstrated, organisations must take coordinated steps to protect their IT and physical systems.
There are times when a single and highly specific event can highlight a problem that looks set to become increasingly pressing across a wide range of industries.
In October of 2022, tr ain services in Northern German were severely disrupted by an attack on national rail company, Deutsche Bahn’s critical infrastructure. To be more precise, unknown actors cut essential cables in two places, an act of sabotage that affected the network’s digital radio system and resulted in train cancellations over several hours.
The attack served to illustrate that organisations can no longer think about security in binary terms with IT in one silo and physical infrastructure in another. In reality, the two are inextricably linked and when bad actors seek to disrupt an organisation they have a range of options. An attack on physical assets can take out IT. Equally, a software hack on a digital control system can bring operations to a halt on a rail network, in a power station or along a stretch of oil pipeline.
This would be worrying at any point in time, but with the war in Ukraine showing no signs of coming to an end, everyone must be aware that critical infrastructure is potentially a target and should decide to adopt a strategy of so-called hybrid warfare to spread alarm to destabilise target countries. From the perspective of state-affiliated actors, such attacks cause chaos but crucially, they are also hard to attribute. For instance, the recent sabotage of the Nordstream pipeline is widely thought to have been the work of Russia or its agents but no hard evidence – certainly, none that has been shared publicly – has been put on the table.
Malicious Actors
In addition, there is also a familiar cast of malicious operators. These include organised criminals seeking to steal data or secure ransom payments, hacker activists and former employees with a grudge.
And arguably, thanks in part to the digitisation of the modern global economy, these actors have more opportunities than ever to attack both digital and physical assets.
This is where we must look beyond the obvious targets. Clearly, companies working in sectors such as transport, oil and energy are responsible for the security of widely distributed physical assets and increasingly these are controlled and monitored by digital Operational Technology systems.
That creates new vulnerabilities. For instance, a recent Verizon report on protecting physical infrastructure cited UK figures suggesting that 86% of managers had detected attacks on their Operational Technologies.
Until relatively recently, however, a great many businesses would think of digital and physical security purely in terms of protecting operations within the perimeters of their factories or offices – equipment, servers, desktop PCs etc. They wouldn’t think of themselves as infrastructure dependent.
Outside the Perimeter
Today, that has all changed. Companies using cloud computing, and co-location of servers are all dependent on digital and physical assets that sit outside their four walls. And more recently, we’ve seen the switch to greater home working and (in some cases) the adoption of internet of things (IoT) technology. Again, this creates a network of physical assets and software systems that may be widely dispersed geographically. Gartner has characterised this trend as the “Everywhere Enterprise” and predicts that by 2025, 85% of infrastructure strategies will integrate on-premises, colocation, cloud and edge delivery options, compared with just 20% in 2020.
So, here’s the challenge. Hackers of all description are using technologies such as AI, machine learning and automation to find vulnerabilities not only in software but also in digitised control systems. Once vulnerabilities are found, immense damage can be done to critical infrastructure.
What can be done? Well, one thing that organisations will certainly have to do is include external assets, resources and users in their security plans. Consultancy McKinsey suggests the creation of what it calls a Zero Trust Architecture. One important feature of this approach is to restrict access to the kind of data that could enable security to be breached.
Given the complexity of some organisations in terms of their external infrastructure, there is also a need for security strategies that can be applied across systems. Verizon recommends that the security processes around control systems should be standardised and codified. This would make it much easier to manage threats and breaches in physical/digital and multicloud environments while also increasing resilience.
It’s also important to increase contact and integration between IT and Operational Technology teams, so that when potential security breaches are identified, they are also shared and acted upon. Staff in both teams should be trained to understand the potential threats, ranging from fishing and denial of service through to physical sabotage. Regular patching of applications and operating systems along with the physical protection of assets is also vital.
The exact strategies will depend on the organisation, but the key point is that physical and digital systems cannot be treated as separate and distinct.
