February 23, 2022 Time to Take CyPhy Seriously

In light of today’s massive threats to critical infrastructure, organizations must prepare for significant upgrades.

By Red Curry, chief marketing officer, Tautuk

There’s no longer a clear distinction between cybersecurity and physical security; the boundary lines have been blurred thanks to factors such as the disappearance of the OT air gap, nation-state actors and attacks on infrastructure. We’ve seen how Russian actors attacked Ukraine’s power grid in the past, leading to fears of more cyber-attacks carried out in tandem with a physical invasion.

At the same time, concerns about cyber-attacks on our infrastructure are warranted, as it’s old. Most of it was designed for far fewer people than it currently serves, whether that’s water systems or electricity grids. In short, the cyber/physical (CyPhy) threat is real.

The problem is that the majority of IT security team energy goes to protecting only the digital network – which is negligent and unforgivable when critical infrastructure is at stake. And even the digital side isn’t always being well-protected. A recent report by one control systems cybersecurity expert found that over 3,000 smart instruments in one petrochemical facility had no passwords – even by default – potentially making the industrial environment that much more vulnerable. This must change.

The current state of OT systems

America’s infrastructure is aging and outdated. The American Society of Civil Engineers gave it a C-minus on its quadrennial infrastructure report card – with the transit system getting even lower marks. It’s clear that legacy structures and legacy technologies must be addressed.

Many of America’s roads, bridges and other actual physical structures are worn out, but that’s not the whole story. The systems within most types of infrastructure (i.e. the sensors that control train crossings) are, too. Infrastructure procedures are also outdated. In most of the U.S., we still have our power lines above ground, where they’re wide open and vulnerable to common occurrences like massive snowstorms that can take down a city’s power. In other countries, including much of Europe, power lines are often underground. Why isn’t this the case for the U.S. in 2022? The major reason is cost.

There are gaps in skills and knowledge, too. As is the case across many industries, OT faces a skills gap, particularly when it comes to the technical skills needed for more modern systems. The convergence of IT/OT means you need skills for both. Applications and critical services are built on both physical infrastructure and digital, and they’re inseparable.

As if these issues weren’t enough, it’s also logistically challenging to upgrade these  infrastructure systems because many of them are located in remote, hard-to-reach areas, and the sheer volume and mass of devices, power lines and so on makes. It’s also expensive to replace all these aging systems – Biden’s infrastructure bill is a big step towards fixing some of those issues, but it’s going to take a long time for the needed changes to be made.

The emergence of CyPhy

Aging, less-secure systems present a significant opportunity for bad actors. We’re seeing more and more attacks against critical infrastructure – from oil pipelines to municipal water supplies  and more. Almost every day we hear of another ransomware attack, and attacks against critical infrastructure can have far more dire consequences than monetary loss alone.

To strengthen defenses, organizations must converge their digital and physical security. It’s all about systems thinking. Think about  a doctor – they don’t diagnose a problem in insolation, they look at the whole person and determine if the condition is caused by stress, environmental factors, disease or so on. Without a whole perspective, organizations are just treating systems and are then puzzled when they can’t find the root cause.

It’s no longer an option to keep physical and digital systems separate; they must be treated as inseparable. What’s needed is more collaboration across the cybersecurity industry, critical infrastructure industries and the public sector. We need new training/education initiatives for the existing workforce and leadership that can bring fresh, innovative and creative ideas. We need stronger standards, regulations and compliance mandates with real legislation and policy changes to provide the funds that will tackle the high costs of building stronger infrastructure.

Strengthening vital security

The rise in ransomware attacks against critical infrastructure bears witness to the fact that the time for CyPhy security has arrived. It’s a nearly Herculean task to modernize legacy OT systems, but it’s no longer an option. Rethinking critical infrastructure is important, too (like burying power lines). New staffing solutions, including private/public partnerships, will also help organizations bring new levels of ability and security to this crucial sector.

Red Curry is chief marketing officer at Tautuk, coming most recently from RSA Security. Red has been a marketing leader with over 15 years inbound and outbound marketing experience in the cybersecurity and geospatial intelligence industries. Red has a passion for telling great stories helping companies attract visitors, convert leads, and close customers. Previously, Red worked as an SVP of marketing for two cybersecurity software startups and continues to work as a strategic advisor to investment companies in the cybersecurity space. He graduated with honors from University of Massachusetts with a dual degree in Fine Arts and Graphic/Web Design.

Subscribe to Industry Today