At the forefront of OT and IoT Cybersecurity, Edgard Capdevielle and the team at Nozomi Networks are helping build a secure future for the world’s industrial and critical infrastructure.
Nozomi Networks solutions support more than 57 million devices in thousands of installations across energy, manufacturing, mining, transportation, utilities, building automation, smart cities and critical infrastructure. Nozomi Networks makes it possible to tackle escalating cyber risks to operational networks while accelerating digital transformation by providing exceptional network visibility, threat detection and operational insight for OT and IoT environments.
M.R. Rangaswami: Critical infrastructure cybersecurity is in the public spotlight. Beyond the obvious, what’s driving this keen interest?
Edgard Capdevielle: 2021 was a monumental year for cyber-attacks on industrial and critical infrastructure: SolarWinds, Colonial Pipeline, Oldsmar Water, the JBS meat plant attack, and hospital attacks, among many others. In a very short time, we moved from theoretical conversations about the cyber risk to critical infrastructure to a series of real-world scenarios that not only impacted the bottom line but could be felt by everyday citizens.
So far this year, the threat has only increased. Cyber criminals have doubled down on high value targets and the United States and other governments are stepping up efforts aimed at shoring up cyber defenses for electric utilities, transportation, water systems and other critical infrastructure.
Put simply, as industrial organizations have ramped up IT and OT connectivity to accelerate digital transformation, modernize business processes and support new remote work scenarios, their security postures haven’t kept up, and cyber criminals have taken notice. Over the last 12 to 24 months we’ve seen threat actors weaponize the software supply chain, and ransomware attacks are growing in number, sophistication and persistence. Nation-state threats are also on the rise, and the current Russia-Ukraine conflict is taking cyber warfare tactics to levels never before seen.
M.R.: So, just how secure or insecure are our operational networks today – what are the biggest threats?
Edgard: The public and private sectors are stepping up efforts to strengthen the cybersecurity of operational networks, and organizations are beginning to mature their cybersecurity postures. Still, most operational networks are woefully unprepared and highly vulnerable to attack. A recent Nozomi Networks-sponsored SANS ICS Cybersecurity survey found 70% of respondents rated the risk to their OT environments as high or severe. Ransomware and financially motivated cybercrimes topped the list of threat vectors (54.2%), followed by nation-state-sponsored cyberattacks (43.1%) and unprotected IoT devices and things added to the network (31.3%). In general, external connections are the dominant access vector (49%), with remote access services identified as the most prevalent reported initial access vector for incidents (36.7%).
As technology matures and evolves, cybercriminals do too. In fact, they’ve outpaced their victims in that regard. There are three fundamental reasons we’ve gone from spotting an occasional headline about a major cyberattack to seeing them virtually every week:
- Many critical infrastructure companies and industries starting their digital transformation journey are already way behind their “digitally transformed” counterparts when it comes to investing in IT
- Those early in their journey are investing in cybersecurity at a lower rate as a proportion of IT spending
- They don’t have a post-breach mindset: Unless a breach happens, they delay the needed prioritization of security investments rather than preparing early on to prevent a breach before it happens
The reality is a perfect storm has been brewing for years around operational security. It has as much to do with what businesses and critical infrastructure companies aren’t doing as it does with what hackers are doing.
M.R.: What can we expect in the future for critical infrastructure and its required security?
Edgard: We are at an important inflection point and efforts to improve defenses are accelerating. It’s an exciting time to be in OT and IoT security. Government guidelines, mandates, and legislation in combination with self-governance at the sector level are helping establish and enforce a standard baseline for critical infrastructure cybersecurity. Public and private sector efforts are beginning to shift the landscape — thanks in part to the significant progress made by Jen Easterly to establish CISA as the central point of collaboration and coordination across the infosec community.
On the tech side, Zero Trust is becoming a more strategic discussion in OT cybersecurity as organizations evolve their security frameworks to address a new reality of distributed architectures and IoT. Zero Trust policies will begin to address device restrictions and insecure-by-design PLCs, IoT sensors and controllers. At a minimum, OT cybersecurity vendors will have to address visibility and adherence to Zero Trust policies across all OT and IoT devices. This will transform an evolving Purdue model to a more intentional adoption of Zero Trust.
With the massive adoption of IoT devices, and as IT and OT borders blur, the attack surface is only getting larger. 5G will begin to make it possible to connect the previously unconnected and will drive even more devices into the network. In turn, we’ll see new risks to critical infrastructure and ICS. While cloud adoption will not be universal in OT environments, for many, cloud-based cybersecurity solutions will make their way into the mix as CISOs and security professionals look for ways to build and quickly scale cybersecurity enterprise-wide. Expect more organizations to abandon siloed security strategies and adopt hyper-converged solutions that can effectively bridge IT, OT and IoT toward fully addressing cyber-physical risks.
Cyber threats will continue to grow and evolve, but defenders will catch up. Last year we turned an important corner. The threat scenarios we’ve discussed for years – and even ones we hadn’t – became real. At the same time, IT and OT organizations have continued to come together and grow stronger. So has their perspective and approach to cybersecurity. Today industrial and critical infrastructure cybersecurity is a top priority that in more and more cases is demanding – and receiving – the resources it needs for success. The private and public sectors – and even the vendor community – are joining forces to help the cause. Building a secure future for critical infrastructure is a daunting task, but based on our experiences with hundreds of customers, partners and peers around the world, our global defenders are up for the task.
M.R. Rangaswami is the Co-Founder of Sandhill.com.