The increasing attacks on operational technology (OT) systems have gotten serious enough that President Joe Biden took notice and brought together the Cybersecurity and Infrastructure Security Agency, the Environmental Protection Agency and private sector partners to better understand cyber threats against the industrial control systems that manage water treatment processes.
Malicious actors have found that they can manipulate these digitized systems with the possibility of damaging water infrastructure or even changing the way it’s treated to introduce harmful chemicals.
This was almost the case in February 2021, when attackers used remote access software to increase levels of sodium hydroxide at a public water treatment plant in Oldsmar, Florida. Thankfully, the plan was thwarted by a plant operator who caught the intrusion in just a few minutes. But that won’t always be the case.
The issue has global implications as well. In Ukraine, critical infrastructure is at risk from an attack by Russia or its allies. In fact, in a recent Harvard Business Review article, MIT Sloan Director of Cybersecurity Stuart Madnick said that given the interdependence of critical infrastructure sectors, “aggressive attack would likely knock down many sectors at the same time, magnifying the impact.”
Last year the U.S. government assessed that an increasing number of both countries and non-state actors have the capability to damage physical and digital critical infrastructure. Gartner predicted in a report that by 2025, cyber attackers will have weaponized OT environments to the point where they could successfully harm or kill humans. Attacks on OT are not only becoming more common but are also evolving. They are moving from process disruptions, like cutting power to a water treatment plant, to compromising OT in ways that can do a lot more physical damage, like cutting off water access to a population or changing processes to affect the safety of drinking water.
Since IT and OT networks are becoming increasingly interconnected, virtually any point of access or OT device can be targeted to attempt to gain entry to the IT network. And while attacks on OT systems were once limited to specialized and advanced threat actors, prepackaged capabilities are increasingly easy to buy, or even to rent, on the Dark Web.
Beyond that, many OT and IoT devices lack strong security and cannot be upgraded or patched, forcing organizations to be nimble and adopt methods such as virtual patching of such headless devices.
This could spell disaster for the federal government if it doesn’t deploy cyber tactics to combat risks in the vast, interconnected network of buildings and smart infrastructure.
That includes the use of deception technology to help agencies discover intruders and impede their movement. Deception technology is a strategy to attract cyber criminals away from an agency’s true assets and divert them to a decoy or trap. Using a layer of digital decoys and honeypots, deception technology helps conceal sensitive and critical assets behind a fabricated surface, which confuses and slows attackers while revealing their presence on the network.
Decoys mimic legitimate servers, applications and data so that the intruder is tricked into believing that they have successfully infiltrated and gained access to the enterprise’s most important assets when in reality they have not.
Studies also suggest that an agency can deploy deception technology selectively rather than universally and still reap much of the benefit, much as the presence of a home security sign affects whether a would-be burglar decides to break in and how they proceed, even if the home doesn’t actually have an alarm system.
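The detection idea behind the decoys described above, as an added example that is not part of the original article: because no legitimate system has a reason to talk to a decoy, any flow that reaches one is treated as an alert, and the flagged source's other traffic is pulled for scoping. The flow record format, addresses and decoy names are constructed for illustration.

```python
import ipaddress

# Constructed inventory: a few hypothetical decoys seeded among real OT assets
# (selective deployment, not one decoy per asset).
DECOYS = {
    "10.20.0.50": "decoy-hmi",
    "10.20.0.51": "decoy-historian",
}

# Constructed flow records, one per line: "timestamp src dst dst_port".
# Port 502 is Modbus/TCP, common on OT networks.
SAMPLE_FLOWS = """\
2024-01-01T10:00:01 10.20.0.12 10.20.0.5 502
2024-01-01T10:00:03 10.10.4.77 10.20.0.50 502
2024-01-01T10:00:04 10.10.4.77 10.20.0.51 443
2024-01-01T10:00:09 10.20.0.12 10.20.0.6 502
2024-01-01T10:00:15 10.10.4.77 10.20.0.5 502
malformed line
"""

def parse_flow(line):
    """Return (ts, src, dst, port), or None for a record that does not parse."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, dst, port = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return ts, src, dst, int(port)
    except ValueError:
        return None

def find_decoy_touches(flow_text, decoys=DECOYS):
    """Map each source that contacted a decoy to what it touched and when."""
    flows = [f for f in map(parse_flow, flow_text.splitlines()) if f]
    touched = {}
    for ts, src, dst, port in flows:
        if dst in decoys:
            entry = touched.setdefault(
                src, {"first_seen": ts, "decoys": [], "real_targets": []})
            entry["decoys"].append((decoys[dst], port))
    # Second pass: real assets the flagged sources also contacted, so
    # responders can scope possible impact beyond the decoys.
    for ts, src, dst, port in flows:
        if src in touched and dst not in decoys:
            touched[src]["real_targets"].append((dst, port))
    return touched

if __name__ == "__main__":
    for src, info in find_decoy_touches(SAMPLE_FLOWS).items():
        print(src, info)
```
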
A connected federal government, with smart buildings and integrated IT-OT that make it easier to deliver citizen services, will be transformational. But with that transformation comes a host of security issues that need to be addressed every step of the way. These buildings don’t just hold public and personal information; they will also be filled with interconnected OT systems that, if manipulated, can cause damage ranging from data loss to putting lives at risk. The General Services Administration must take this into account as it plans and begins to execute on connecting federal buildings with smart technology.