The oil industry is still reeling from the recent Colonial Pipeline cyber attack. According to media reports, a ransomware attack by a hacker group shut down the pipeline. A week after the attack, 7% of gas stations in Virginia are still without fuel.
CEOs and management of critical infrastructure and physical assets need to take stock before they find themselves reading about their companies in the news for bad reasons. What can they do right now?
IT is Not the Same as OT
IT departments are responsible for computer networks. OT refers to operational technology – physical assets (as opposed to computer files which are the realm of IT). Critical infrastructure, cars and factories require an OT department with professionals who are trained to protect, detect and respond to cyber attacks on physical assets.
IT departments aren’t going anywhere. Companies that have both digital and physical assets need IT and OT departments in order to manage and protect company assets and avoid cyber attacks. Hire OT professionals now.
Review Cybersecurity Policies, Processes and Playbooks
Initiate a review of your company’s cybersecurity policies. Get management onboard to support these efforts and go over everything – from basic login rules to who has access to what. Try tempting your employees with a test phishing email and use it as a lesson so they know how to identify suspicious emails.
Look for common Achilles’ heels such as third party software. Cyber attackers often enter a company’s computer system via under-protected software, and make “lateral movement” (hopscotch or jumping) to other systems. Review outside people and vendors who have access to your company’s crown jewels.
Software and operating systems often have default privileges that are out of sync – much higher – than what is required. What access are new users given by your company’s IT systems? What access do outside parties receive when they create a new account?
Hire Penetration Testers
One of the keys to success in business is knowing when to hire outside help. We do this in our personal lives when we hire or go to accountants, attorneys and medical professionals for things that we wouldn’t dare do on our own. The same goes for cybersecurity.
Hire an outside team of penetration testers who are trained to look for vulnerabilities in your industry. Pen testers (as they are often called) are “good guy hackers” who help companies discover IT and OT weaknesses before hackers find them. As in many other aspects of our lives, the earlier you discover a problem, the easier it is to mend, fix and move on.
The latest cyber attacks on oil pipelines and physical assets are unfortunately just the beginning. Hackers are learning that attacking the physical world can cause a lot more damage than “merely” hacking bits and bytes. Factories, airplanes, cars, supply chain and all things “real world” are targets for hackers. The time to learn about OT cybersecurity and prepare is now.