Cyber security month spotlight: Safeguarding critical infrastructure in the age of technology disruptions
Auke Huistra
Service Area Director Industrial and OT Security DNV Cyber | OT Cyber Security | Risk management | NIS2 | Workforce Development
“Be smarter than a hacker” – that’s the theme chosen for this year’s European Cybersecurity Month (ECSM), an annual event sponsored by the EU Agency for Cybersecurity (ENISA) that aims to promote cyber security awareness throughout businesses and society.
Historically, OT networks have been self-contained – that is, deliberately kept separate from IT networks. This isolation is advantageous from a cyber security perspective, as it makes the networks in question less vulnerable to outside incursions. But it also prevents networks from taking advantage of the increased efficiency and savings that emerging technologies such as artificial intelligence, machine learning and cloud computing can offer.
This opportunity for raising efficiency levels and lowering costs has been compelling enough to convince many OT operators to adopt such technologies. This has created new risks, in that it necessarily involves connecting these domains to the outside world.
Even so, new technologies can also be used to ramp up security levels. OT operators can, for example, use machine learning to sift through data streams to identify the structural or behavioral patterns that make their networks more vulnerable.
New tools create new capabilities and new vulnerabilities
This push/pull dynamic looks set to remain in place as technology continues to evolve.
In September 2023, for example, US-based Honeywell incorporated quantum computing into the security features of products used by utilities. Specifically, quantum computing-hardened encryption keys were embedded into smart meters that monitor water, electricity and natural gas consumption. The goal is to establish a new high-water mark for guarding against cybersecurity breaches and ensuring that critical infrastructure organisations can provide services to the public without interruption.
At the same time, though, quantum computing has the potential to become a double-edged sword, as IBM predicted already in 2018. The US-based giant pointed out in a whitepaper published that year that quantum computing systems would not only have more power than their conventional counterparts to identify and repel cyber attacks but also more power to solve the math problems that underlie many existing approaches to encryption.
Quantum computing has the potential to help critical infrastructure providers and other organisations, for example, to overcome the problem of how to store and process the massive amounts of data they are now using to optimise operations, but on the other hand, it could inspire malicious actors to harvest encrypted data now in the expectation that quantum computing could break the encryption later.
Take action today to prepare for the threats of tomorrow
Clearly, advances in technology will continue to create new opportunities for both sides. OT operators have already gained access to new tools that can heighten security levels, while malicious actors have also gained access to new tools that are more capable of exploiting vulnerabilities – and they will continue to do so as more powerful technologies such as quantum computing emerge.
Under these circumstances, it’s all the more crucial that critical infrastructure providers take action today to prepare for the threats of tomorrow. It’s not just individuals and employees with access to IT networks who need to “be smarter than a hacker,” in line with the ECSM slogan; it’s also OT operators and employees with access to industrial control systems (ICS) and other connected devices.
Strengthening our collective commitment to safeguarding society
Having a dedicated cyber security month brings the community together to forge a collective understanding of the challenges and opportunities that lie ahead. An array of resources is made available throughout different sectors, levels and disciplines, inviting reflection and empowering action.
We, for example, plan to elaborate on some of these points at The Nightwatch, our annual OT security gathering to be hosted in Amsterdam on November 9, 2023. But attendees won’t just be hearing from Applied Risk. The event also features a line-up of expert guest speakers with high-level insight and experience in critical infrastructure operations and security, and we look forward to hearing their take on the incorporation of new and emerging technologies into OT networks.
An additional resource to help turn awareness into cyber resilience is our OT cyber security programme series. In four publications, we walk through the important stages to implement a sustainable OT security programme – from the first idea and planning phase, to design, implementation, and long-term maintenance.
In other words, cyber security month reminds us to strive for heightened levels of awareness. Together, by fostering a culture of vigilance and collaboration, we are better equipped to face the ever-evolving cyber landscape and protect our critical infrastructure.
Senior Managing Director
1 year Auke Huistra Very informative. Thanks for sharing.