Announcing the launch of OT-specialist firm Secolve, founder and CEO Laith Shahin said Australian businesses were not immune to the growing number of OT cyber attacks globally, most recently a Snake ransomware attack on a US Honda manufacturing plant and a series of attacks on US power grids.
“Attacks on ICS are becoming increasingly organised, with nation states the biggest threat actors in the space. When we speak about ICS attacks, we are likely to be dealing with large enterprises with possibly millions of dollars in investments,” Shahin said.
Secolve will work with organisations to bridge the gap between security and OT, primarily focusing on industrial sectors such as mining, energy, manufacturing and utilities.
Shahin, deputy chair of the Australian Information Security Association Sydney branch, described Secolve as the next generation of cyber security, helping businesses to transition from legacy ICS systems to mature OT environments capable of withstanding increasingly sophisticated attacks.
“Australia’s OT security environment is relatively immature, with organisations often using proprietary operating systems that haven’t been subjected to security hardening or testing,” he said.
Many organisations also avoided assessing the security of their industrial control systems because of the impact it could have on the business in terms of downtime or unavailability of critical systems.
“When it comes to OT, the priority is all about uptime and availability in comparison to the CIA triad that governs IT environments. But not adequately investing in security is a false economy and the consequences can be catastrophic, not just financially but also through potential loss of life, particularly in heavy industry sectors. In fact, a new Gartner report predicts the financial impact of cyber attacks resulting in fatalities will be more than US$50 billion by 2023,” Shahin said.
The convergence of IT and OT environments has seen an escalation of attacks, with attackers gaining access to OT systems through compromised IT networks.
“In many instances there is little alignment between IT and OT. Secolve’s goal is to step in and fill the gap by working closely with OT teams to understand the environment, and then collaborating closely with IT teams to increase the cyber security maturity around the OT setting,” Shahin said.
In an Australian first, Secolve surveyed more than 2000 risk, compliance and security managers to measure awareness of and preparedness for cyber attacks. The results highlighted a lack of understanding of OT systems, even among those working in related areas, with just 17 per cent of 737 respondents with OT, IT and risk responsibilities confident in their knowledge of OT operations.
The survey also found many businesses were not actively testing or upgrading their OT systems:
- only one third of respondents with OT responsibilities said their business had implemented new OT technology in the last two years;
- just 31 per cent had used a third party to test their OT security; and
- one in 10 businesses hadn’t undertaken any reviews or updates in the last two years.
Shahin said he was not surprised by the results.
“Working in the consulting cyber security space with some of Australia’s leading organisations across manufacturing, water and energy really highlighted to me a lack of OT awareness, and was the inspiration for creating a stand-alone OT specialist like Secolve,” he said.