THOUGH cyber security experts have long warned of the threats to nations’ critical infrastructure, recent incidents are now opening the eyes of business and political leaders to the ecosystem risks of the world’s connected utility networks, power grids and other essential services.
Plugging these security gaps will require collaborative strategies—both ‘inside’ and ‘beyond the box’—among business, governments and the tech sector, to try to remedy ecosystem weaknesses that could cause massive disruption, financial damage or loss of life.
Overlooked ecosystem risks
WHILE industry and governments have invested heavily in cyber security—building cyber ‘walls’ around internal company networks and legislating national security guidelines for domestic industries—less attention is paid to the risks posed ‘outside the box’, by the growing web of interconnected infrastructure.
Recent headlines are jarring, including images of shuttered gas stations and grounded airliners after a ransomware attack on a major U.S. pipeline company. Similarly, news bulletins described how patient treatments were suspended in Irish hospitals after a crippling hack on the national health system. Suddenly, it’s clear how a single attack on a seemingly isolated computer system can spill across an entire supply chain or disrupt vital public services.
For business or political leaders who are now asking, ‘How could this happen?’, part of the answer lies in the adoption of IT functionality across industry’s operational environments. Many infrastructure operators have embraced IT innovation to better manage their operations and reduce costs, including remote operating capability so a company production asset can be managed from a central location or even remotely (anywhere, anytime).
Such innovation can bring significant benefits; however, it has often challenged Operations Technology teams, who were focused on physical protection of assets, rather than emerging, external cyber risks. Although many business systems are vigilantly guarded against cyber threats, operational systems haven’t always enjoyed the same security scrutiny. And, with the rise of interconnectivity between a company, its customers, suppliers, and even government partners, cyber threats can arrive from many sources—and spark unexpected consequences, near and far.
More effort, inside the box
DESPITE efforts by leading companies to protect their systems, there is still much work to be done by many organizations. In my view, many high-profile ransomware attacks could have been avoided or at least reduced. And, many companies are still not meeting a minimum level of cyber security to fend off such attacks.
Segmentation of a company’s distributed network would reduce the risks, since firewall separations between key areas would make it easy to shut down and isolate a cyber hack. We must also ask whether companies are investing enough to keep their operational environments up to date and address the costs of replacing legacy systems; whether the avoidance of scheduled maintenance shutdowns that could impact production has led to issues; or if companies should do more to ‘push’ their technology vendors to deliver adequate updates to aging industrial systems. Whatever the answer is to these questions, it seems that many operational systems languish with outdated functionality and lack much-needed security upgrades.
Also, an enduring ‘people culture’ within many organizations can stall their cyber security efforts. While operations teams may lack cyber-savvy, the issue may originate at the supervisory and executive board level, where leaders are not familiar with their own operational assets and do not understand their ecosystem dependencies. This culture may extend to front-line employees who aren’t adequately trained on basic “Don’t click the link” cyber-safe practices, and who aren’t encouraged to report operational issues or glitches that create vulnerabilities to future cyber-attacks.
The excerpt was taken from KPMG in the Netherlands Partner Ronald Heil’s blog post entitled “Cyber Security Gaps in Infrastructure.”
© 2021 R.G. Manabat & Co., a Philippine partnership and a member-firm of the KPMG global organization of independent member-firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.
1 comment
Great article! The idea to not only invest in the IT but also to train the employees on the basics of preventing cyber hacks does help. But what I didn’t understand is the ‘inside the box’ and ‘outside the box’ terms. May I know what sources come into these categories?
Thank you
– A student from EC Council University