Sithembile Songo, Group Head: Information Security, Eskom, discusses key cybersecurity challenges unique to a national grid supplier, the fundamental elements of a successful cybersecurity framework, creating a strong cybersecurity culture within an organisation and how breaking down silos between IT and OT departments is critical.
What are the key cybersecurity challenges unique to managing a national grid supplier?
Digitalisation and connectedness of industrial environments is opening business opportunities and enhancing operational efficiency. This rapid modernisation and complexity of interconnected systems has expanded the attack surface, opening more entry points for cybercriminals and exposing organisations to cyberattacks that can counterpoise the benefits.
This surge in digitalisation has also exponentially increased the importance of cybersecurity, making it imperative to revise the cybersecurity strategy and uplift the cybersecurity posture to address the growing digital criminal activity.
National grids rely on operational technology, OT that was not designed with security in mind. These OT systems are used to monitor events, processes and devices of industrial operations. The lifecycle of OT last longer than that of IT systems, sometimes ranging between 15 to 20 years as compared to an average of five years IT systems life span. This can present the inability to implement controls that rely on modern technologies.
To mitigate this risk the Encapsulation Principle can be applied when an upgrade is not possible. This is where a new intermediate secure technology is introduced to interact with business applications. Thereafter, system hardening can be practiced together with a tightening of usage procedures. Legacy systems should also be placed behind other layers of defence.
The necessity of increased convergence of OT with the traditional IT environment is leading to additional inherent vulnerabilities, which are doubling every year. Secure design of IT-OT convergence is therefore crucial and should include cybersecurity from the beginning and evolved through every stage.
The process of IT/OT convergence involves merging the two environments to exchange and distribute data that could enhance the value and enterprise supply chains through Digital Transformation. For instance, a benefit of this convergence within the energy sector could be for the better planning of energy delivery through smart meters where real-time data of consumption can allow precise supply of power in real-time, especially in situations where demand is higher than supply.
Households that reduce power below certain levels can benefit from having a constant supply of power, to run essential systems such as lights and critical low power appliances during their load-shedding phase without being subjected to a total black-out or power cut.
As is evident, this convergence enables Industry 4.0 by turning automation functions to Internet of Things through connectivity to business processes and applications. While these benefits are positive, there may be challenges faced with the implementation of IT/OT convergence due to either obsolete technologies being used in OT environments or the slow adoption of more recent advanced technologies that are often quickly deployed in IT environments.
These challenges are mainly driven by differences in objectives when it comes to the application of cybersecurity within the two environments; IT is driven mainly by security of the systems while OT is driven by the safety and availability of the systems. Furthermore, IT can afford planned downtime to apply the required patches or software updates, however the OT systems need to operate around the clock to avoid business impact.
According to a recent study done by Microsoft, 75% of the OT systems /ICS devices are unpatched and feature high severity vulnerabilities. The Redundancy Principle of designing systems with replicated components, operating in parallel, so that the system can continue to operate despite errors or excessive loads could be applied with strong procedures to perform online upgrading and testing.
A 2023 global survey on OT cybersecurity leadership confirms that protecting critical operational assets is a paramount priority for organisations, driven by the rapidly evolving cyberthreat landscape and an increase in OT security breach incidents.
Ransomware attacks are still prevalent. 2023 was an exceptionally active period for ransomware groups, posing significant threats to industrial organisations. A report by McKinsey shows that OT cyber-events have increased by 140% from 2020 to 2021. Of those events, 35% sustained physical damage with an estimated impact of US$140 million per incident.
Supply chain risks due to too much dependency on the OEMs (Original Equipment Manufacturer) also increase the risk hence a need for an effective third-party security management programme. Cloud providers are also targeted as part of a supply chain attack, a compromised provider increases the attacker’s gain by compromising multiple victims at once.
IEC 62443 addresses security considerations throughout the supply chain of industrial products. A secure supply chain reduces the risk of compromised or counterfeit products. This helps to ensure the integrity and reliability of goods traded between countries.
As a seasoned CISO, what overarching strategies do you recommend for effectively managing cybersecurity risks within critical infrastructure environments?
A risk-based cybersecurity strategy that uses a defence-in-depth holistic approach which includes governance, technology, training, collaboration and continuous improvement should be adopted. The strategy should opt for more proactive cybersecurity measures in order to maximise ROI, shifting investment into capabilities that continuously improve cyber-resilience and demonstrate cyber-risk reduction.
It should also ensure that digital technologies, systems, applications and IT-OT convergence is designed with security in mind and should include information security throughout the life cycle. Information security should not be retrofitted as this can be costly and may prevent the proper controls from being implemented in the future that can compromise security.
Breaking down silos between IT and OT departments is fundamental, a mutual relationship of trust must be formed, and the concept of separate isolated environments should be discouraged. Silos can lead to security oversights that can increase complexity, duplicate efforts, increase operating costs and expose security flaws which can be exploited by cybercriminals.
In your experience, what are the fundamental elements of a successful cybersecurity framework that can be applied across various industries to protect against evolving cyberthreats?
A defence-in-depth strategy is fundamental. Digital assets visibility and protection is paramount since it is not possible to protect what you do not know. Identifying potential malicious activities in the early phases of the cyber kill chain through real time detection and response, leveraging AI and Machine Learning is very effective.
It also enables organisations to defend against AI enabled cyberattacks. Applying the basics is still very important and building a cybersecurity framework on a foundation of layers of defence which are based applicable standards, such as ISO-series, NIST, CIS.
A combination of IT and OT security standards are key in protecting critical environments, such as:
NIST or ISO/IEC 27000 series for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS)
ISO/IEC 19249 – catalogue of architectural and design principles that should be used to foster the secure implementation of convergence. These also help in addressing the balance between functionality and security
IEC 62443 – designed for the cybersecurity of industrial automation and control systems (IACS) which provides guidelines for implementing robust security measures in sectors such as manufacturing, energy and transport
Applications using Purdue Model – defines the best practices for the relationship between Industrial Control Systems and the Business Networks i.e., between IT and OT
How can CISOs succeed in fostering a culture of cybersecurity awareness among employees at all levels of an organisation?
A sustainable security culture requires care and feeding. It is not something that develops naturally, it requires nurturing, relevant investments. It is bigger than just ad-hoc events. When a security culture is sustainable, it transforms security from ad-hoc events into a lifecycle that generates security returns forever.
A CISO and team should engage and encourage employees at all levels to participate in a security culture that is co-created, enjoyable and value-adding. Furthermore, for people to invest their time and effort, they need to understand what they will get in return. In other words, it should provide a return on investment, such as improving a business solution, mitigating risks associated with cyberbreaches.
Culture change can either be driven from the top or be a bottom-up approach, depending on the composition and culture of the organisation. A bottom-up approach rollout allows engaged parties to feel they are defining the way forward rather than participating in a large prescriptive corporate program, while support from the top helps to validate the change, regardless of how it is delivered.
In particular, a top-down mandate helps to break down barriers between various business functions, as well as being one of the few ways to reach beyond the technical teams and extend throughout the business.
CISOs can co-create a strong cybersecurity culture through the following:
• Senior leadership support from the board and executive committee that echo the importance of cybersecurity within the organisation
• Define a security awareness strategy and programme, including the Key Performance Indicators (KPIs)
• Targeted awareness campaigns which segment staff based on risk. Grouping users by risk allows for messages and the frequency of messages to be tailored to the user group
• A cybersecurity champion programme which allows for a group of users embedded in the organisation to drive the security message
• Usage of various mediums to accommodate different types of people who learn differently
• Employees are always encouraged to report cybersecurity incidents and they know where and how to report incidents
• Creating an organisational culture where people are encouraged to report mistakes could be the difference between containing a cyber-incident or not
• Measurements to test effectiveness: This is often done with phishing simulations
• Employees have a clear understanding of what is acceptable verses what is not acceptable
• Information security becomes a shared responsibility instead of the CISO’s sole responsibility
How should CISOs approach the selection of cybersecurity technologies and solutions and what criteria should they adopt?
Selecting the right cybersecurity technologies and solutions is crucial to building an effective cyberdefence against the evolving cyberthreat landscape and sophisticated cyberattacks. The CISO should define a formal solution selection framework, including a guideline for a selection criterion, using cybersecurity outcome-driven metrics to steer investment. This approach will assist in making the right investment that balances the needs to protect with the needs to run their business.
The framework should include assessment of the business needs and objectives, how cybersecurity can support these goals leveraging on relevant security best practise frameworks, regulatory frameworks requirements and legal requirements. Embedding security throughout the solution life cycle is also very essential. IEC 62443 addresses security considerations throughout the supply chain of industrial products.
What is the best way for CISOs to stay up to date with emerging cyberthreats and trends?
CISOs should evolve beyond just the threat intelligence sharing to joint collaboration, build a network of data across Africa or globally to cyber and energy sector communities. They should also rely on building partnerships with the relevant communities, regulators, OT industry bodies and other relevant agencies.
Click below to share this article