Increasing mandates to digitize critical infrastructure among companies are creating a greater potential for cyber risk. The key reason, according to Deloitte’s OT Cybersecurity Strategy report from this month, is that operational technologies (OT) are still largely based on obsolete software platforms, and integrating them with companies’ information technology (IT) infrastructure compounds the cyber security vulnerabilities in critical equipment.
Targeted cyber attacks on the Indian power sector’s load despatch units in July 2021 are prime examples of the kind of threat these security vulnerabilities represent. During these attacks, four out of five load despatch units operated by the Power System Operation Corporation under the Indian government’s Ministry of Power came under cyber attack, suspected to have been the work of state-backed cyber criminals from China.
Data from the National Critical Information Infrastructure Protection Centre (NCIIPC)’s Responsible Vulnerability Disclosure Programme for Q3 2021 stated that, as of that quarter, a total of 3,913 vulnerabilities in critical infrastructure had been reported.
“Use of legacy systems, lack of proper network segmentation, absence of robust governance, security policies and monitoring, and unsecured remote access are leading to increased cyber vulnerabilities,” the Deloitte report said.
Santosh Jinugu, executive director of Deloitte India, told TechCircle that one key reason OT security is complicated is the longevity of OT infrastructure. “Company OT infrastructure typically have long lifespans. When they are connected to a company’s IT infrastructure, it could make maintaining their security standards a complicated affair,” he said.
OT infrastructure refers to the physical infrastructure of a company: the core operational equipment that it owns. With increasing digitisation initiatives, core OT infrastructure such as that of power grids, oil rigs and major manufacturers is being connected to the IT infrastructure of companies.
“It’s not that companies have been careless in their adoption of Industry 4.0. But, the security threat that comes with digitising legacy infrastructure is definitely there,” Jinugu added.
Multiple reports have corroborated this. For instance, a report by civil body CyberPeace Foundation published in April this year said that between October 2021 and April, the Indian oil and gas sector faced over 3.6 lakh cyber attacks. The attack on government-owned hydrocarbon producer Oil India Limited (OIL), which also occurred last month, is a clear example, with hackers reportedly demanding $7.5 million in a ransomware attack.
OIL, in response, stated that no damage to critical infrastructure took place as a result of this attack, and necessary precautions had been taken.
While such vulnerabilities in OT infrastructure threaten to put public services at risk, cyber security experts state that the errors are often avoidable. The latest half-yearly report by US-based cyber security firm Nozomi Networks, which specialises in OT security services, stated, “Too often, overburdened security teams allow human error to compromise even the most advanced defences with weak passwords, misconfigured networks and devices, or social engineering. Many ransomware attacks begin with a naïve user clicking on a malicious email link, in an otherwise well-defended network.”
Jinugu also added that the lack of enough skilled cyber security professionals is a key reason behind such errors. “Companies are increasingly looking at specialists to cater to their needs, and are also hiring, but there is a clear demand for such professionals across industries,” he said.