The primary goal of OT cyber risk management is to ensure OT cyber incidents do not have an unacceptable impact on the business, customers and community. A secondary goal is to reduce, and ideally eliminate, the frequency of OT cyber incidents overall. It is clear that 2021 has been another year of success in achieving these goals, hoping not to jinx things with 10 days left, and acknowledging that this is due in large part to attackers’ restraint and easier money elsewhere.
This continues a string of successful years from a results standpoint, a string now stretching over two decades. Even the two most high profile attacks in the US cannot be viewed as OT cyber risk management failures.
- Oldsmar Water Supply Attack – the attacker did find a glaring security failure, gain access to an HMI and issue a command to poison the water supply. It failed. It was caught early and reversed, and even if it had not been, it would have been stopped in multiple places by control limitations and safety measures. Oldsmar’s customers were not at risk and suffered no disruption.
- Colonial Pipeline Ransomware – based on all public information, the ICS and OT were not compromised. This was a failure on the corporate network. Colonial Pipeline was required by the US government to restore pipeline operations in seven days; they did it in six. This should give asset owners pause about putting systems required to operate the ICS on the corporate network, and about what the recovery time objective (RTO) of these systems needs to be. It should also have the US Government planning what it would do if a key system like this were down for a month or more. However, we cannot say that Colonial Pipeline demonstrated inadequate ICS or OT cyber security.
There were a number of other outages in manufacturing, water, building automation, hospitals and other ICS, primarily caused by ransomware, and primarily ransomware on the corporate network. A small number of OT cyber incidents were made public, and I have no doubt that Dragos, Mandiant and other companies doing OT incident response saw a larger number of actual OT cyber incidents in 2021. These are very small blips among the incidents and events that caused large consequences in 2021. This perspective is important.
People, companies and governments dealt with the massive impact of Covid again in 2021. Not potential impact, not feared impact, actual massive impact. I’m impressed that, given the ongoing Covid impact, companies have had the bandwidth and foresight to continue to address OT cyber risk.
Covid, labor shortages and international relations have caused a real and significant supply chain impact for many sectors and companies. Again, this is not a possible impact. It’s real and needs to be dealt with for many companies’ survival. So have labor shortages. And now some are dealing with real inflationary impact on their business.
This does not mean we should stop pushing for improved OT and ICS security. My incessant talk on insecure by design and grousing on other items should make clear that I believe there is much that needs to be done. Looking at 2021 with perspective, a lack of OT and ICS security was not a large contributor to incidents that negatively impacted people, companies and communities. This is a good thing, and I hope a combination of attacker caution, luck and the ICS security community’s good work will make this true again in 2022.