Securing critical infrastructure: Challenges and new approaches

With Industry 4.0 becoming a reality, operational infrastructure, which used a lot of electronic technology but were so far isolated from the rest of organizational IT, are now getting connected to IT. This opening up of closed infrastructure has exposed them to new threats—cyber threats that IT systems have been exposed to for years. How do organizations tackle this new risk—risks that could bring the entire operation of a plant or refinery to halt? Risk that could shut off the entire transport system of a city at one go?

And such risk is real.

Also Read: Securing the Digital Economy

A panel of expert CIOs from such industries tackle the issues concerning these new challenges, at the 9th Annual CSO Forum Conference in a discussion titled 'Cyber Security for Critical Infrastructure.' Moderated by R Giridhar, Group Editor, CIO&Leader and CSO Forum, the panel included Manish Anand, Corporate Vice President, Head - Information Technology Services/Operations at Max Life Insurance Company; Suhas Mhaskar, Head IT, Special Projects, Mahindra Group; Vipul Anand, Group CIO, Jindal Power & Steel Ltd; Keyur Desai, Chief Information Officer - Essar Ports & Shipping; and Jayant Gupta, DGM, IS, Hindustan Petroleum Corporation (HPCL).

They discussed a wide range of issues and challenges concerning security for critical infrastructure. Excerpts from the conversation...

R GIRIDHAR: What exactly are the new challenges we are talking about, concerning operational technologies and how are they different from traditional IT security challenges?

SUHAS MHASKAR: Very first thing that could happen is denial of service. Imagine if that happens in peak time in a city like Mumbai. We will have complete chaos. Imagine in the case of connected cars – the cars stopping suddenly.

JAYANT GUPTA: Yes, denial of services is the first possibility. Second, the mishap that could be caused by managing certain controls. We have seen that happening in case of Stuxnet. Our reading is that there are lots of cases where controls are being altered; the parameters are being altered. If you look at refinery, it has a cooling period. You simply cannot stop a refinery. If you want to do it today, you won't be able to. There is a cooling period. What if that period is not available? Someone just abruptly stops it. Those are the threats. Those are the extents to it can go.

VIPUL ANAND: We are India’s largest private power producer. Our power plant in Tamnar has a high level of IT and OT integration. We have taken adequate measures. But talking about threats, it is not the technology that is the challenge; it is the processes and the people that is the worry. If you are talking of an integrated manufacturing environment, all the OEMs have to upgrade and enhance their technology versions, which we call patches. And not just that, they have to integrate with your IT systems. There’s huge amount of process integration that is required. There is huge amount of technology integration. And in India, the biggest challenge is: Do we have the right amount of skilled people to do all this? Apart from all the challenges other panelists have mentioned, people and process are the biggest challenge. How you mitigate it varies from organization to organization.

R GIRIDHAR: As IS professionals, do we have adequate understanding of these challenges in OT?

KEYUR DESAI: Answer is yes and no. While we understand it from the vulnerability part, from an IT perspective, we often may not appreciate it on the OT side. We have managed to build a good relationship with IT and OT teams.

MANISH ANAND: Are we secure from these threats? No, we are not. Because most of our security initiatives are in silos. So, industry X could be secure. Y could be secure but together, they are not secure. Let me give an example from our industry. If there’s a claim that a person is no more, the claim is awarded. In a digital world, it will take me five minutes to prove that you don’t exist. And you get the claim.

R GIRIDHAR: So, what about from a national perspective? From the perspective of India as a country?

JAYANT GUPTA: From the government perspective, there’s a lot of push. The Home Ministry asked for an inventory of critical infrastructure. That was the very first thing. That was developed. The second aspect which was started about six months back around critical infrastructure is the CERT for every organization is being developed, specifically for the critical assets - pipelines, refineries and so on.

R GIRIDHAR: Is it only for the PSUs?

JAYANT GUPTA: For critical infrastructure inventory, yes, they are included.

R GIRIDHAR: What about the tools and technologies? Are the traditional tools adequate for tackling these threats? Often IT and OT are connected through software, apps, connectors...How secure are they?

VIPUL ANAND: The biggest challenge with integration is that both these set of systems and technologies are set up by different sets of people, often in different countries. In manufacturing, these automatic machines were manufactured years back. And they were procured years back. And your workforce has been working on them. And here comes Internet of Things (IoT); here comes Industry 4.0; and here comes your CEO and says we have to integrate it. Big challenge is change management issues. People do not allow you to change that. Once you overcome that, comes the real challenge: How do you integrate? Well, as far as tools and technologies, tools are available, open standards are available. But you have to do SIT – Systems Integration Testing. If you do not do proper integration testing, your plants and machinery are at risk of stop functioning, because of a wrong algorithm or a wrong parameter being created.

SUHAS MHASKAR: Well, not all of OT should get integrated. There are many watertight areas and there are air gaps. Even today, they exist. Our R&D network is completely isolated. We ask them to work on different machines when they communicate with the external world.

JAYANT GUPTA: One of the challenges that we faced earlier was the understanding of events that were getting generated in the OT side. We are very well aware of the events that get generated on the IT side. You cannot make head and tail of OT events unless there’s a person who understands itis sitting by your side. So, you have to have those teams with you.

MANISH ANAND: You talk of security only when you realize it is not there. I heard a financial services industry CEO saying ideally security should not have a budget. It should be free of budgets. You invest as and when it is needed.

R GIRIDHAR: That is a good thought. We do not hear many CEOs saying we give you unlimited budget. You talked of lack of skill, especially on the OT security side. So, what do you do?

VIPUL ANAND: We have had such people elsewhere but they are very costly. So, the best solution is to raise your own skilled manpower.

R GIRIDHAR: We also hear a lot about machine learning/AI in security. Anything interesting happening there?

MANISH ANAND: I come from digital forensic background. But in India, our approach is more reactive than proactive. So, that is mostly missing.

Roshe Run Kaishi