Test, test, test! The business importance of stress testing operational technology. 

As the scale, nature, and complexity of cyberattacks continue to evolve, businesses cannot afford to be complacent with their cyber strategy if they want to remain secure. It is not news that hackers are turning to newer more sophisticated methods to target new sources to infiltrate. And with digital transformation and Internet of Things technologies continuously ramping up, there are even more connected technologies to target and even more opportunities for cybercriminals to strike. 

For businesses that want to stay one step ahead and keep these associated risks at bay, a robust, agile, and adaptable approach is needed. We can no longer assume that having strong cybersecurity barriers in place is enough, we also need to assume and anticipate that things will go wrong. Indeed, cyberattacks have become the inevitable price we pay for doing business nowadays and something we cannot guarantee immunity from. 

An era for resilience, not just security

As we move away from the notion that strong cybersecurity is the sole defense required, cyber resilience instead takes center stage. Cyber resilience has even become a key pillar of both the Ministry of Defence and the UK Government’s brand-new cyber strategies. In simple terms, businesses need to be realistic about the threats they face, and best prepare their cyber response for those inevitable breach attempts. 

Perhaps one of the most important elements of building cyber resilience is stress testing, otherwise known as response exercising. This involves creating a simulation of a real threat scenario that could be encountered to determine the fragility of a system’s infrastructure and its ability to withstand negative impacts, such as cyberattacks. 

This is an incredibly important exercise, especially when it comes to businesses that utilize operational technologies. For instance, businesses involved in logistics and manufacturing typically consist of processes that are tightly coupled and have critical external dependencies – which means many parts within a system rely on other parts (some external to the organization) to operate correctly, such as the supply chain. Therefore, while automation and emerging technologies create efficiencies and streamline production, they can also introduce considerable fragility within the system. This means as soon as one such element is disrupted the entire process or business is compromised. As a result, businesses cannot afford to be too reliant on single points of failure, or highly efficient solutions, should they be the target of a breach. 

Regular stress testing situations – such as intentionally creating an error or simulating an attack on one of these interconnected environments – can test how prepared a business would be if the system were to face a real cyberattack. This is an extension of a well-known concept called ‘chaos engineering’, but within a security context. 

We recommend that businesses take the following first steps to build critical cyber resilience within their own business’ operational technology… 

1. Assess your dependencies

Businesses must first unpick and identify each and every critical dependency and interdependency within their business model, infrastructure, and operational technology. Once they know just how reliant they are on these external factors, businesses can develop a continuity plan and alternative supplies. 

2. Undergo regular exercises

Run through threat scenarios by simulating attacks on your key dependencies and systems. This does not often require much effort and can have minimal disruption to operations, depending on the scenario, but the ROI is invaluable. Doing such practices at random also most accurately replicates realistic scenarios that strike without warning, and most accurately reflects a business’ true response to them. These exercises can take the form of tabletop pre-planned events all the way up to deploying test agents (such as Chaos Monkeys) to simulate real-world effects. 

As with all exercises, it is better to build your maturity first before adopting any practices that actually interfere with operations. 

3. Reflect on your performance

After each exercise, you can look back at how prepared the business was for that threat scenario and how resilient the ecosystem is when specific elements are compromised or shut down completely. The critical question at these points isn’t necessarily how the compromise occurred but rather how confidently they were able to respond, and what elements still require attention. This will ultimately empower businesses to know how to best offset the risks when they actually occur, enabling them to act quickly and confidently. 

4. Adapt where you are weak or fragile

Once you know the pressure points within the system, and what elements caused unacceptable impacts when out of action, you can look to introduce additional resiliency measures and security controls where needed. These will enable your business to both lower the risk of compromise and strengthen the system’s and cybersecurity team’s ability to effectively respond to them. 

5. Think beyond yourself

Remember, no business is a self-reliant, autonomous island that operates entirely on its own. All businesses are inherently linked to wider elements such as open-source software, and are reliant upon their vendors, suppliers, and IT service providers, amongst potentially dozens of other stakeholders. This interconnected system of systems necessitates businesses to start considering the overall cyber resilience of their supply chain, as any single-point failure within that chain can have a monumental knock-on effect if compromised. 

6. Promote the cultural shift to cyber resilience

The shift from cybersecurity risk management to overall cyber resilience will require an evolution in business culture and priorities. Business leaders need to accept the almost inevitable likelihood of a breach attempt. With cyber resilience, businesses concern themselves with managing the associated impact of a cyberattack rather than just minimizing the chance of the incident occurring in the first place. 

There is an added bonus to this change in mindset and culture. The most cyber resilient businesses are also often those businesses that are able to recognize change in the market and adapt, making them well placed to stay relevant and make the most of new opportunities – all while staying safe and secure. 

Alex Tarter

Chief Cyber Consultant and CTO-Cyber at Thales

Unlock the Power of WiFi 6: How To Leverage It...

TBT Newsroom • 01st March 2023

Are you tired of being left behind in the technological world? Well, fear not! WiFi 6 is here to save the day and bring your business into the future. With unprecedented speeds and a host of new capabilities, WiFi 6 is the must-have technology for any business looking to stay ahead of the curve.

Sustainable Phones

TBT Newsroom • 04th May 2022

Cat phones (made by UK-based company Bullitt Group) are explicitly designed to be rugged, with devices built to last and have a longer lifespan. Industry Analyst firm Canalys notes that the current average lifecycle of smartphones in the mass market is approximately 37 months for iPhones and 33 months for Android devices.

From Credit Cards To Mobile Payment  

Ripsy Plaid • 27th April 2022

Plaid, the open finance data network, and payments platform have appointed Ripsy Bandourian as its first Head of Europe as it continues to rapidly expand across the continent. Based in Amsterdam, Ripsy will lead the business strategy and operations for Plaid’s Europe arm as it moves into its next stage of growth. 

How biometric technology can be used for remote proof of...

Chris Corfield • 08th April 2022

The pandemic has accelerated the adoption of digital financial services, driving organizations to speed up their transformation programs globally. Most banks, as well as pension providers, are still in the early stages of integrating technologies such as machine learning and artificial intelligence, and as the world continues to battle the long-term effects of COVID-19, the...