Test, test, test! The business importance of stress testing operational technology.
As the scale, nature, and complexity of cyberattacks continue to evolve, businesses cannot afford to be complacent with their cyber strategy if they want to remain secure. It is not news that hackers are turning to newer more sophisticated methods to target new sources to infiltrate. And with digital transformation and Internet of Things technologies continuously ramping up, there are even more connected technologies to target and even more opportunities for cybercriminals to strike.
For businesses that want to stay one step ahead and keep these associated risks at bay, a robust, agile, and adaptable approach is needed. We can no longer assume that having strong cybersecurity barriers in place is enough, we also need to assume and anticipate that things will go wrong. Indeed, cyberattacks have become the inevitable price we pay for doing business nowadays and something we cannot guarantee immunity from.
An era for resilience, not just security
As we move away from the notion that strong cybersecurity is the sole defense required, cyber resilience instead takes center stage. Cyber resilience has even become a key pillar of both the Ministry of Defence and the UK Government’s brand-new cyber strategies. In simple terms, businesses need to be realistic about the threats they face, and best prepare their cyber response for those inevitable breach attempts.
Perhaps one of the most important elements of building cyber resilience is stress testing, otherwise known as response exercising. This involves creating a simulation of a real threat scenario that could be encountered to determine the fragility of a system’s infrastructure and its ability to withstand negative impacts, such as cyberattacks.
This is an incredibly important exercise, especially when it comes to businesses that utilize operational technologies. For instance, businesses involved in logistics and manufacturing typically consist of processes that are tightly coupled and have critical external dependencies – which means many parts within a system rely on other parts (some external to the organization) to operate correctly, such as the supply chain. Therefore, while automation and emerging technologies create efficiencies and streamline production, they can also introduce considerable fragility within the system. This means as soon as one such element is disrupted the entire process or business is compromised. As a result, businesses cannot afford to be too reliant on single points of failure, or highly efficient solutions, should they be the target of a breach.
Regular stress testing situations – such as intentionally creating an error or simulating an attack on one of these interconnected environments – can test how prepared a business would be if the system were to face a real cyberattack. This is an extension of a well-known concept called ‘chaos engineering’, but within a security context.
We recommend that businesses take the following first steps to build critical cyber resilience within their own business’ operational technology…
1. Assess your dependencies
Businesses must first unpick and identify each and every critical dependency and interdependency within their business model, infrastructure, and operational technology. Once they know just how reliant they are on these external factors, businesses can develop a continuity plan and alternative supplies.
2. Undergo regular exercises
Run through threat scenarios by simulating attacks on your key dependencies and systems. This does not often require much effort and can have minimal disruption to operations, depending on the scenario, but the ROI is invaluable. Doing such practices at random also most accurately replicates realistic scenarios that strike without warning, and most accurately reflects a business’ true response to them. These exercises can take the form of tabletop pre-planned events all the way up to deploying test agents (such as Chaos Monkeys) to simulate real-world effects.
As with all exercises, it is better to build your maturity first before adopting any practices that actually interfere with operations.
3. Reflect on your performance
After each exercise, you can look back at how prepared the business was for that threat scenario and how resilient the ecosystem is when specific elements are compromised or shut down completely. The critical question at these points isn’t necessarily how the compromise occurred but rather how confidently they were able to respond, and what elements still require attention. This will ultimately empower businesses to know how to best offset the risks when they actually occur, enabling them to act quickly and confidently.
4. Adapt where you are weak or fragile
Once you know the pressure points within the system, and what elements caused unacceptable impacts when out of action, you can look to introduce additional resiliency measures and security controls where needed. These will enable your business to both lower the risk of compromise and strengthen the system’s and cybersecurity team’s ability to effectively respond to them.
5. Think beyond yourself
Remember, no business is a self-reliant, autonomous island that operates entirely on its own. All businesses are inherently linked to wider elements such as open-source software, and are reliant upon their vendors, suppliers, and IT service providers, amongst potentially dozens of other stakeholders. This interconnected system of systems necessitates businesses to start considering the overall cyber resilience of their supply chain, as any single-point failure within that chain can have a monumental knock-on effect if compromised.
6. Promote the cultural shift to cyber resilience
The shift from cybersecurity risk management to overall cyber resilience will require an evolution in business culture and priorities. Business leaders need to accept the almost inevitable likelihood of a breach attempt. With cyber resilience, businesses concern themselves with managing the associated impact of a cyberattack rather than just minimizing the chance of the incident occurring in the first place.
There is an added bonus to this change in mindset and culture. The most cyber resilient businesses are also often those businesses that are able to recognize change in the market and adapt, making them well placed to stay relevant and make the most of new opportunities – all while staying safe and secure.
