OT Under Greater Scrutiny in Global Cybersecurity Regulatory Environment
By Dr. Terence Liu, CEO, TXOne Networks
Highly publicized cyberattacks have focused governments globally on re-examining and bolstering their cybersecurity regulations and policies, and it’s not just information technology (IT) under heightened scrutiny. The Colonial Pipeline ransomware attack in the United States, the disruption of regional petroleum trading via attacks on refineries in Belgium and the Netherlands, and Russia’s cyberattack on the U.S. satellite company Viasat in the early stages of the invasion of Ukraine are among the events that have galvanized regulators’ attention on operational technology (OT).
Indeed, evidence of the intensified government regulatory focus on OT cybersecurity is found in markets worldwide, as agencies seek to thwart hackers in their targeting of urban power, water supply, corporate and personal data security and other critical resources.
United States
In the United States, for example, President Biden in 2021 signed both Executive Order 14028 “Improving National Cybersecurity,” which for the first time emphasized that protection and security must encompass both IT and OT, and the National Security Memorandum, which established a voluntary initiative to foster collaboration among the federal government and the critical infrastructure community in adopting minimum cybersecurity standards of industrial control systems (ICS) and OT.
The following year, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act, providing legal protections and guidance (e.g., cyber incidents must be reported within 72 hours; ransom payments, within 24 hours). Also in 2022, the U.S. Transportation Security Administration introduced performance-based directives to boost cybersecurity in the aviation, pipeline and rail sectors, as well as performance goals to illuminate the value of investing in cybersecurity.
The U.S. government, furthermore, passed a bipartisan law to encourage cybersecurity investment in the modernization of infrastructure, such as providing for stronger network protection in the expansion of the nation’s electric-vehicle charging stations. The same legislation introduced the first cybersecurity grant program for state, local and territorial governments to invest in digital security as high-speed Internet is rolled out to underserved areas of the nation.
European Union
A landmark moment in the regulation of EU cybersecurity management came in 2016: the announcement and implementation of the Security of Network and Information Systems (or “NIS Directive”). In response to increasingly serious cyber threats, the European Commission (EC) proposed the NIS 2 Directive, an amendment to address the new and future threat landscape and to align with the post-COVID-19 and 5G eras.
Critical infrastructure such as energy systems, medical networks and transportation services gets the majority of attention in the proposed upgrade. The scope of regulated objects in the NIS 2 Directive is expanded to include additional management agencies, such as district heating and cooling facilities, hydrogen energy-related agencies and government administrative departments. It also establishes a response center, “EU-CyCLONe,” to aid EU countries in monitoring and responding to cyberattacks.
Furthermore, in 2022, the EC proposed the Cyber Resilience Act (CRA) to boost cybersecurity of digital products and streamline the EU regulatory framework. Applying to all digital products directly or indirectly connected to another device or network (and stipulating potential penalties of up to €15,000,000 or 2.5% of a manufacturer’s global annual revenue), CRA could turn out to be one of the most significant EU cybersecurity laws.
Japan
Evolution of Japan’s National Security Strategy is in keeping with the rest of the world in its increasing emphasis on securing critical infrastructure and ICS. The version released in 2022 stresses the importance of boosting Japan’s response capabilities—to the vanguard of national competencies globally—in terms of safe and stable use of national cyberspace and especially key infrastructure.
The measures specifically outlined in the latest version of Japan’s National Security Strategy include:
- Creating a means to continuously assess the security of and manage vulnerabilities in government agency information systems
- Improving responses based on lessons learned from the most recent cyber threats
- Introducing “active cyber defense” to avert serious potential cyberattacks
- Enhancing cybersecurity information collection and analysis
- Establishing a network for public and private information sharing, detecting attacks and initiating countermeasures
- Reorganizing the National Cybersecurity Incident Preparedness and Strategy Center (NISC) to coordinate cybersecurity policy
- Aligning with other countries to strengthen information collection and analysis, attribution and publication and to develop international frameworks and rules
To the last point, Japan’s Ministry of Economy, Trade and Industry (METI) has struck agreements with the Ministry of Industry of the Republic of Indonesia, the Ministry of Industry of Thailand and the U.S. Department of Homeland Security to cooperate in areas such as ICS security.
Smart industrial safety is one of Japan’s primary areas of focus. The Industrial Cybersecurity Research Group was launched in 2017 to identify cybersecurity challenges faced by Japanese industry and to promote relevant policy responses. Furthermore, METI has established working groups and published guidelines for the cybersecurity and physical security of the country’s buildings and plant systems.
Conclusion
With varied threat research data confirming that OT-focused cyberattacks are growing more prevalent globally, OT cybersecurity awareness and adoption also are climbing. Regulations and standards are bringing consistency to both cybersecurity execution and quality across critical infrastructure and strategic, nation-sponsored industries.
The success of this effort also will depend on respecting the unique complexities of the OT world and developing a specialized approach, as opposed to merely adapting IT solutions for the operational environment. Proactive defense strategies such as supply-chain security, asset inspection, endpoint detection and threat intelligence, network segmentation, vulnerability management, patching and continuous monitoring undergirded with OT zero-trust solutions will be necessary for organizations everywhere to better avert or respond to OT cyberattacks and achieve the higher degree of cybersecurity that their national governments seek.
About the Author
Dr. Terence Liu is the chief executive officer of TXOne Networks, the leader of industrial cybersecurity. He started his career at Broadweb, where, as CEO, Terence defined and created the company’s Deep Packet Inspection products and business, winning numerous leading networking and security vendors as customers. Then, following its acquisition of Broadweb in 2013, Terence served as Trend Micro’s vice president. He led the company’s Network Threat Defense Technology Group, expanding the company’s footprint into the telecommunications network and extending protection for IoT devices and services from on-premises to the edge and the core. Since 2019, Terence has led TXOne Networks, which offers cybersecurity solutions that ensure the reliability and safety of ICS and OT environments through the OT zero trust methodology. TXOne Networks works together with both leading manufacturers and critical infrastructure operators to develop practical, operations-friendly approaches to cyber defense. Terence can be reached at https://www.linkedin.com/in/rongtai/ and https://www.txone.com/?utm_source=CyberDef.