"COLUMN: Test and Verify That Cybersecurity Products Can Protect Critical Infrastructure"
Vergle Gipson, Senior Advisor for the Idaho National Laboratory's (INL) Cybercore Integration Center, recently testified before the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation. He concluded that Operational Technology (OT) systems in the US are more vulnerable to malicious cyberattacks than Information Technology (IT), which is concerning given that much of the world's critical infrastructure has been the target of cyberattacks. On a global scale, there have been many attempted cyberattacks on grids and utilities, many of which have been successful, using phishing and ransomware. Cyberattacks on critical infrastructure is cited as a top concern in the World Economic Forum's Global Risks Report. Attacks on critical infrastructure have become the new normal in sectors such as energy, healthcare, and transportation, according to the World Economic Forum. Among critical infrastructures, the energy sector stands out as particularly vulnerable. Power plants, utilities, nuclear plants, and the grid are all part of the energy ecosystem. It is a difficult task to protect critical Industrial Control Systems (ICS), OT, and IT systems from cybersecurity threats as each have its own operational frameworks, access points, and a mix of legacy and emerging technologies. Hardware-implemented cybersecurity is required in critical infrastructure OT to ensure safety in the face of an ever-increasing threat landscape. Penetration testing is the best way to determine if OT is secure. The Israel Electric Corporation (IEC), Israel's largest supplier of electrical power, recently began penetration testing on potential vendors to determine how well they are protected from breaches. IEC cannot afford to deploy security technologies that fail to meet mission specifications because it builds, maintains, and operates power generation stations, substations, and transmission and distribution networks. This is especially important given that Israel's critical infrastructure is constantly under attack, and hardware product vulnerabilities now attached to critical infrastructure could present a major threat if discovered and exploited by adversaries. This article continues to discuss the threat of cyberattacks to critical infrastructure and the mitigation of hardware risk through comprehensive penetration testing.