Fortinet: Converging IT/OT networks create opportunities for cybercriminals.

The march of technology, and the benefits it brings, means more devices and objects in a business are connected – but that same advance heightens another potential connection carrying the threat of major damage: intrusion by cybercriminals.

In the past, Kiwi businesses have run information technology (IT) networks and separate operational technology (OT) networks for offline plants or equipment. However, IT and OT are now converging across all industries, creating new potential vulnerabilities for security breaches.

Whether it’s a legacy printer, a point-of-sale (POS) machine or any other type of legacy equipment, it’s remarkable how easily a cybercriminal can find a point of entry.

“In the old days, before we linked OT to the internet, someone might need to be physically near your OT or your air-gapped network to cause any damage,” explains Glenn Maiden, Director of Threat Intelligence at FortiGuard Labs, Australia and New Zealand. “Now it can be a sophisticated cybercrime gang operating out of Eastern Europe. These criminals are extremely capable of breaking into and moving around your system.

“For criminals and adversarial nation-states, it can be an absolute piece of cake to find a vulnerability in legacy OT, exploit that vulnerability and break in, then move around and steal your data or disable your infrastructure.”

The convergence between IT and OT systems is happening in all industries, but the financial sector is often targeted because it is considered high value. While banks, insurers and other financial services industries don’t always consider their OT a risk, Maiden says it’s surprisingly common to see legacy operating systems at work on financial equipment.

“There could still be some ATMs and POS machines running an old, unsupported Windows version as their operating systems, old versions of Linux and even something like an old robot backup tape machine or printer humming away in the corners of a large financial institution,” he says.

“Every threat actor is an opportunist. If I can get you to click on a link, I then have access to your computer. I see an old printer that’s not patched and that’s the perfect place to move into the network and establish a possible base of operations.

“People know now they need to keep their workstations, servers and phones up to date. But sometimes people forget that routers, access points, printers and even fridges run an operating system that can harbour vulnerabilities. From there I can do as much damage as anywhere else in the network.”

If cybercriminals are successful in shutting down services, the costs can be enormous. First, there are the direct costs of the outage, which, for a major financial service like a bank, can be substantial – particularly if a large ransom is demanded to restore service.

The second cost may come from regulators, who may fine the business if data is compromised. In Australia, the fine was previously up to A$2.22 million but has now increased to A$50m or 30 per cent of domestic turnover in the year the breach occurred, whichever amount is higher. Companies may also face civil action from customers or clients. The impact of a financial cybercrime on an individual or a business can be devastating.

Finally, reputational damage can also be significant. “For some companies in the financial services sector, the costs could be an existential level event,” Maiden says. “Considering the potential repercussions and penalties, getting cybersecurity right is not something a business can just risk-manage – the numbers just don’t add up.

“Uptime is everything for financial platforms and banking apps – just a half-day outage can cause chaos. Because financial systems are so interconnected, any shocks to a single banking system can cause catastrophic damage to that particular system as well as the bigger financial ecosystem.”

Maiden would like to see New Zealand and Australian businesses raise the standard of cybersecurity, so the regions gain a reputation as a hard target to attack. If we can make it too challenging for cybercriminals to profit from attacks, hopefully they will turn their attention to softer targets.

“It’s easy to feel a bit cynical in this business, but I see a lot of qualified, enthusiastic young people in the industry with a passion for making a positive impact. The cybersecurity sector is very optimistic in New Zealand and Australia, and especially Kiwis seem to have the agility, giving you the opportunity to adapt fast.”

There is more good news: a recent international Fortinet report on OT cybersecurity found that, globally (including Asia-Pacific), intrusions were lower than the previous year. Approximately 75 per cent of organisations reported at least one intrusion in the 12 months prior, down from 90 per cent in 2022. However, this decline may be due to cybercriminals adopting a more targeted approach.

The average cybersecurity maturity levels also improved, and Maiden says other data indicates that fewer businesses are paying ransoms than in the past.

“There’s some great information in that report and, when we consider all the data, it indicates that businesses are building more resilience in their networks and they feel confident to recover their systems rather than pay a ransom, which is a very positive trend.”

The main findings of the report are:

  • Overall decline in intrusions due to fewer insider breaches, though ransomware and phishing are still major threats; however, this may be due to cybercriminals adopting a more targeted approach.
  • Nearly all organisations have placed the responsibility for OT cybersecurity under a chief information security officer (CISO) rather than an operations executive or team.
  • There are indications that point products and solution sprawl may make it more challenging to apply policies and enforce them consistently across the converged IT/OT landscape.
  • The number of respondents who consider their organisation’s cybersecurity maturity to be at Level 4 fell from 21 per cent a year ago to 13 per cent today. Those who see their cybersecurity at Level 3 are up from 35 per cent to 44 per cent. This suggests that OT professionals now have a more realistic self-assessment of their organisation’s OT cybersecurity capabilities.
