How safe are our factories?

Issue 5 2021 Industrial (Industry), Information Security

How safe are our factories from cyber threats? This depends on how automated the factory is and what levels of protection have been implemented from a people, process and technology perspective. Thanks to the Internet, threats can come from anywhere in the world, from someone with enough motivation, skill and resources.

Are we really at risk in South Africa and have any local factories been breached?

Sadly, if local companies have been breached, nobody is talking. This is understandable, but does not help the broader community. According to a recent Forester Consulting report, 58% of organisations surveyed have had at least one operational technology (OT) security breach in the last 12 months.[1] [2]

In this series, I will further explore the topic and offer practical advice and resources to reduce the risk of an attack. I aim to raise awareness of the issues: why we should be concerned, recommend what can be done and encourage a collective response. I will be using the term OT to cover industrial control systems, PLCs and SCADA technologies.

I started in the IT industry in the early nineties at a sugar mill on the south coast of KwaZulu-Natal. My role was to support the IT systems at the site. The company had a centralised mainframe at the head office in Durban, to which users connected via a LAN and a shared, leased line with a 9600 bits/s modem. Internet browsing and ‘external email’ were very limited. MS-DOS and text-based systems were the order of the day. Cyber threats were minimal. The Internet was still in its infancy as there were only a few million connected devices. There were basic security controls like antivirus and firewalls and the plant had basic automation, but no connectivity to IT.

Cybercrime pays well

Fast forward to today and the situation is vastly different. Internet connectivity is ubiquitous with billions of connected devices as the digital and physical worlds merge at an incredible rate. Cybercrime pays and is one of the primary motivations for cyber threats. It has become a lucrative business: the impact of cybercrime is estimated to be US$1 trillion per annum.[3] [4]

According to an ISACA report on advanced persistent threats (APTs), many industrial plants are far from immune from deliberate cyberattacks because that type of threat was not conceivable when the installations were originally designed. Components were not built to withstand sophisticated technical attacks and control systems were designed to be readily accessible across networks to mobile engineers. This has been exacerbated by Covid-19 and the shift to remote workforces.[5]

The latest weapon of choice is ransomware. This is the ‘heavy metal’ of threats and not to be taken lightly. It is an ingenious form of malware designed by organised cybercriminals to sneak into your systems, exfiltrate your data and then encrypt it. The victim is asked to pay a ransom in bitcoin for the encryption key and the leaked data to be deleted. If the ransom is not paid, your IT or OT systems will be inoperable and the data could be released or sold on the dark web (where ransomware can be bought as a service).

This presents a few problems. The encryption used cannot be broken as they use the latest and best algorithms, plus there is no guarantee your stolen data will be deleted. There are only two options: pay up or reload your systems from backups. This assumes you have recent backups that have not also been encrypted.

The perpetrator can be anywhere in the world, masking their location and identity. The stolen data could belong to your customers or may be sensitive proprietary information; and once the ransom is paid, the criminals often return for round two if the original entry points they used have not been closed.

Can ransomware really jump to your OT systems? Unfortunately, yes. In addition to organised cybercrime, there are also other threat actors: Nation-states motivated by political gain and espionage have immense resources to design the ultimate cyber weapons, which are then reverse engineered and copied by others. Here are some examples:

• 2010 – Stuxnet malware made an appearance at Natanz, an Iranian nuclear enrichment facility. It was able to disable the plant by reprogramming Siemens PLCs to damage centrifuges. Suppliers to the plant were initially targeted and they brought it to Natanz via USB flash drives. Stuxnet opened a Pandora’s box showing the way for future attacks on OT systems.[6] [9]

• 2013 – Havex exfiltrates large amounts of data from about 2000 energy grid operators and electricity generation companies in the USA and Europe. Reconnaissance is the first step in any cyberattack.[7]

• 2015 – IronGate targets Siemens control systems and has functionalities similar to Stuxnet’s. Intentions were unclear.[7]

• 2015 – Black Energy targets critical infrastructure in Ukraine. 230 000 people were left in the dark for six hours.[7]

• 2016 - Industroyer causes outages in the Ukraine electric grid. Deployed by the Sandworm Team.[7]

• 2017 – Triton Framework used to gain remote access to an oil refinery. It had the ability to manipulate industrial safety systems.[7] [8]

• 2021 – Darkside Ransomware infects Colonial Pipeline’s systems affecting a large part of the USA’s fuel supply.[10]

Cyberattacks on conventional IT systems mostly affect logical systems – money can be lost or stolen and brands or reputations can be damaged. OT operates in the physical realm where the dangers are real and can potentially threaten human life. A breach can shut down a plant and impact production and the bottom line. A comprehensive review of OT cybersecurity controls should be carried out at least once a year to ensure a safe working environment.

If companies are regularly being targeted overseas, isn’t it only a matter of time before someone with enough motivation, skill and resources targets us?[11]

For more information contact Bryan Baxter, Wolfpack Information Risk, +27 82 568 7291, [email protected], www.wolfpackrisk.com

References

1. Maurya. R 2020 OT Security Breaches Are Anything But Rare, https://www.cioandleader.com/article/2020/05/26/ot-security-breaches-are-anything-rare

2. Fortinet 2021 Independent Study Finds That Security Risks Are Slowing IT-OT Convergence https://www.fortinet.com/content/dam/fortinet/assets/white-papers/wp-report-ot-forrester.pdf

3. IT Web 2020 Cybercrime losses exceed $1 trillion: McAfee https://www.itweb.co.za/content/P3gQ2qGx1pnvnRD1

4. Mcaffee 2020 The Hidden Costs of Cybercrime https://www.mcafee.com/enterprise/en-us/assets/reports/rp-hidden-costs-of-cybercrime.pdf

5. ISACA 2013 Advanced Persistent Threats How to Manage the Risk to Your Business

6. Zetter. K 2014 An Unprecedented Look at Stuxnet, the World’s First Digital Weapon https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/

7. Rocccia. T 2018 Triton Malware Spearheads Latest Attacks on Industrial Systems https://www.mcafee.com/blogs/other-blogs/mcafee-labs/triton-malware-spearheads-latest-generation-of-attacks-on-industrial-systems/

8. Fireeye 2017 Attackers Deploy New ICS Attack Framework ‘TRITON’ and Cause Operational Disruption to Critical Infrastructure https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

9. Gilbert. G 2013 International Space Station Infected With USB Stick Malware Carried on Board by Russian Astronauts https://www.ibtimes.co.uk/international-space-station-infected-malware-russian-astronaut-521246

10. Bloomberg 2021 Hackers Breached Colonial Pipeline Using Compromised Password https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password

11. News24 2021 SA firms hit in massive ransomware attack https://www.news24.com/fin24/companies/ict/sa-firms-also-hit-in-massive-ransomware-attack-20210705




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Cybersecurity and AI
AI & Data Analytics Information Security
Cybersecurity is one of the primary reasons that detecting the commonalities and threats of what is otherwise completely unknown is possible with tools such as SIEM and endpoint protection platforms.

Read more...
Data security and privacy in global mobility
Security Services & Risk Management Information Security
Data security and privacy in today’s interconnected world is of paramount importance. In the realm of global mobility, where individuals and organisations traverse borders for various reasons, safeguarding sensitive information becomes an even more critical imperative.

Read more...
Sophos celebrates partners and cybersecurity innovation at annual conference
News & Events Information Security
[Sponsored] Sun City hosted Sophos' annual partner event this year, which took place from 12 to 14 March. Sophos’ South African cybersecurity distributors and resellers gathered for an engaging two-day conference.

Read more...
The CIPC hack has potentially serious consequences
Editor's Choice Information Security
A cyber breach at the South African Companies and Intellectual Property Commission (CIPC) has put millions of companies at risk. The organisation holds a vast database of registration details, including sensitive data like ID numbers, addresses, and contact information.

Read more...
AI augmentation in security software and the resistance to IT
Security Services & Risk Management Information Security
The integration of AI technology into security software has been met with resistance. In this, the first in a series of two articles, Paul Meyer explores the challenges and obstacles that must be overcome to empower AI-enabled, human-centric decision-making.

Read more...
Milestone Systems joins CVE programme
Milestone Systems News & Events Information Security
Milestone Systems has partnered with the Common Vulnerability and Exposures (CVE) Programme as a CVE Numbering Authority (CNA), to assist the programme to find, describe, and catalogue known cybersecurity issues.

Read more...
Access & identity expectations for 2024
Technews Publishing IDEMIA ZKTeco Gallagher Salto Systems Africa Regal Distributors SA Reditron Editor's Choice Access Control & Identity Management Information Security AI & Data Analytics
What does 2024 have in store for the access and identity industry? SMART Security Solutions asked several industry players for their brief thoughts on what they expect this year.

Read more...
Zero Trust and user fatigue
Access Control & Identity Management Information Security
Paul Meyer, Security Solutions Executive, iOCO OpenText, says implementing Zero Trust and enforcing it can create user fatigue, which only leads to carelessness and a couldn’t care attitude.

Read more...
Passwordless, unphishable web browsers
Access Control & Identity Management Information Security
Passkey technology is proving to be an easily deployed way to bring unphishable, biometric-based security to browsers; making identification and authentication much more secure and reliable for all parties.

Read more...
Practical guide to protect data privacy
Training & Education Information Security
The Data Privacy Toolkit, reflecting the evolving landscape of data privacy, includes guidelines and recommendations to safeguard sensitive information crucial for protecting sensitive information from malicious actors.

Read more...