printer friendly version

How safe are our factories?

How safe are our factories from cyber threats? This depends on how automated the factory is and what levels of protection have been implemented from a people, process and technology perspective. Thanks to the Internet, threats can come from anywhere in the world, from someone with enough motivation, skill and resources.

Are we really at risk in South Africa and have any local factories been breached?

Sadly, if local companies have been breached, nobody is talking. This is understandable, but does not help the broader community. According to a recent Forester Consulting report, 58% of organisations surveyed have had at least one operational technology (OT) security breach in the last 12 months.^{[1] [2]}

In this series, I will further explore the topic and offer practical advice and resources to reduce the risk of an attack. I aim to raise awareness of the issues: why we should be concerned, recommend what can be done and encourage a collective response. I will be using the term OT to cover industrial control systems, PLCs and SCADA technologies.

I started in the IT industry in the early nineties at a sugar mill on the south coast of KwaZulu-Natal. My role was to support the IT systems at the site. The company had a centralised mainframe at the head office in Durban, to which users connected via a LAN and a shared, leased line with a 9600 bits/s modem. Internet browsing and ‘external email’ were very limited. MS-DOS and text-based systems were the order of the day. Cyber threats were minimal. The Internet was still in its infancy as there were only a few million connected devices. There were basic security controls like antivirus and firewalls and the plant had basic automation, but no connectivity to IT.

Cybercrime pays well

Fast forward to today and the situation is vastly different. Internet connectivity is ubiquitous with billions of connected devices as the digital and physical worlds merge at an incredible rate. Cybercrime pays and is one of the primary motivations for cyber threats. It has become a lucrative business: the impact of cybercrime is estimated to be US$1 trillion per annum.^{[3] [4]}

According to an ISACA report on advanced persistent threats (APTs), many industrial plants are far from immune from deliberate cyberattacks because that type of threat was not conceivable when the installations were originally designed. Components were not built to withstand sophisticated technical attacks and control systems were designed to be readily accessible across networks to mobile engineers. This has been exacerbated by Covid-19 and the shift to remote workforces.^[5]

The latest weapon of choice is ransomware. This is the ‘heavy metal’ of threats and not to be taken lightly. It is an ingenious form of malware designed by organised cybercriminals to sneak into your systems, exfiltrate your data and then encrypt it. The victim is asked to pay a ransom in bitcoin for the encryption key and the leaked data to be deleted. If the ransom is not paid, your IT or OT systems will be inoperable and the data could be released or sold on the dark web (where ransomware can be bought as a service).

This presents a few problems. The encryption used cannot be broken as they use the latest and best algorithms, plus there is no guarantee your stolen data will be deleted. There are only two options: pay up or reload your systems from backups. This assumes you have recent backups that have not also been encrypted.

The perpetrator can be anywhere in the world, masking their location and identity. The stolen data could belong to your customers or may be sensitive proprietary information; and once the ransom is paid, the criminals often return for round two if the original entry points they used have not been closed.

Can ransomware really jump to your OT systems? Unfortunately, yes. In addition to organised cybercrime, there are also other threat actors: Nation-states motivated by political gain and espionage have immense resources to design the ultimate cyber weapons, which are then reverse engineered and copied by others. Here are some examples:

• 2010 – Stuxnet malware made an appearance at Natanz, an Iranian nuclear enrichment facility. It was able to disable the plant by reprogramming Siemens PLCs to damage centrifuges. Suppliers to the plant were initially targeted and they brought it to Natanz via USB flash drives. Stuxnet opened a Pandora’s box showing the way for future attacks on OT systems.^{[6] [9]}

• 2013 – Havex exfiltrates large amounts of data from about 2000 energy grid operators and electricity generation companies in the USA and Europe. Reconnaissance is the first step in any cyberattack.^[7]

• 2015 – IronGate targets Siemens control systems and has functionalities similar to Stuxnet’s. Intentions were unclear.^[7]

• 2015 – Black Energy targets critical infrastructure in Ukraine. 230 000 people were left in the dark for six hours.^[7]

• 2016 - Industroyer causes outages in the Ukraine electric grid. Deployed by the Sandworm Team.^[7]

• 2017 – Triton Framework used to gain remote access to an oil refinery. It had the ability to manipulate industrial safety systems.^{[7] [8]}

• 2021 – Darkside Ransomware infects Colonial Pipeline’s systems affecting a large part of the USA’s fuel supply.^[10]

Cyberattacks on conventional IT systems mostly affect logical systems – money can be lost or stolen and brands or reputations can be damaged. OT operates in the physical realm where the dangers are real and can potentially threaten human life. A breach can shut down a plant and impact production and the bottom line. A comprehensive review of OT cybersecurity controls should be carried out at least once a year to ensure a safe working environment.

If companies are regularly being targeted overseas, isn’t it only a matter of time before someone with enough motivation, skill and resources targets us?^[11]

For more information contact Bryan Baxter, Wolfpack Information Risk, +27 82 568 7291, bryan@wolfpackrisk.com, www.wolfpackrisk.com

References

1. Maurya. R 2020 OT Security Breaches Are Anything But Rare, https://www.cioandleader.com/article/2020/05/26/ot-security-breaches-are-anything-rare

2. Fortinet 2021 Independent Study Finds That Security Risks Are Slowing IT-OT Convergence https://www.fortinet.com/content/dam/fortinet/assets/white-papers/wp-report-ot-forrester.pdf

3. IT Web 2020 Cybercrime losses exceed $1 trillion: McAfee https://www.itweb.co.za/content/P3gQ2qGx1pnvnRD1

4. Mcaffee 2020 The Hidden Costs of Cybercrime https://www.mcafee.com/enterprise/en-us/assets/reports/rp-hidden-costs-of-cybercrime.pdf

5. ISACA 2013 Advanced Persistent Threats How to Manage the Risk to Your Business

6. Zetter. K 2014 An Unprecedented Look at Stuxnet, the World’s First Digital Weapon https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/

7. Rocccia. T 2018 Triton Malware Spearheads Latest Attacks on Industrial Systems https://www.mcafee.com/blogs/other-blogs/mcafee-labs/triton-malware-spearheads-latest-generation-of-attacks-on-industrial-systems/

8. Fireeye 2017 Attackers Deploy New ICS Attack Framework ‘TRITON’ and Cause Operational Disruption to Critical Infrastructure https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

9. Gilbert. G 2013 International Space Station Infected With USB Stick Malware Carried on Board by Russian Astronauts https://www.ibtimes.co.uk/international-space-station-infected-malware-russian-astronaut-521246

10. Bloomberg 2021 Hackers Breached Colonial Pipeline Using Compromised Password https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password

11. News24 2021 SA firms hit in massive ransomware attack https://www.news24.com/fin24/companies/ict/sa-firms-also-hit-in-massive-ransomware-attack-20210705

Share this article:

Further reading: