How safe are our factories?

Issue 5 2021 Industrial (Industry), Cyber Security

How safe are our factories from cyber threats? This depends on how automated the factory is and what levels of protection have been implemented from a people, process and technology perspective. Thanks to the Internet, threats can come from anywhere in the world, from someone with enough motivation, skill and resources.

Are we really at risk in South Africa and have any local factories been breached?

Sadly, if local companies have been breached, nobody is talking. This is understandable, but does not help the broader community. According to a recent Forester Consulting report, 58% of organisations surveyed have had at least one operational technology (OT) security breach in the last 12 months.[1] [2]

In this series, I will further explore the topic and offer practical advice and resources to reduce the risk of an attack. I aim to raise awareness of the issues: why we should be concerned, recommend what can be done and encourage a collective response. I will be using the term OT to cover industrial control systems, PLCs and SCADA technologies.

I started in the IT industry in the early nineties at a sugar mill on the south coast of KwaZulu-Natal. My role was to support the IT systems at the site. The company had a centralised mainframe at the head office in Durban, to which users connected via a LAN and a shared, leased line with a 9600 bits/s modem. Internet browsing and ‘external email’ were very limited. MS-DOS and text-based systems were the order of the day. Cyber threats were minimal. The Internet was still in its infancy as there were only a few million connected devices. There were basic security controls like antivirus and firewalls and the plant had basic automation, but no connectivity to IT.

Cybercrime pays well

Fast forward to today and the situation is vastly different. Internet connectivity is ubiquitous with billions of connected devices as the digital and physical worlds merge at an incredible rate. Cybercrime pays and is one of the primary motivations for cyber threats. It has become a lucrative business: the impact of cybercrime is estimated to be US$1 trillion per annum.[3] [4]

According to an ISACA report on advanced persistent threats (APTs), many industrial plants are far from immune from deliberate cyberattacks because that type of threat was not conceivable when the installations were originally designed. Components were not built to withstand sophisticated technical attacks and control systems were designed to be readily accessible across networks to mobile engineers. This has been exacerbated by Covid-19 and the shift to remote workforces.[5]

The latest weapon of choice is ransomware. This is the ‘heavy metal’ of threats and not to be taken lightly. It is an ingenious form of malware designed by organised cybercriminals to sneak into your systems, exfiltrate your data and then encrypt it. The victim is asked to pay a ransom in bitcoin for the encryption key and the leaked data to be deleted. If the ransom is not paid, your IT or OT systems will be inoperable and the data could be released or sold on the dark web (where ransomware can be bought as a service).

This presents a few problems. The encryption used cannot be broken as they use the latest and best algorithms, plus there is no guarantee your stolen data will be deleted. There are only two options: pay up or reload your systems from backups. This assumes you have recent backups that have not also been encrypted.

The perpetrator can be anywhere in the world, masking their location and identity. The stolen data could belong to your customers or may be sensitive proprietary information; and once the ransom is paid, the criminals often return for round two if the original entry points they used have not been closed.

Can ransomware really jump to your OT systems? Unfortunately, yes. In addition to organised cybercrime, there are also other threat actors: Nation-states motivated by political gain and espionage have immense resources to design the ultimate cyber weapons, which are then reverse engineered and copied by others. Here are some examples:

• 2010 – Stuxnet malware made an appearance at Natanz, an Iranian nuclear enrichment facility. It was able to disable the plant by reprogramming Siemens PLCs to damage centrifuges. Suppliers to the plant were initially targeted and they brought it to Natanz via USB flash drives. Stuxnet opened a Pandora’s box showing the way for future attacks on OT systems.[6] [9]

• 2013 – Havex exfiltrates large amounts of data from about 2000 energy grid operators and electricity generation companies in the USA and Europe. Reconnaissance is the first step in any cyberattack.[7]

• 2015 – IronGate targets Siemens control systems and has functionalities similar to Stuxnet’s. Intentions were unclear.[7]

• 2015 – Black Energy targets critical infrastructure in Ukraine. 230 000 people were left in the dark for six hours.[7]

• 2016 - Industroyer causes outages in the Ukraine electric grid. Deployed by the Sandworm Team.[7]

• 2017 – Triton Framework used to gain remote access to an oil refinery. It had the ability to manipulate industrial safety systems.[7] [8]

• 2021 – Darkside Ransomware infects Colonial Pipeline’s systems affecting a large part of the USA’s fuel supply.[10]

Cyberattacks on conventional IT systems mostly affect logical systems – money can be lost or stolen and brands or reputations can be damaged. OT operates in the physical realm where the dangers are real and can potentially threaten human life. A breach can shut down a plant and impact production and the bottom line. A comprehensive review of OT cybersecurity controls should be carried out at least once a year to ensure a safe working environment.

If companies are regularly being targeted overseas, isn’t it only a matter of time before someone with enough motivation, skill and resources targets us?[11]

For more information contact Bryan Baxter, Wolfpack Information Risk, +27 82 568 7291, bryan@wolfpackrisk.com, www.wolfpackrisk.com

References

1. Maurya. R 2020 OT Security Breaches Are Anything But Rare, https://www.cioandleader.com/article/2020/05/26/ot-security-breaches-are-anything-rare

2. Fortinet 2021 Independent Study Finds That Security Risks Are Slowing IT-OT Convergence https://www.fortinet.com/content/dam/fortinet/assets/white-papers/wp-report-ot-forrester.pdf

3. IT Web 2020 Cybercrime losses exceed $1 trillion: McAfee https://www.itweb.co.za/content/P3gQ2qGx1pnvnRD1

4. Mcaffee 2020 The Hidden Costs of Cybercrime https://www.mcafee.com/enterprise/en-us/assets/reports/rp-hidden-costs-of-cybercrime.pdf

5. ISACA 2013 Advanced Persistent Threats How to Manage the Risk to Your Business

6. Zetter. K 2014 An Unprecedented Look at Stuxnet, the World’s First Digital Weapon https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/

7. Rocccia. T 2018 Triton Malware Spearheads Latest Attacks on Industrial Systems https://www.mcafee.com/blogs/other-blogs/mcafee-labs/triton-malware-spearheads-latest-generation-of-attacks-on-industrial-systems/

8. Fireeye 2017 Attackers Deploy New ICS Attack Framework ‘TRITON’ and Cause Operational Disruption to Critical Infrastructure https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

9. Gilbert. G 2013 International Space Station Infected With USB Stick Malware Carried on Board by Russian Astronauts https://www.ibtimes.co.uk/international-space-station-infected-malware-russian-astronaut-521246

10. Bloomberg 2021 Hackers Breached Colonial Pipeline Using Compromised Password https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password

11. News24 2021 SA firms hit in massive ransomware attack https://www.news24.com/fin24/companies/ict/sa-firms-also-hit-in-massive-ransomware-attack-20210705


Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

AI-powered hardhat detection
Issue 8 2020, Hikvision South Africa , Industrial (Industry), CCTV, Surveillance & Remote Monitoring
Hardhats save lives, but only if people wear them. Intelligent, AI-powered hardhat cameras are helping to ensure workers in dangerous locations stay safe at all times.

Read more...
Managing a breach or ‘dirty’ network
Issue 5 2021 , Editor's Choice, Cyber Security
Nasser Bostan, head of security sales, Middle East and Africa, BT, shares BT’s insights gleaned from the SolarWinds incident and offers recommendations for organisations to step up their cybersecurity strategies.

Read more...
Securing industrial control systems
Issue 4 2021 , Industrial (Industry)
The increase in connectivity among OT devices and systems helps keep your critical industrial processes up to date and running smoothly, but it also risks exposing all your OT-related devices and facilities.

Read more...
Gijima and Cattron to deliver intelligent solutions
Issue 4 2021, Gijima Specialised Solutions (GSS) , Industrial (Industry), News, Integrated Solutions
South African ICT provider, Gijima, has entered into a partnership agreement with Cattron, a provider of high-performance, intelligent control solutions, as part of Gijima’s quest to expand its horizons.

Read more...
Cybersecurity in the physical security world
Issue 4 2021, Technews Publishing, Milestone Systems, Axis Communications SA, AVeS Cyber Security, Vox , Editor's Choice, Cyber Security, Integrated Solutions, IT infrastructure
Hi-Tech Security Solutions, in partnership with Milestone Systems, hosted a round table discussion to find out about the trends and realities and the importance of cybersecurity in the physical security and IoT world.

Read more...
Design for the users, not against them
Issue 4 2021 , Editor's Choice, Cyber Security, IT infrastructure
Security is an evolving process, a liquid and malleable evolution that engages with user, technology and system to ensure absolute security coherence, says Henk Olivier, MD of Ozone Information Technology Distribution.

Read more...
Automation and AI in security
Issue 4 2021 , Editor's Choice, Cyber Security, Commercial (Industry)
It’s important for businesses to have an internal strategy for automation and AI as these can relate to both cybersecurity and other parts of the business and provide a benchmark for evaluating the security vendor.

Read more...
A framework for information risk mitigation
Issue 3 2021, Wolfpack Information Risk , Editor's Choice
Apart from the obvious cybersecurity risks they face in terms of lost money, reputation and so forth, a cyber breach could also affect their compliance standing and attract the attention of regulators.

Read more...
Dahua Technology’s cybersecurity approach
Issue 3 2021, Dahua Technology South Africa , CCTV, Surveillance & Remote Monitoring, Cyber Security
With a mindset that emphasises cybersecurity and all the resources it can allocate to establish, carry out and strengthen its cybersecurity approach, Dahua plans to stay positive, open, responsible and constantly improving its cybersecurity.

Read more...
Passwords are 60, time for them to go
Issue 3 2021 , Access Control & Identity Management, Cyber Security
It has been 60 years since passwords were first used at MIT and if the number of breaches in the news are anything to go by, we are no more adept at managing our passwords than we were in 1961.

Read more...