Protecting the machines
July 2018, This Week's Editor's Pick, Cyber Security, Integrated Solutions, Industrial (Industry)
Industrial installations are busy, dirty and more often than not filled with dangers due to machinery malfunctioning or careless actions by people. These days, however, industrial concerns are also under fire from cyber-attacks designed to sabotage processes and machinery, delay the company’s operations or bring the operations to a halt, impacting everyone relying on the industry concerned.
Scada (supervisory control and data acquisition) systems were designed for operations, not security, making them a juicy target for hackers wanting to mess about with process controls, PLCs and other industrial controllers. More importantly, an expert in scada processing is not necessarily a cybersecurity expert, not yet anyway.
This means that security operations at industrial sites need to include cybersecurity and it needs to be treated with the same importance as the physical security of the site as well as health and safety standards. Hi-Tech Security Solutions asked two industry experts for their take of industrial cybersecurity: Jason McGregor, business development manager, digital security & CCTV, Dell EMC South Africa, and Carey van Vlaanderen, CEO at ESET Southern Africa.
Hi-Tech Security Solutions: Industry 4.0 reads well in the media, but what exactly does this idea entail and how does it expose industrial operations to more cyber risks?
Jason McGregor: With Industry 4.0, the interconnectivity increases, but this brings new challenges in the form of increased exposure to cybersecurity attacks. Industrial systems are moving from scada to open protocols, or even just interconnecting with more traditional computers and networks that are better connected and generally easier to compromise.
The fact is, the more end-points (eg. sensors) you have and the more locations in which you store your data (eg. cloud), the more signals you put out into the virtual world and the more your perimeter disappears. This makes detection much more difficult, especially when you don’t add staff.
Carey van Vlaanderen: The fourth industrial revolution brings with it a new operational risk for connected, smart manufacturers and digital supply networks: cyber. The interconnected nature of industry 4.0-driven operations and the pace of digital transformation mean that cyber-attacks can have far more extensive effects than ever before, and manufacturers and their supply networks may not be prepared for the risks.
Hi-Tech Security Solutions What are the primary cybersecurity risks facing industrial operations today?
Jason McGregor: The primary risks to data today are data deletion or destruction, and of course encryption via some form of ransomware. The threat actors can be criminals looking to make a profit or being paid to damage a business, or they could even be nation states – as we saw with the NotPetya malware (en.wikipedia.org/wiki/Petya_(malware)). These cyber weapons are so powerful they can cause hundreds of millions of dollars in losses, even when the injured party was not the target.
The NotPetya attack didn’t target specific companies; it was a Russian attack on Ukraine. However, over 60 companies saw the impact when they downloaded the affected malware through their supply chain. As an example of the costs involved in such an attack, pharmaceutical giant Merck says the attack cost it $300 million in its third quarter alone – “$135 million from lost sales and approximately $175 million in costs, spread across the cost of goods sold and the operating expense lines”.
Shipping giant Maersk claimed that the ransomware also cost the company as much as $300m, while FedEx was said to have been hit with a similar loss in its first quarter.
It’s also important to note that attacks don’t only come from outside. The insider threat is also a growing concern for companies globally.
Carey van Vlaanderen:
a. Running outdated infrastructure without proper patching process and security measures.
b. Adding ‘smart’ devices to the network, that have no protection.
c. Internal incidents spurred by accidental actions.
d. External threats from hacktivists and state-funded attacks.
e. Extortion – including ransomware.
Hi-Tech Security Solutions: How can a cybersecurity breach impact operations? And, how can good cybersecurity defences help to improve operations?
Jason McGregor: The velocity of cybersecurity attacks are extremely rapid and can spread within seconds and the impact on highly-connected business can be significant. Hundreds to thousands of critical servers, desktops, phones can be rendered useless almost instantly. The supply chain impact can also be substantial, bringing logistics, production and operations to a complete halt (as with Maersk and FedEx above). In the worst case, it can lead to the shut down or even bankruptcy of the company.
A complete, well thought out cybersecurity defence is therefore critical. That defence has to protect against both traditional breaches and theft of data, and the attacks listed above. Leveraging standards such as NIST CSF (Cybersecurity Framework) or ISO 27001 (Information Security Management) is critically important.
Carey van Vlaanderen: The loss of proprietary information is the most likely consequences of an ICS security incident. But the consequences of cybersecurity breaches in operations are far greater than simply financial cost. Companies seem to underestimate the impact on the environment, critical services and national security, but also the fact that – in their extreme – such incidents can result in loss of life, the reputational issues of which can significantly damage brands, lead to mistrust in industries and cause companies to close.
The convergence of operational technology (OT) and information technology (IT) are coming together as IT shops deploy software on top of OT communications to try to improve the efficiency of a plant or facility. This IT/OT convergence means that the potential impact on a security breach can extend well beyond data loss into areas of physical and human risk.
A single cyberattack on an oil and gas plant costs an average of $13 million according to Frost & Sullivan. Or a power outage, as seen in case of BlackEnergy (en.wikipedia.org/wiki/BlackEnergy) or Industroyer (en.wikipedia.org/wiki/Industroyer), can paralyse large regions, cities, city parts as well as their essential services. There are many potential weak links, such as city’s smart traffic signals, city water or power infrastructure, or outdated healthcare facilities, which could all be targeted by the attackers and lead to chaos, damage to health, life and property.
In addition to securing all the above mentioned critical systems by proper and multi-layered security, companies can also conduct security awareness programmes for staff, contractors and partners. Organisations that take the previous steps typically experience less financial loss. Investing in cybersecurity awareness for all staff is therefore critical in the effort to secure one’s systems and infrastructure.
Hi-Tech Security Solutions: How important is it for these concerns to integrate their security defences, even as far as integrating cyber and physical security? Is this a necessity or a nice-to-have?
Jason McGregor: Companies that were hit by the ransomware attacks above had good detection and prevention strategies in place, but they were still breached and had to resort to backups after nothing was left of their IT environment. A strong and sound recovery strategy has become essential to be prepared for a full-blown cybersecurity breach.
This is an absolute necessity both from an operational as well as from a legal or regulatory standpoint. Most industries in almost every country have some cybersecurity requirements that apply to them. For corporations with shareholders, the board usually has a fiduciary responsibility to protect the ongoing operations of the business. Failing to provide proper security – cyber and physical – is a derogation of those duties.
Carey van Vlaanderen: It is absolutely a must have. ESET experts consistently stress that many industrial environments are still running outdated systems which are not protected well enough. Based on our experience, companies often underestimate the impact of cyber risks and only build and invest in proper security measures after a breach has happened. The threat of an attack inside industrial control systems (or supply-chain), however, is very real as we have seen on multiple occasions in the past years in cases such as BlackEnergy, NotPetya and Industroyer.
Hi-Tech Security Solutions: What strategy should industrial companies take when dealing with cybersecurity risks given that this is not an area they are traditionally worried about?
Jason McGregor: My experience is that many of these companies are aware of the risks they face, but their cost/risk analysis wound up focusing more on physical threats for various reasons. That has changed. Today, cybersecurity is consistently ranked #1 in spending priority in surveys from organisations such as the Enterprise Strategy Group.
Companies know this is a primary concern and they are eager to do something about it. Many large companies have CISO/CSO in place to handle the task, but the challenge that often has to be overcome is a coordinated strategy between security and IT people. For example, data recovery (or cyber recovery) plans are often not coordinated with an overall incident response plan.
As noted above, a cyber-recovery strategy needs to be an integral part of cybersecurity defences. A good cyber-recovery strategy is needed to prepare for worst-case scenarios so that the organisation can respond more quickly and effectively. In addition, copies of critical data should be stored in an air-gapped vault that can be used to recover critical applications if the IT operations have been compromised.
Carey van Vlaanderen: Companies that have the necessary funds and opportunity should move to newer and better protected operating systems. There is also scope for companies to further protect themselves with increased usage of vulnerability scans and patch management.
As the WannaCry pandemic has shown, the up-to-date patching of generic systems like Windows OS is a crucial security measure. Running updated and multi-layered security solutions on all potentially ‘interesting’ systems is also a way to improve protection of the ICS environment. There is also a very real need for education and assistance to ensure the network security of industrial environments and to reduce risk of any kind of breach.
ICS cybersecurity risk management is recognised to be a growing need for organisations. Companies therefore need to know what the risks are. They need to have trained and qualified staff available to identify risks and manage the businesses response, and have in place the right controls and software to protect those systems and hardware. There’s a clear need for raising levels of awareness of all staff about the cyber risks within operational technologies.
For more information, contact:
• Dell Technologies, +27 76 663 6820, firstname.lastname@example.org, https://datasecurity.dell.com
• ESET-SA, +27 21 659 2000, email@example.com, www.eset.co.za