Take control of IT to reduce cyber-crime vulnerability
01 October 2013
With the ever-present integration of the Internet into day-to-day aspects of our lives, cyber-attacks are becoming all too common. Organisations need to act now to protect themselves, says Paul Gogarty, Cyber Security, Oil & Gas at ABB UK.
There have been several high-profile cases where cyber-attacks have led to security breaches affecting large organisations and in some cases even Government organisations.
It comes as no surprise that over the past 10 years, as the reach of the Internet has expanded, the level of threat to individuals and organisations from cyber-attacks has increased significantly. The increase has been so sharp that governments and organisations have joined forces to improve resilience against attacks and to mitigate the risks cyber-attacks pose to our economies.
The World Economic Forum (WEF) created an initiative called Partnering for Cyber Resilience, which commits signatory nations and organisations to work together to make themselves safer from cyber-attacks. The WEF initiative requires signatories to recognise the importance of cooperation, to develop risk management programmes and to encourage partners and suppliers to adopt the same commitments to tackling cyber security.
But what exactly does the term cyber resilience mean? It is the ability of organisations, and their systems, to withstand cyber-attacks, measured by mean time to failure and mean time to recovery. Measuring in this way sets two objectives: raise the level of sophistication required for an attack to succeed, and shorten the time between identifying an attack and resolving it.
A need for transparency
The number of nations and organisations keen to sign up to the WEF initiative shows a clear need for transparency: businesses that have been subjected to cyber-attacks should acknowledge what happened so that others can learn. This is something the Partnering for Cyber Resilience initiative aims to provide, but it cannot do so unless each signatory also makes solid commitments to bolster its own national cyber security capabilities.
As part of its Strategic Defence and Security Review, the UK Government has allocated £650 million over a four-year period to a National Cyber Security Programme to strengthen the UK's capacity to respond to cyber-attacks. The national programme also calls for a 'Cyber Information Sharing Partnership' with businesses, allowing government and industry organisations to exchange information and expertise on cyber threats in a secure and trusted environment.
While governments and business leaders are recognising and making changes to address cyber resilience through co-operation and collaboration, senior business management and systems management also have a role to play.
It is impossible to achieve 100% security against cyber-attacks. Even a system equipped with the latest array of security measures may still be vulnerable through the spiralling number of connections to the networks of suppliers, contractors and partners.
There is also an assumption, when talking about cyber security, that we are referring purely to enterprise-wide IT systems such as computers, servers and other network devices. We often forget that increasing use of industrial technologies also brings network connections to supplier networks for things like remote service, condition monitoring and troubleshooting of manufacturing equipment. Each of these connections to supplier or manufacturer networks poses just as much risk, yet they are typically brushed under the same cyber security umbrella as the company-wide enterprise IT systems, as if the concerns were identical.
This is not the case. Industrial automation and control system (IACS) networks have moved on from their standalone, isolated operation and now face their own cyber-attack vulnerabilities. Even isolated IACS systems with minimal network interaction with third-party suppliers, manufacturers or partners still have to contend with attacks introduced via portable computers, memory devices and unauthorised software installations, or with deliberate attacks by insiders.
An attack on control system IT could therefore have a more serious effect on an organisation than an attack on its company-wide enterprise IT systems.
For company-wide enterprise systems, the key priority should a cyber-attack occur is to protect data confidentiality, followed by the integrity of the system and lastly the availability of information to authorised network users. For an IACS network the priorities are very different: availability of the process is critical, closely followed by integrity, with confidentiality of information coming last.
A disconnect in response
Why does such a disconnect in response to a cyber-attack exist within organisations? The answer lies in the structure of the enterprise IT and control system IT functions: the enterprise IT department is assigned responsibility for the entire organisation's cyber security, and its criticality priorities are geared towards the resilience of enterprise IT systems.
Control system IT departments are responsible for the safe and continuous running of the production process and often have no cyber security expertise, because IACS networks were traditionally isolated. This leaves the control system IT department extremely vulnerable to cyber-attacks, while the controls are owned by an enterprise IT department that often does not understand the differences and complexities of IACS networks and is unsure how best to support them.
There is, therefore, a need for both functions to build bridges across the differences between IACS engineers and IT professionals, so that both groups learn to speak the same language and recognise that, while IACS networks are vulnerable to cyber-attacks, they simply cannot employ every security measure a corporate network would use. Alternatives must be considered that give IACS networks the same level of protection against cyber-attacks as enterprise systems, while working within the control system IT department's criticality focus on availability.
Collaboration that balances the need to ensure IACS availability with the need for sufficient company-wide protection and risk mitigation against cyber-attacks is required in order to define and implement cyber security plans that will:
* Increase plant and community protection.
* Reduce potential for system and plant disruption.
* Better manage the risk of cyber-attacks.
* Lower detection, containment and recovery costs from cyber-attacks.
* Provide a solid foundation for a comprehensive, robust cyber security strategy.