Cyber security requires buy-in at all levels

06 September 2016

Cevn Vibert explores the changing face of cyber-attacks and explains why security needs to be a priority throughout the industrial IT supply chain.

In 2010, the industrial IT industry received a wake-up call in the aftermath of the Stuxnet attack. For a period, the sector was looking over its shoulder and evaluating the risks. However, Stuxnet quickly became the stuff of folklore. The common – but incorrect – story of how it spread via infected USB drives quickly became an accepted truth. Many businesses, regarding themselves as not politically or strategically important – like the original targets of the attack – so assumed they were safe. In reality, however, the threat to industrial control systems has never been closer.

Today many still understand little of the stuxnet legacy and, worse, others believe the myths surrounding its origins. Stuxnet has been dismissed by many as an anomaly, caused by the use of infected USB drives. The reality is much more frightening, or at least, it should be. To get their weapon into the plant, the attackers launched an offensive against the computer systems owned by a number of different companies. The significance of these companies? They were involved in industrial control and processing of some sort, either manufacturing products and assembling components, or installing industrial control systems. They were all chosen because they had some connection to the target company and provided a gateway through which to pass Stuxnet. Researchers now know that the sabotage-oriented code used supplier businesses as Trojan horses, making indirect attacks a reality. 

Even those who know the real origins of the Stuxnet attack believe it to be a rarity and that other cyber-attacks on industrial control systems are not capable of causing significant damage.  In reality, cyber-attacks can trigger catastrophic results, but these events are rarely publicly disclosed. More recently there have been attacks on the Ukrainian Power Grid, a number of oil and gas networks, a German steel foundry and an undisclosed water treatment site. However, these are only the attacks which achieved news coverage, and are likely to be just the tip of the iceberg.

Cyber attack increases
In 2014 cyber-attacks increased by 48% – half of these were on industrial control systems. Crucially, these are only the statistics for the reported cases, most of the attacks on operational technologies in the past 20 years have not been reported, which means that exactly how attackers interact with industrial control systems is still unknown. While the hacking of industrial control systems, including SCADA systems, has been commonly associated with causing physical damage, there are a growing number of hackers targeting them for economic gains, or kudos, and, while many businesses know what to do with office network attacks, they are less sure when it comes to industrial cyber systems. 

Security incidents are not necessarily caused by external factors, they may also originate from inside an organisation – either deliberately or accidentally. Regardless of the intent or originator, a cyber security issue can lead to loss of revenue, significant downtime, accidental contamination, late delivery charges from clients and damage to brand integrity. Crucially, every manufacturer also has unique assets and recipes it must protect to remain competitive and a cyber-attack, whether deliberate or not, will put these assets in danger. 

The first step towards protection is to understand the real risk-impacts and, for many manufacturers, this means letting go of long-held misconceptions. Firstly, air-gapped computers are not the answer. Although in theory, the idea of creating a physical gap between the control network and the business network, sounds like it would provide protection against hackers, it is simply not enough. Likewise, manufacturers who claim that their industrial control systems are not connected to the Internet, need to look again. The reality is that the average system will have 11 direct connections to the Internet, putting it at risk of a breach. 

Similarly, although firewalls offer a degree of protection, they are far from impenetrable and most are set to allow ‘any’ traffic on an inbound service. One survey found that almost 70% of firewalls permitted machines outside the network perimeter to access and manage the firewall.

What can be done?
So what can be done? Firstly, it is important to rethink your approach to security. We can no longer hide behind the belief that hackers do not understand industrial controls systems and SCADA. One single action is not the answer; companies need to take a more holistic approach. Security needs to be layered and multidimensional.

Firstly, work with your own people to educate them about the ways in which the organisation and they, as individuals, may be targeted directly or indirectly. Training is key and should not be limited to the IT department.  If you equip any operative with a device on the shop floor, they need to be made aware of the risks that come with using that device. Reward security conscious behaviour such as finding rogue USB keys or assisting others in avoiding phishing attempts and create a security savvy culture across your business. 

Next, companies should examine their processes. Having the correct processes in place to help control the health of an industrial control system is key.  For example, the IT department maybe perfectly competent at managing the updating of systems within the corporate network, but it requires specialist skill to complete something like an antivirus or firewall update within the industrial control system. 

The solution does not lie in one piece of software of technology, but rather in continual improvement. SolutionsPT takes an approach that centres around eight simple steps, the ‘stairway to security’ – scope, consult, design, educate, deploy, monitor, integrate and defend. These steps alone will not take you to a final destination. They need to be repeated. First, define the scope of the problem by conducting an audit, consult with your team and review existing operations and threats. This insight can then inform the design of everything you put in place internally, from network architectures and operational procedures to team briefings. This information can then be cascaded down through the organisation via education and training, before deployment, thorough testing, monitoring and a focus on full integration with all existing systems.  

Finally focus on defence, not just security. Conduct trials and tests, challenge your own solutions. The threats and threat actors are constantly evolving, so our responses need to do the same. New solutions are being developed. Many are good, but all will fail without buy-in from the top down. 

Cevn Vibert is an industrial cyber security evangelist at SolutionsPT.

Contact Details and Archive...

Print this page | E-mail this page