Are you vulnerable to attack?

20 June 2017

According to Derek Burton too many of industrial systems remain unnecessarily vulnerable to cyber attacks.

The recent WannaCry cyber-attack that hit UK hospitals and continued to creep across industries in almost 100 countries is a reminder to all who are operating critical systems of the need for robust security strategy. 

The biggest threat to UK systems isn’t the hackers, it is the lack of ongoing oversight and review by organisations providing critical services. In the same way that many NHS systems were affected as a result of operating out-of-date systems, it is likely that most industrial control systems are highly vulnerable to attack. 

The recent attack gives a glimpse of what could happen if other critical systems went down across the country. What might happen if areas such as energy or water supplies were hit? Cyber security is a relatively new concept in the world of industrial automation and control systems used to manage such life-essential areas. Most systems were installed without considering cyber security. There are a lot of systems out there that are older legacy systems. Cyber attacks were the furthest thing from anyone’s mind when they were developed and installed. 

The bad news is that the patch created for the WannaCry ransomware probably hasn’t been applied to many computers that are part of industrial control systems. Even worse, some computers that form part of industrial control systems are likely to be running very old versions of Widows that may not be able to be patched.

Some companies simply don’t keep up with the necessary fixes that are developed to protect them. Some organisations are leaving themselves unnecessarily vulnerable to attack. The ransomware that hit the NHS had a fix developed for it in March, but it managed to get through to numerous unprotected systems. 

The Health and Safety Executive (HSE) recently issued guidelines for operators of major hazard workplaces to ensure they are managing cyber security appropriately. Inspectors will be visiting all such sites across the UK to ensure they are taking the steps needed to protect their sites from cyber threats.

This guidance offers a way to ensure organisations are protected where cyber-security could pose a major accident risk to the health and safety of employees, members of the public or the environment. However, these inspections don’t cover the protection of critical infrastructure, such as utility networks, process plants or manufacturing systems. 

The Cougar Automation cyber-security team recommends that organisations providing goods and services critical to the daily lives and working of the UK take steps immediately to ensure they are safe, including:

• Identify all computers in their industrial control system that are running Windows operating system.
• Apply the security patch (and any other missing security patches) to computers running Windows versions new enough to be patched.
• Unless they are critical to your ongoing operations, immediately shut down any machines running older versions of Windows that cannot be patched until they can be upgraded to secure versions of Windows.
While these actions will protect against this specific threat, and increase security in general, it is vital that all operators of industrial control systems put in place ongoing security against the wide range of evolving threats they faced. The good news is that there are ways to protect systems easily and reduce network vulnerability.

Derek Burton is company leader at Cougar Automation.

Contact Details and Archive...

Print this page | E-mail this page