The seriousness of computer attacks on industrial control systems is becoming increasingly apparent. Appropriate countermeasures are essential for the safety of assets and people.
The modern history of cybercrime against ICS (Industrial Control Systems) and critical infrastructure (energy production and distribution, utilities, transport networks, military sites, banks, territorial, health and agricultural infrastructure) began roughly 20 years ago when, with the standardization of connectivity for industrial control systems, IT-OT (Information Technology-Operational Technology) convergence began to take shape: the joining of corporate computer networks and plant-floor networks.
Since then there has been such a long succession of incidents of varying magnitude that it is difficult to keep track of them all. Some made headlines. In 2007, strained relations between Russia and Estonia were followed by a massive wave of DDoS (Distributed Denial of Service) attacks against the Baltic republic; banks, government bodies and national media were disrupted for several weeks.
In 2010 came the "discovery" of Stuxnet, a worm widely attributed to the US and Israeli governments and designed to sabotage the uranium enrichment centrifuges at Iran's Natanz facility.
And more: Shamoon (wiper malware whose variants, from 2012 to 2018, hit oil & gas companies such as Saudi Aramco and Saipem), Havex/Oldrea (a 2014 remote-access trojan that enumerated OPC servers and opened the door to remote attacks on strategic ICS hosts), Irongate (malware that surfaced at the end of 2015 and could sit between SCADA software and field devices, tampering with the communications between them), BlackEnergy and CrashOverride/Industroyer (malware used against the Ukrainian power grid in December 2015 and December 2016), Mirai (a botnet that in 2016 enslaved over 500,000 IoT devices such as webcams, thermostats and lighting controllers and used them for DDoS attacks), WannaCry and NotPetya (ransomware-style malware that in 2017 paralyzed parts of the UK National Health Service and several multinationals). Finally, Triton (also known as Trisis), a new generation of malware discovered in 2017 that was built to tamper with Schneider Electric Triconex safety instrumented systems used in the energy sector.
Defense strategies
It has long been thought that Safety Instrumented Systems (SIS) were unrelated to cybersecurity because they are independent from the basic process control system. Unfortunately, that is not correct. Cybersecurity can have a significant impact on the availability and reliability of a SIS. Moreover, in 2016 the global functional safety standard IEC 61511 was updated with two new cybersecurity requirements. The first requires a "security risk assessment" to identify the cyber vulnerabilities of the SIS. The second requires that the design of the SIS provide the necessary resilience against the risks identified.
What's more, with the growing convergence of Information Technology (IT) and Operational Technology (OT), attackers keep looking for new ways to find even the smallest vulnerability in industrial systems. Securing plants and facilities is therefore an ongoing process that requires proper design of the OT network and of the cybersecurity services around it. Let's look at the defensive strategies that can be deployed.
Digitization
While industrial digitization brings many benefits, the cybersecurity risks that come with it must also be considered. The good news is that, with proper design, manufacturers can avoid cyber-related disruption or data theft. Remaining disconnected from the network is not a realistic option, since the benefits of digitization and Industry 4.0 cannot be ignored.
Stay online
Even systems that are not connected to the Internet have vulnerabilities that can be exploited with simple, low-cost devices, such as a USB flash drive carried inside the plant or a Raspberry Pi that scans local Wi-Fi networks. Isolation is therefore not a substitute for defence: it is better to protect the plant by keeping its systems connected in a controlled way and continuously monitoring their network connections.
Understanding the risk
No company is completely safe, but several strategies significantly reduce the risk, and other countermeasures reduce the impact of an attack that does succeed. Recovery action plans and procedures should be part of an installation's normal operating procedures.
Asset visibility
Every business needs an up-to-date inventory of its assets in order to gain visibility. Many networked industrial systems have grown over time and may not have been designed to today's standards, or may rely on technology that is now obsolete. You also need to know the characteristics of the OT network and monitor its traffic.
Protecting the OT Network
To be protected from cyber risk, the OT network must be fit for purpose. Systems that rely on technologies no longer supported by their vendors should be replaced, operating systems should be updated, patches should be applied, and vendors should be monitored to see whether they are fixing vulnerabilities through software updates. It is also worth considering consolidating plant assets on a virtualized platform.
Best practice
Managing the key factors of visibility and security should make your business much more resilient, but staying protected requires a continuous approach. Putting simple patch update processes in place, verifying device additions and removals on the network, and regularly assessing vulnerabilities should be normal, systematic practice.
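The asset visibility and best practice sections above both come down to one recurring check: reconcile what the inventory says is on the OT network with what is actually observed there, and flag anything that has been added, removed, moved or is past vendor support. The following is an added example written for this page, not code from the original article or from any vendor product. The asset inventory, the passively observed hosts and the vendor end-of-support dates are all constructed for illustration; a real deployment would feed the same function from a CMDB export and from a passive sensor on a SPAN port, and the role-to-protocol policy is an assumption you would replace with your own.

```python
"""Reconcile an OT asset inventory against passively observed hosts.

Added example (not from the original article). All records below are
constructed: the MAC/IP addresses, roles, OS strings and end-of-support
dates are illustrative, not real plant or vendor data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Asset:
    mac: str
    ip: str
    role: str              # "plc", "hmi", "historian", "eng-ws"
    os: str
    eos: Optional[date]    # vendor end of support; None = still supported


@dataclass(frozen=True)
class Observation:
    mac: str
    ip: str
    protocols: frozenset   # protocols the sensor saw this host speak


# Assumed policy: which protocols each role is expected to speak.
ROLE_PROTOCOLS = {
    "plc": {"modbus", "s7comm", "arp"},
    "hmi": {"modbus", "s7comm", "arp", "dns"},
    "historian": {"opc-ua", "arp", "dns"},
    "eng-ws": {"s7comm", "arp", "dns", "smb"},
}

# Constructed inventory of a hypothetical plant cell.
INVENTORY = [
    Asset("00:1C:06:AA:00:01", "10.10.1.10", "plc", "Firmware 4.2", None),
    Asset("00:1C:06:AA:00:02", "10.10.1.11", "plc", "Firmware 2.0", date(2020, 1, 1)),
    Asset("00:50:56:00:00:20", "10.10.1.20", "hmi", "Windows 7", date(2020, 1, 14)),
    Asset("00:50:56:00:00:30", "10.10.1.30", "historian", "Windows Server 2019", None),
    Asset("00:50:56:00:00:40", "10.10.1.40", "eng-ws", "Windows 10", None),
]

# Constructed passive observations, e.g. from ARP and industrial-protocol parsing.
OBSERVED = [
    Observation("00:1c:06:aa:00:01", "10.10.1.10", frozenset({"modbus", "arp"})),
    Observation("00:1c:06:aa:00:02", "10.10.1.11", frozenset({"modbus", "arp"})),
    # HMI seen speaking SMB, which its role does not allow.
    Observation("00:50:56:00:00:20", "10.10.1.20", frozenset({"modbus", "arp", "dns", "smb"})),
    # Historian answering from a different IP than inventoried.
    Observation("00:50:56:00:00:30", "10.10.1.31", frozenset({"opc-ua", "arp"})),
    # Never-inventoried device (Raspberry Pi OUI) talking S7comm to PLCs.
    Observation("b8:27:eb:12:34:56", "10.10.1.99", frozenset({"arp", "s7comm"})),
    # The engineering workstation 00:50:56:00:00:40 was not seen at all.
]


def norm_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated MAC so sensor and CMDB formats match."""
    return mac.strip().lower().replace("-", ":")


def reconcile(inventory, observed, today: date) -> dict:
    """Return findings grouped by type; every finding carries the MAC involved."""
    inv = {norm_mac(a.mac): a for a in inventory}
    seen = {norm_mac(o.mac): o for o in observed}
    report = {"unknown": [], "missing": [], "ip_changed": [],
              "unsupported": [], "unexpected_protocol": []}

    for mac, obs in seen.items():
        asset = inv.get(mac)
        if asset is None:                      # device added without being inventoried
            report["unknown"].append((mac, obs.ip, sorted(obs.protocols)))
            continue
        if obs.ip != asset.ip:                 # moved, re-addressed, or spoofed
            report["ip_changed"].append((mac, asset.ip, obs.ip))
        extra = obs.protocols - ROLE_PROTOCOLS.get(asset.role, set())
        if extra:                              # behaviour outside the role's baseline
            report["unexpected_protocol"].append((mac, asset.role, sorted(extra)))

    for mac, asset in inv.items():
        if mac not in seen:                    # inventoried but silent: removed or failed
            report["missing"].append((mac, asset.ip, asset.role))
        if asset.eos is not None and asset.eos <= today:
            report["unsupported"].append((mac, asset.os, asset.eos.isoformat()))
    return report


if __name__ == "__main__":
    for kind, findings in reconcile(INVENTORY, OBSERVED, date.today()).items():
        for finding in findings:
            print(f"{kind:20s} {finding}")
```

Run daily against a fresh sensor export, the "unknown" and "ip_changed" lists are the device-addition check the text asks for, "missing" covers removals, and "unsupported" is the standing list of systems that should be replaced or isolated until the vendor supports them again.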
Emergency plans
It is important that your company is able to anticipate the consequences of a cyber-attack. Active, real-time threat detection, a disaster recovery and emergency plan, and adequate backup and recovery solutions are also key.
Competences
The cybersecurity skills gap has a profound impact on companies in every sector, exposing them to cybercrime. It is therefore important to seek out new talent and to rely on trusted partners to implement the right solution.