Such is the prevalence of cyber attacks that all companies are at risk. There’s a higher than average likelihood of being hit if a company holds digital data on customers and – not surprisingly – in those businesses where senior managers fail to prioritise cyber security. As Paul Darby explains, organisations for whom online services are not seen as core to their business are also more vulnerable.
Last April, the Government announced that almost half (46%, in fact) of all UK businesses had been hit by a cyber breach or attack in the past 12 months. The Cyber Security Breaches Survey 2017 found that nearly seven in ten large businesses identified a breach or attack, with the average cost to those firms over the year being £20,000. In some cases, that total reached millions.
Manufacturing, engineering and utilities companies are slowly coming to the realisation that what they had previously considered to be entirely secure and separate Control Rooms and networks can be breached by something as simple as an Internet of Things-enabled coffee machine being connected mistakenly to the internal network instead of to an isolated Wi-Fi connection. This happened recently at a chemical engineering plant which, it’s thought, was then infected by the now notorious WannaCry ransomware.
Industrial organisations from factories to power plants prioritise availability above all else. Operating technology (OT) is designed to run constantly because any interruption could lead to serious production delays and onerous financial implications. OT is traditionally open and robust and very much built for safety because engines, motors and processors present a physical risk to operators.
Conversely, IT is less concerned about physical safety and much more worried that a breach of computer networks could wipe out essential data or otherwise allow hackers to gain access to sensitive control systems.
Clearly, a balance needs to be struck between ensuring uptime and guarding against the risk of cyber attack. As OT and IT systems continue along the convergence path, this becomes an increasingly urgent matter.
No longer immune
The industrial sector can no longer think of itself as being immune, or somehow less appealing to hackers than banking or the commercial sector. These attacks are motivated not just by money, but also to cause the maximum amount of disruption. What could be more appealing to a rogue nation state than shutting down a vital production line, disrupting a water supply or turning off the power to an entire city?
An alarming and increasing number of incidents prove the point. In July last year, The Times reported that senior engineers at the Electricity Supply Board, which serves both Northern Ireland and the Republic, were sent e-mails containing malicious software. The intention was to infiltrate control systems in order to take out part of the electricity grid.
News reports last year also highlighted how hackers broke into a water utility company’s control system and altered the levels of the chemicals being used to treat tap water. This was enabled by ageing operational control systems and log-in details that were stored on the front-end web server. While there’s no indication that the attackers understood how the flow control system in the company actually worked, this didn’t deter them in the least from modifying application settings.
Meanwhile, breaches that are financially motivated continue apace. The same WannaCry attack, which seriously affected NHS systems back in May (and prompted the coffee machine incident), then went on to cause disruption at Nissan’s production plant in Sunderland and later at Honda, where production was halted in Tokyo for an entire day.
Work of nation states
While it’s challenging for those operating outside of intelligence organisations to be able to categorically deny or confirm from where an attack originates, there have been a number of claims that the WannaCry ransomware was the work of a nation state. Recently, Ben Wallace (the Minister of State for Security) also added weight to this claim by stating that the UK Government believes “quite strongly” that the attack came from a foreign state.
What all of these incidents indicate is that, even with traditional endpoint and perimeter security in place, it takes only one phishing e-mail to be opened, one vulnerable application to go ‘unpatched’ or one set of log-in details to be out of date and the entire network is wide open for cyber criminals to exploit. With nation states sponsoring the development of advanced cyber tools and techniques, traditional security infrastructures can be easily breached.
Both WannaCry and Petya malware attacks spread quickly and have also been attributed to nation state-sponsored hacking. Major – and some not so major – powers employ networks of highly-trained and very capable computer hackers to probe the defences of other nations and/or develop advanced attack tools. Many of these tools have made it far easier for less talented hackers to launch more sophisticated attacks, in turn accelerating the obsolescence of traditional security measures.
The explosion in the availability of tools, combined with the increasing frequency of attacks against systems run by engineering, industrial control and utilities companies, signals the point at which we’re entering a new era of critical breaches and vulnerabilities beyond anything imagined by most of today’s Chief Information Security Officers.
Present day Ukraine
Ukraine has suffered repeated blackouts, including one blamed on a sophisticated cyber attack which left no fewer than 700,000 homes without water or electricity in the coldest months of winter. This occurred for the second year in succession.
After investigating, the Ukrainian authorities blamed Russia, a country with which Ukraine has been in conflict for years, although Moscow has denied any involvement. The hack affected power company networks and eventually compromised a VPN used for remote access, including the highly specialised industrial control software that affords operators remote command over equipment like circuit breakers.
It’s exactly this type of national cyber campaign that has led our own Department for Digital, Culture, Media and Sport to launch a consultation exercise which is designed to make Britain’s essential networks and infrastructure safe, secure and resilient against incidents of this nature.
One possible outcome of the EU’s upcoming General Data Protection Regulation could be financial penalties for those companies who neglect to implement effective cyber security measures. Currently, it’s reported that these penalties could reach millions of pounds, or up to 4% of global turnover. If organisations haven’t given appropriate consideration to the risks they face, implemented security measures and engaged with competent authorities, then they’re likely to be fined if attacks prove successful.
Certainly, our Government’s five-year National Cyber Security Strategy does compel essential infrastructure service providers to evaluate and address their security systems. Any network, system and server vulnerabilities will need to be thoroughly assessed and members of staff educated or trained to enforce strict rules. Unwittingly, staff can be a weak link in the security chain as the WannaCry ransomware and NotPetya attacks so clearly illustrated.
Zero trust approach
Nation state-sponsored attacks bring with them an added layer of complexity. Cyber espionage is notoriously difficult to deal with because the enemy is unknown and, when that enemy’s also hidden by state assets, this makes the likelihood of detection even more doubtful.
Organisations will find it hard to trust anyone, which means that until there’s a more reliable method for identifying attackers, the only way in which to deal with today’s threats is by adopting a zero trust approach.
This is enabled by using powerful technology that delivers granular access controls to assets and programmes based on trust, earned through a number of key metrics. Trust should be measured across all devices, software, users and systems at all times.
Connections should be permitted only on the basis of having a deep knowledge of where a connection initiates from and where it’s going to, validation of relevant credentials and continuous monitoring to ensure that access is restricted only to approved assets.
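To make the connection rule in the last two paragraphs concrete, here is an added Python sketch (not from the article and not Vidder’s product) of a per-connection trust decision: the destination must be an approved asset, credentials must validate, trust is scored from device and user metrics rather than granted by network location, and the decision is re-run continuously so a live session is cut as soon as any metric degrades. The asset list, roles and scoring weights are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    device_id: str
    managed: bool    # enrolled and inventoried by the organisation
    patched: bool    # software up to date

@dataclass
class User:
    user_id: str
    credentials_valid: bool   # e.g. MFA passed and password not expired
    roles: set = field(default_factory=set)

# Constructed approved-asset list: destination -> roles allowed to reach it.
# Anything not listed (a stray IoT coffee machine, say) is never reachable.
APPROVED_ASSETS = {
    "hmi-circuit-breakers": {"ot-operator"},
    "historian-db": {"ot-operator", "analyst"},
}

def trust_score(device: Device, user: User) -> int:
    """Trust is earned from several metrics (assumed weights), not by location."""
    return 40 * user.credentials_valid + 30 * device.managed + 30 * device.patched

def authorize(device: Device, user: User, destination: str, min_trust: int = 70):
    """Admit one connection only if the destination is approved, credentials
    validate, the role is permitted for that asset and trust clears the bar."""
    if destination not in APPROVED_ASSETS:
        return False, "destination is not an approved asset"
    if not user.credentials_valid:
        return False, "credentials failed validation"
    if not (APPROVED_ASSETS[destination] & user.roles):
        return False, "role not permitted for this asset"
    if trust_score(device, user) < min_trust:
        return False, "trust below threshold"
    return True, "allowed"

def monitor(snapshots, destination: str):
    """Continuous monitoring: re-evaluate the live session against each new
    (device, user) snapshot and terminate at the first failed check.
    Returns the reason recorded at every check, ending with the cut-off."""
    verdicts = []
    for device, user in snapshots:
        ok, reason = authorize(device, user, destination)
        verdicts.append(reason)
        if not ok:
            break
    return verdicts
```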
With the cloud computing revolution firmly underway, companies are introducing more devices to take advantage of remote access to their systems. While this makes access easier for remote employees, it also means that data is potentially being delivered across unsecured networks, or through a VPN that grants direct access to the network. The net result can be the exposure of valuable information.
Paul Darby is Regional Director (EMEA) at Vidder