Protect physical assets from cyber attacks
Recent cyber attacks have disabled and even closed physical assets. Strong basic security and personnel trained to recognize an attack can help mitigate the threat, as ABB’s Rob Putman explains.

Edge Devices and Data Analytics

As cybersecurity specialists, we must navigate an ever-changing threat landscape made even more complex by the increased interconnectivity between Operational Technology (OT) and Information Technology (IT), as businesses seek to leverage edge devices and data analytics, as well as remote connectivity, in the wake of the COVID-19 pandemic. As the threat surface evolves, the industry must guard against attacks on key physical infrastructure, carried out by a range of malicious actors, including nation states and blackmail criminals.

Chemical industry a high-value target for cybercriminals

In 2017, shortly after a ransomware attack that targeted Maersk, the world’s largest corporate carrier, made the news around the world, another cyberattack, this time targeting physical industrial assets, made fewer headlines but could have resulted in both real and financial damage. Cybercriminals view the chemicals industry as a high-value target, due to the potential cost, both financial and reputational, to the operator if production is interrupted or completely halted.

Cyber Security Vulnerabilities Put Physical Assets At Risk

The attack in question, a custom “Triton” malware attack on a petrochemical facility in Saudi Arabia, targeted a security system, taking control of the system’s controllers. Bugs in the code triggered an emergency shutdown, but the attack could have led to the release of toxic and explosive gases. It was a vivid reminder of how cybersecurity vulnerabilities increasingly put key physical assets of companies at risk. Two more recent and high-profile incidents illustrate my point. In February, a Florida water treatment plant was hacked.
The malicious actor remotely accessed the system for three to five minutes, during which he opened various functions on the screen, including one that controls the amount of sodium hydroxide (NaOH) in the water. The hacker increased the NaOH from about 100 parts per million to 11,100 parts per million, which could have resulted in mass poisoning.

Colonial Pipeline Cyberattack Incident

Then, in May, the Colonial Pipeline system, which originates from Houston, Texas and carries gasoline and jet fuel, suffered a ransomware attack. Using a VPN, hackers targeted back-office computer systems, forcing Colonial to shut down computer hosts and network infrastructure, severing communication with the OT systems responsible for communicating “transactional data” associated with fuel delivery. In this case, a single compromised password disrupted Colonial’s ability to bill its customers. This dependence on OT data halted the pipeline and business operations, and the company chose to pay the hackers an initial ransom of US$4.4 million to restore operations. The Colonial attack was multidimensional, in that it impacted not only Colonial’s operations, but also the wider U.S. economy and national security, as the pipeline carries nearly half of the fuel supplies of the East Coast.

Obsolete IT System Increases Physical Risk

As mentioned at the outset, the increased interconnectivity between IT and OT can also create vulnerability. Producers often want to know: is it risky to connect a production asset or their operating environment to the cloud? My answer is that if you do it without having performed risk audits on people, processes and technology, or without improving and maintaining that environment, then yes, it is risky. For example, we often observe that the life cycle of a production asset far exceeds that of the computer systems that are used to run it.
Take a cement kiln. Several generations of factory operators may have passed, but this asset can still work, using legacy software such as Windows XP. And why not?

Need to Replace Aging Distributed Control Systems

Well, that’s fine, if you don’t worry about that asset being compromised, and all that that entails. A “flat” computer network, an aging distributed control system, and machines with legacy versions of Microsoft Windows, all of which are still commonplace in many industries, allow attackers to find and infiltrate a business a lot more easily, without the need for tools. The age-old mantra of not interfering with equipment or software that seems to work often applies to individual assets. Take, for example, the cement kiln that is still controlled by the same control software based on Windows XP. However, if we’re being honest, things have changed quite a bit, not because something was broken, but because innovation has happened. This same kiln control system is most likely connected to more systems than when it was first put into service, and this opens it up to exposure to threats for which it was never intended.

The Human Element

There is a misconception that IoT-connected devices can put businesses at risk, but many recent and high-profile cyber attacks have been carried out from a laptop computer, by hacking someone’s VPN, or are a simple phishing or malware attack. In all of these cases, the human element is partly to blame. Take the attack in Florida. The compromised computer at the water treatment facility was using an outdated Windows 7 operating system and the staff were all using the same password to gain remote access through the TeamViewer app, which the hacker was then able to use.
Physical and human assets, the key to robust cybersecurity

The discussion of how best to mitigate the threat often hinges only on specific technical solutions and ignores the fact that strong basic cybersecurity is actually driven by two types of capital: physical assets (e.g. production machinery) and human assets. The truth is that smart digital software and industry-leading cybersecurity applications, while critical, are in many cases only as good as the weakest human link in the chain. So the industry would do well to ask itself the following question: do we have a security problem, or a complacency problem? At this point, it is important to stress that the majority of companies with which ABB works are at least aware of the threat posed by cyber attackers and the potential impact of an attack on their revenue, reputation and bottom line.

User errors and human-induced exposures

However, most of these attacks do occur. These human failures are usually not due to malicious intentions on the part of employees, but to the lack of training of employees on secure behaviors. It is vital to ensure that personnel are aware of the threat and to train them to react correctly, if they are targeted. However, age demographics are also at play here. Much of the operations employee base is headed for retirement and often there is no plan or capacity to replace these people.

Need to invest in new digital and automated technologies

If you think you don’t have enough staff now to stay on top of the basic care and feeding of the OT environment with regard to security, what will it look like in 20 years? For this reason, there has to be a major industry reset when it comes to its workforce.
Businesses need to invest in new digital and automated technologies, not only to ensure they stay ahead and mitigate risk, but also to attract the next generation of digitally trained talent.

Robust cybersecurity is built on solid foundations

When we talk about fundamental cybersecurity, we mean the fundamentals, such as patches, malware protection, high-fidelity system backups, an up-to-date antivirus system, and other options, such as application allowlisting and asset inventory. These basic checks can help organizations understand their system configuration and potential threats, identify vulnerabilities, and assess their risk exposure. The Pareto principle states that about 80% of consequences come from 20% of causes. In the context of cybersecurity, this means that 80% of risk exposure comes from 20% of the lack of security. If companies do the fundamentals right, they can manage a significant portion of this risk.

Importance of Maintaining and Upgrading Security Controls

However, having basic security controls in place, such as antivirus software, is only the first step on this journey. Equally important is having someone within the organization, with the required skills or the extra manpower bandwidth, to operate, maintain and update these security controls as they arise and as they evolve. Education, training and recruitment of existing employees and the next generation of talent, as well as forging partnerships with trusted technology providers, will enable the industry to take advantage of the latest digital technologies, in order to generate business value and secure physical assets against cyber attacks.