Lured by the promise of greater efficiency and better margins, businesses are seeking to join computers with machinery, in a corporate version of the Internet of Things (IoT). As operations technology (OT) in utilities, factories and transport goes online, the threat of cybercrime is becoming a potential threat to many businesses.
The question is: what are we going to do about it?
Cybercrime on an industrial scale
Major cyber attacks against critical industry are rare occurrences, compared to the steady stream of credential and payment breaches that fill the headlines of computer journals.
Even so, most will have heard of Stuxnet, which targeted Iranian nuclear plants in 2010, tampering with the speed of the centrifuge to set back the country’s nuclear programme. It took two years until US president Barrack Obama admitted to having ordered the attack, having developed the tool in collaboration with Israel under mutual suspicion of the Islamic republic.
The malware targeted a particular model of Programmable Logic Controller (PLC) from Siemens, leaving infected machines untouched otherwise. Despite the widely held view that only a state could have funded such sophistication, the vehicle for the attack was as basic as a USB falling into the hands of an unsuspecting worker.
That combination of simple tactics with devastating results has made industrial cybersecurity a serious concern for IT managers. David Hatchell, director of global critical infrastructure at Intel Security, told CBR: "The increase in threats [on the industrial control system side (ICS)] is not just from vulnerabilities, but it also comes as nation states start to look at this problem and become able to penetrate the lower levels of the process control network – that is a lot scarier."
It’s not merely employee naivety that cybersecurity has to defend against. In the wake of Shellshock, a flaw with the Bash command line common to Mac, Unix and Linux systems, fears arose that it would be difficult to patch older systems. Joe Hancock, cyber security specialist at insurance firm AEGIS London told CBR: "Many embedded devices are not designed with regular updates in mind and will never be able to be patched."
Content from our partners
In the wake of the bug, Intel partner Siemens had to hastily release updates for some of its industrial products. If left unfixed, the bugs would have allowed hackers to remotely execute code via a networking protocol, and escalate privileges on its application engineering tool.
As that incident proved, vulnerabilities and attacks can lie unseen for a long time. As one manufacturer told Hatchell: "My biggest concern is if something compromises my process which increases the degree of rust potential in that automobile. That would be a defect which we’d find three to four years later."
Bringing the IT to the OT
As with regular IT systems, the response to industrial cyber threats has to be layered. Adrian Clarke, EMEA principal consultant for cybersecurity at Schneider Electric, told CBR that his company used endpoint protection from McAfee, backup tools from Symantec and centralised authentication from Microsoft to secure its operating environments.
"It’s not just saying: ‘We have Active Directory, that’s enough,’" he said. "It’s not just saying ‘Let’s have a firewall, we’re protected.’ You’ve got technologies there, and they’ve been configured, and they’re all complementary."
Intel Security are also advocates for defence in depth, but for Hatchell the biggest challenge for industrial cybersecurity is lack of guidance. "It’s understanding and articulating the risk at board level to get funding to look at the technologies, in addition to understanding the changes in products and processes you have to impact," he said. "That’s what’s really important."
He added that international standards beginning to come together in various regions were also helping companies tackle the problem. The US Department of Homeland Security even runs an ICS working group that provides free seminars for the industry. The threats may be looming large, but it seems the solutions are as well.
