Industry urgently needs to implement robust cyber security strategies
- Criminals infiltrate industrial networks relatively easily
- There is an urgent need to secure operational environments
- ABB Ability™ Cyber Security Workplace (CSWP) simplifies security monitoring
A common misconception is that both cyber attacks and cyber security controls are sophisticated and complex. “In fact, the methods criminals use to infiltrate industrial networks are often relatively straightforward,” warns Charles Blackbeard, Business Development Manager, ABB Ability™ Digital Solutions.
Therefore, it follows that protection measures also often do not need to be overly convoluted, especially when implemented in line with a defined strategy based on a risk assessment and managed by a user-friendly application that enables everyone to be part of cyber security efforts.
Cyber criminals may gain access to a facility through insecure remote login software by exploiting disclosed vulnerabilities in the software or sending phishing emails to employees, who open them on a system connected to the plant network. Attackers may then take control of the mouse on an individual workstation and perform malicious tasks undetected in the guise of a control system engineer performing their typical job but remotely.
“While controls such as patching, malware protection and system backups offer essential protection from cyber-attacks, they need a solid foundation,” stresses Blackbeard. Suppose an industrial system is built on a poorly designed, indefensible network, where all devices are separated from the internet by a single firewall. In that case, additional risks are added to the mix and may even offset the benefit from the implemented security controls.
Combining this with an ageing distributed control system relying on unsupported Windows computers makes it much easier for attackers to find and infiltrate the operation without using sophisticated methods.
Implementing and maintaining even the most basic security controls upon a solid architecture significantly reduces the risk of being compromised. Over time, when the assessed threat changes, one may need to add more security to stay ahead and aligned with the company’s strategy and risk appetite.
According to the SANS 2021 OT/ICS Cybersecurity Report, 48% of organisations surveyed did not know whether their industrial control system (ICS) had been compromised. “That statement by itself is rather disturbing, but even more so when coupled with the evidence that most systems already are or have been compromised,” highlights Blackbeard.
This illustrates that the urgent need to secure operational environments is matched only by the need for cultural change. Leadership must understand and support OT cyber security efforts and instigate an organisational cultural shift to prioritise training and action. “Without culture and behavioural change, it is unlikely that any investment in technology or software will lead to long-term protection,” argues Blackbeard.
Ransomware attacks carried out by criminals for financial gain account for around eight out of ten attacks. Industrial companies are viewed as easy, high value targets whose OT systems may be outdated, unprotected and exploitable, maybe even via the internet, making an attack even easier.
“The question industrial companies should be asking is not ‘Can I afford to implement a cyber security strategy?’, but rather ‘Can I afford not to?’” points out Blackbeard. Viewed in terms of business criticality, protecting internal systems from hackers is now a business priority, particularly when it comes to critical public infrastructure such as electricity or fuel and water supplies.
Defining ROI from cyber security is never easy, because you are effectively buying risk insurance, rather than tangible increases in revenue and production. However, companies are increasingly aware that security is not just about protecting critical assets: It is also about answering to investors and protecting their right to operate by complying with international best practices and standards.
Keep in mind that the yearly cost of implementing a robust cyber security strategy and controls –which can be upgraded to respond to evolving threats to OT production assets – in partnership with a trusted service and technology provider works out far less than the cost of an insurance policy. A well-implemented cyber security strategy may reduce the insurance premium to fund these cyber efforts partly or fully.
Operators can seamlessly monitor the status of basic security controls such as patching, malware protection and system backup, perform standard security tasks and receive alerts with actionable insights to remediate weaknesses and reduce risks – all from a single, easy-to-use dashboard.
This makes maintaining your cyber security easier, quicker and, critically, less daunting. CSWP is scalable, meaning it can be updated with new security features to keep up with evolving threats and support regulatory compliance without a lengthy learning curve. For example, an industrial plant may have McAfee malware protection software, Windows Server for patching and separate software for backup, all of which can be complex to operate and maintain.
CSWP makes this both standardised and configurable and consolidates all security controls into one view so that staff do not have to access multiple applications. Equipping front-line workers with the tools to secure the operational environment also reduces labour and operating costs.
Another feature requested by many is the power to isolate the OT and IT environments by a click of a button and prevent IT network intrusions and external actors from affecting the OT systems and potentially harming people, assets or the environment. CSWP also reduces the risks associated with remote access by managing user accounts and authentication, notifying staff when someone remotely accesses the systems, and letting operators activate and terminate remote sessions at will.
REFERENCE
‘Shifting Behaviors – How to make everyone guardians of Cyber Security’
