Managing Cyber Threats to Operational Technology
By Dr. Christine Izuakor - June 23, 2020
In the fast-paced and highly commercialized world of manufacturing, better automation creates a valuable competitive edge. The physical systems used in the industry, the machinery, and the manual processes have all become more automated since the first industrial revolution. Today, smart systems that use advanced technologies such as machine learning and integrated IoT control are creating a next-generation industrial environment often termed Industry 4.0.
Total automation means relying on the convergence of information technology (IT) and operational technology (OT) to run and maintain infrastructures in manufacturing, agriculture, telecommunications, and much more. Using Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) reduces the need for human intervention, and where human involvement is required, much of it can be done remotely. The benefits of this level of automation cannot be overstated. A fully integrated and automated system can be many times more efficient than one that relies more heavily on human support. As a result, the ICS market is expected to be worth $81 billion globally by 2021. Although such systems require an initial financial investment, the realized efficiency quickly offsets the cost. Total automation can also reduce concerns over health and safety. With less need for human intervention, the workplace of the future could be a cleaner and safer place for most people.
While these are great benefits, the reliance on a hyperconnected and internet-dependent system is not without its own risks.
The Significance of Cyber Security Risks in Newly Automated Operational Technology
Every extension of an interoperable system, and every extra link in the chain of automated operational technology, brings an extra vulnerability. For every new function of a connected world there is a new threat. When any system goes online, it becomes a potential target. Attackers are quick to find and exploit these vulnerabilities, and threats evolve almost as quickly as the technology to defend against them. A 2019 survey found that 74% of OT-reliant businesses had experienced significant IT security breaches in the preceding 12 months.
The sheer level of interconnection required for the amount of automation now available means that a breach in security could have catastrophic effects on all resources, exposing valuable, sensitive data and allowing malicious control over automated systems. Even more concerning is the idea that, unlike most industries that worry mainly about data leaks, when it comes to operational technology risks, safety can be impacted as well. In response to this critical need, the ICS security market alone is predicted to grow by over 12.7% by 2025.
There is no limit to the potential for automation in manufacturing and operational technology. With thousands of machines, pieces of equipment, robots, and devices keeping the industry running, anyone using up-to-date or emerging technology is at risk. In addition, the bigger the enterprise, the more attractive it is likely to be to an attacker, both in financial incentive and in potential for disruption.
The risks posed to an automated industry vary depending on the size and nature of its operation. Private industries such as large manufacturing plants are at risk of loss of earnings and all of the subsequent effects of a security breach. However, larger enterprises may be able to absorb an impact that a smaller business would not survive. The impact can also be more serious where critical infrastructure or essential supplies are interrupted. For example, a vulnerability in an automated water treatment plant or energy supply could have catastrophic and immediate consequences for the surrounding community. In another example, automated agriculture relies increasingly on ‘smart’ farms. A security breach here could affect food production, land use, animal welfare, and control of heavy machinery. Also, healthcare supply chains have come under intense scrutiny of late as demand for personal protective equipment has soared; a vulnerability that threatened already stretched healthcare provision could have serious ramifications.
Industries must prepare to address these risks, and there is a long way to go. The World Economic Forum’s 2019 Global Risk Report identified “Failure to adequately invest in, upgrade and/or secure infrastructure networks” as one of the most significant global risks.
A Look Back at Prior Operational Breaches
A security breach on an integrated IT/OT system can take many different forms. Being mindful of past issues can help companies understand the history of each breach, increase current understanding of cybercrime, and anticipate future challenges.
- The Stuxnet attack remains the poster child of industrial system attacks. The incident caused irrevocable damage to Iran’s nuclear program. Stuxnet was significant for many reasons, including the political nature of its target and provenance, the scale of impact, and the diversity of its effect on combined physical and cyber processes. It was the first truly digital weapon to destroy a physical target, potentially revolutionizing non-combat warfare.
- Industroyer was a 2016 malware attack against the Ukrainian power grid that cut energy supplies to much of Kiev. This was an important reminder that while the target may be industrial, the victims are often the people.
- Level One Robotics suffered an attack that resulted in a significant breach of sensitive data and intellectual property, carried out through industrial automation systems. As serious as data loss can be, had this attack reached its full potential and taken over control of automated processes, the results could have been far worse.
- The Triton attack occurred after hackers gained external control of the safety features of a Saudi power station, in what was considered one of the most potentially lethal cyber-attacks ever.
- The pipeline ransomware attack occurred in 2020 after a natural gas compression facility fell victim to an email phishing attack that escalated into far greater harm. The attacker was able to infiltrate the systems, move laterally throughout the company, and eventually cross from the IT infrastructure into the OT network. After infecting the devices with ransomware, the attacker took the organization's systems down for two days, resulting in considerable operational and financial losses.
The Consequences of Cyber Attacks Against Operational Technology
The Triton attack, in particular, shows how an operational security vulnerability can have almost limitless consequences, including a potential impact on human livelihood. It’s not hard to imagine how a malicious actor in control of a power station could cause tragedy on a national scale. A security breach in convergent control systems could mean:
- Loss of control and safety impact – Heavy automation combined with inadequate security protocols could pose an immediate threat to the health and safety of people in the affected areas when control of the system is lost.
- Financial impact – The effects of disrupted services often cascade. The immediate incident management costs to the enterprise, the indirect costs of disrupted service, and the shutdown and restart of processes all increase the financial burden on the victim organization. There’s also a potential loss of earnings, litigation fees, insurance costs, and additional damages.
- Disruption to operations – A serious cybersecurity breach in OT can destroy goods and supplies. This could impact the organization's ability to deliver on its mission.
- Loss of trust – A breach could result in lost reputation and trust from the public, clients, and investors.
- Critical infrastructure impact – Where the target is part of critical infrastructure, entire communities could be at risk of losing essential services and supplies.
- Data exposure – The loss of data in operational technology settings can expose industry secrets, intellectual property, classified information, and personally identifiable data on millions of people.
Growing Cyber Threats Impacting Operational Technology
Threats to cybersecurity are as varied as the technologies they target, and a chain is only as strong as its weakest link. No matter how secure a system may be, the most unpredictable vector of access is the user group. Cyber-threats come from people, and they come through people. Whether with malicious intent, through lack of knowledge, or sheer carelessness, it only takes one person to take an action that causes serious damage to OT.
Some of the most significant threats and vectors of attack include:
- Malicious insider threats: From small to large organizations, insider attacks have cost the economy millions. Insider threats are unpredictable and are driven by numerous motivations, such as financial gain or retaliation. Since an employee may already have trusted access to networks, they are able to insert malware or cause problems with greater ease.
- Ransomware: Cybersecurity Ventures estimated that businesses will be hit with a ransomware attack every eleven seconds in the next year. Furthermore, it’s estimated that these attacks carry a global price tag of $20 billion. From attacks against hospitals to manufacturing facilities, ransomware remains a growing concern.
- Human error: To err is human, and allowing malware into a network may be as simple as clicking a link, disclosing a password, or leaving an unattended device logged in. A careless act or omission is unpredictable, so a robust security plan must anticipate human error.
- DDoS: Distributed denial of service attacks against operational technology continue to disrupt businesses by restricting access to operational controls, sometimes bringing services to a standstill for extended periods of time.
- Advanced Persistent Threat (APT): APTs within operational technology settings are particularly concerning. This is an insidious attack in which intruders gain undetected access and spend time gathering valuable inside data and understanding of the systems before launching a targeted attack.
Mitigating Cyber Threats to Operational Technology
A robust, adaptable, and scalable security strategy can help address the cyber threat to OT, and should include:
- Security by design: Ensure robust security is inbuilt at every level of the ICS. This includes physical elements, such as machinery and employees, as well as digital. Updates and patches should be applied religiously throughout the system lifecycle. Also, networks for IT and OT infrastructure should be segmented and air-gapped where possible.
- User and Entity Behavior Analytics (UEBA) technology: Behavior analysis is now an essential and integral part of a security strategy. Employee monitoring systems and smart analytics, such as Veriato Cerebral, can help track and predict both malicious and careless employee behavior. This enables organizations to manage insider threats effectively.
- Employee education: Provide regular mandatory security awareness training, which reinforces essential concepts such as password hygiene and updates on threats. Where possible, use creative education strategies such as gamification.
- Access management and authentication: Using a ‘need to know’ model with multi-layered or completely individualized access rights can help mitigate the risk of both malicious and careless insider breaches. A ‘zero trust’ policy combines strong authentication with personnel management. This may be increasingly essential in a climate of widespread remote working. Multi-factor authentication can also help reduce the risk of data and access breaches stemming from simple human errors like shared or leaked passwords.
- Ransomware protection: Ransomware can cause serious physical and practical issues when it affects operational technology and production lines. Ransomware protection requires a multifaceted approach, beginning with a frank assessment of the ways such malware is likely to enter the network and how the organization can respond. Next-generation technology, such as Veriato Ransomsafe, can help protect organizations from this threat.
- A strong security team: The value of a skilled cybersecurity team cannot be overstated. This multifaceted line of defense can anticipate threats to operational technology, help maintain security systems, lead analyses, provide bespoke training, and more. While this might be challenging for small and medium-sized businesses to maintain, flexible cybersecurity team options can also help.
- Regulations and standards: Regulations and governing bodies are also an increasingly essential part of a larger cybersecurity infrastructure. They are designed to ensure some consistency, as security management can vary widely from one organization to another and from one geographical area to the next. A standardized framework such as ISA/IEC 62443 brings cohesion and consistency to addressing vulnerabilities.
The novel and complex nature of convergent manufacturing automation requires a targeted, flexible, and scalable approach to cybersecurity. The scope of evolving threats, such as ransomware and insider attacks, combined with the potential for catastrophic real-world effects from operational technology breaches, means that security must be a priority. Next-generation solutions like Veriato Ransomsafe and Veriato Cerebral can help address these threats and more.