SamSam, Shamoon, Stuxnet and Triton are just some of the popular viruses that have been targeted at Industrial Control Systems (ICS). They have caused a lot of damage. Triton’s purpose was causing loss of life; now, that is serious. In the IT security environment, we do not hear about cyberattacks causing loss of life but in an operational environment it is different.
In the IT security world, we follow the confidentiality, integrity and availability (CIA) triad but in the operational technology (OT) security world this is reversed to availability, integrity and confidentiality (AIC). Availability of the control systems is an absolute priority. By having these control systems ‘talking’ and controlling one another ensures assets can maintain the safety of the equipment, while making sure the production is run with minimum intervention. The industrial control systems successfully run the national infrastructures, manufacturing units, energy, communications etc.
The US Department of Homeland Security’s Cyber and Infrastructure Security Agency (CISA) responded to 290 incidents reported by asset owners and industry partners in 2016. Out of these, 59 incidents were energy industry-specific and this number has been increasing year-on-year. The scope of incidents encompassed a vast range of threats and observed methods for attempting to gain access to both business and control system infrastructure. Many more attacks occur, but companies are reluctant to report or share that information because of the real fear of the loss of customer confidence.
What are the biggest threats and where do they come from? A threat requires both intent and capability to be credible. The biggest threat facing industry right now is employee awareness – around phishing emails, removable media usage, network segmentation, personal device usage, the control systems engineer’s knowledge of cyber security, the security engineer’s knowledge of control systems and how to protect them.
Lastly, external threats like hackers, terrorists, competitors, criminals and spies. Their intention might be to hold you to ransom, steal your Intellectual property, cause financial loss, reputational damage, or loss of life.
How do you protect your assets? Anyone that works in ICS cyber security will tell you that it is very different from conventional IT cyber security. For example, you cannot simply quarantine a file in the SCADA (supervisory control and data acquisition) system. That might bring the whole asset to a standstill and the cost of downtime will be a lot higher than the cost of recovery. The key here is prevention: preventing cyber incidents is the most effective way to secure ICS.
Here are five simple steps to protect your company assets:
Managing director Jai Aenugu established The TechForce shortly after being named Entrepreneurial Supporter of the Year at the 2016 Elevator Awards, following a career as IT manager for an Aberdeen-based oilfield services company.
The TechForce provides email phishing and security awareness training, next-generation antivirus software, vulnerability management and cyber essentials consulting for medium-to-large businesses. It was recently awarded Approved Cyber Essentials Practitioner (Advanced) status and secured a place on the Government’s G-Cloud 11 procurement framework for cyber security services.