Industrial Cyber Security in 2016
Industrial Cyber Security in 2016
“We are all going to die!” was the repeated phrase at a recent Cyber Security Conference Key note address by Eugene Kaspersky of Kaspersky Labs. He said it tongue in check as most of the presentations at Cyber Conferences are doom and gloom.
Cyber Attacks on Industrial Control Systems are increasing both in complexity and in frequency. All the statistics from the industry back this up. The attackers don’t need high complexity or advanced skill sets to attack most Industrial Control Systems. It’s almost child’s play.
Attackers used to be a wide range of groups from a script-kiddie to nation-states but now the primary volume of successful attacks are from organised crime. Crime gangs have widened their business models to now include Hacking-as-a-service HAAS where you can define your attack and target and strategy online with an Attacking Service and pay for the attack, delivery, telephone support and service level agreement SLA, all online, using PayPal.
Many conferences now are haranguing the audience as being ‘incompetent’, again tongue-in-cheek, but aiming at the people who do not implement Security-by-Design in their products and systems together with the industry as a whole who have not yet eradicated Cyber Attacks by Leap-Frogging the bad guys with innovative new defences and solutions.
We have got to stop talking about Stuxnet and start talking about Innovation and new ways of thinking. Keynote speakers are talking about the soft skills of the Cyber War. Cyber-attacks are made by humans, often exploiting human weaknesses as key building blocks of their attacks. The Cyber Defence industry must recognise this more and build Security Improvement Programs which include humans as the core to the solution.
The typical myths which bolster the prevalent inertia in organisation’s IT and ICS systems are well known and have been debunked a thousand times.
Myth: We are disconnected.
Fact: Most systems have at least 10+ information connections to the World.
Myth: Firewall protected.
Fact: Most firewalls set to allow ‘any’ on inbound and poorly understood by each department..
Myth: Hackers don’t understand SCADA/OT/ICS.
Fact: Increase of hackers specifically attacking ICS/OT/SCADA due to kudos of accomplishment.
Myth: We are an unlikely target.
Fact: Can be collateral due to proliferation of attacks and own supply chain e.g. Stuxnet variants.
Myth: Safety backup system will protect us.
Fact: Safety systems just as likely to be hit as control systems. Often similar systems deployed.
The myths are certainly well entrenched in Industrial Control Systems owners as the current systems work well and they have not seen lots of local news about their neighbours and competitors suffering the negative consequences of cyber-attacks. The cost of a Security Enhancement programme is seen as prohibitive by the Board and Senior Management. What is not so well recognised are the business and operational improvements a Security Programme will bring about. This is typically reduced insurance premiums, reduction in the cash safety float, improved operations and increased resilience. These business improvements are often enhanced by better staff moral and clearer understanding of Operational Technology and the current risks landscape.
Over 60% of Information breaches took months to be discovered, not days or hours or minutes.
Around 70% or respondents to a recent survey admitted being victims to a cyber-attack. Organisations are not reporting the attacks, the effects or the remediations carried out, due to strict corporate embargoes.
The steps to climb the stairway to security can be very high, certainly for organisations with extensive legacy systems, but the steps need to be climbed. The best approach is to build smaller steps, parallel steps, and think differently.
Remember that the bad guys are always improving, so it is essential for organisations to also keep improving but also looking for that giant leap ahead in defences. There is talk of new Secure Operating Systems, new Secure Trusted Computer Systems, and of the increased lock-down and monitoring of The Internet. All these advances are being made but are they appearing on the market quickly enough to make that giant leap forward in the Cyber Arms Race?
We all hope so as “We all want to live!”.
To be featured or find out more abOut Company Connecting:
e-mail us on email@example.com
call us on 0845 643 5375
or contact Janice on Linkedin
First published on Company Connecting October 2016