
There are many technical issues to address in industrial cyber security


While industrial facilities are facing more cyber security challenges than they used to,
the good news is that awareness around these challenges is increasing. That said,
there’s still a marked difference between how well cyber security is understood in the
consumer and corporate IT worlds, and how well it’s understood in industrial
environments driven by OT.

In a sense that’s not surprising. After all, most well-publicised attacks have been in
consumer and corporate IT. But with attacks on critical industrial environments now
becoming more frequent, people are starting to wake up to the operational, financial,
reputational and even human and environmental damage they can inflict.

Awareness is one thing. But the fundamentals of cyber security are still not being
practised regularly. What are those fundamentals? In our cyber security work with
organisations operating critical infrastructures around the world in sectors including
power, oil and gas, water management, manufacturing and maritime, we’ve identified
the top five technical issues that need addressing.

1. Software is just outdated and vulnerable


In many industrial environments, the software behind control systems is obsolete.
This is due to a failure to patch operating systems and applications, as well as to
make essential upgrades to firmware when these become available.

All too often, we see poor patch management and the use of unsupported software.
That makes it easy for attackers with off-the-shelf tools to exploit weaknesses – as
we saw with the spread of the WannaCry ransomware that crippled many
organisations. In 2018 and 2019, other ransomware campaigns also directly
impacted industrial sectors. These systems should be upgraded, replaced or
properly isolated to communicate with only what is explicitly necessary.

2. Networks are ineffectively segregated


It’s essential that IT/OT systems are segregated correctly, but this isn’t happening
enough. Poor segregation of safety instrumented systems (SIS) from the rest of the
OT network is also a major issue, as this leaves employees exposed to a higher
level of risk.

And as OT becomes ever more closely integrated with enterprise and business
systems, the boundaries between OT and IT environments are often weak, as are
many firewalls. Attackers seeking to gain control of OT through the network are well
versed in the technique of exploiting poorly configured gateways and other
equipment to leverage weaknesses in the IT network, and that way enter the OT
environment.
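
One way to check a boundary rule set against the points above and the earlier call to let legacy systems "communicate with only what is explicitly necessary" (deny by default into OT, nothing from IT into the SIS zone, no any/any rule into OT). This is an added example, not code from the original article; the zone names, rule format, allow-list and sample rules are all constructed.

```python
"""Audit a firewall rule set at an IT/OT/SIS boundary. Added example, not
from the original article; zones, rule format and sample rules are
constructed. Policy: traffic into OT only via an explicit allow-list
(deny by default), nothing from IT into SIS, no any/any rule into OT."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str   # "tcp", "udp" or "any"
    port: str    # port number, or "any"
    action: str  # "allow" or "deny"

# The only flows into OT the operator has justified (constructed:
# historian replication from the DMZ over TCP 1433).
ALLOWED_INTO_OT = {("dmz", "ot", "tcp", "1433")}

def audit(rules):
    """Return (rule, reason) findings for allow rules that break policy."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.src_zone == r.dst_zone:
            continue  # denies and intra-zone rules are out of scope here
        wide = r.proto == "any" or r.port == "any"
        if r.dst_zone == "sis":
            findings.append((r, "SIS must not accept traffic from other zones"))
        elif r.dst_zone == "ot":
            if wide:
                findings.append((r, "overly permissive rule into OT"))
            elif (r.src_zone, r.dst_zone, r.proto, r.port) not in ALLOWED_INTO_OT:
                findings.append((r, "flow into OT not on the explicit allow-list"))
    return findings

# Constructed sample rule set, in evaluation order.
SAMPLE_RULES = [
    Rule("dmz", "ot", "tcp", "1433", "allow"),  # justified historian flow
    Rule("it", "ot", "any", "any", "allow"),    # flat IT/OT boundary
    Rule("it", "sis", "tcp", "502", "allow"),   # Modbus from IT into SIS
    Rule("ot", "ot", "tcp", "502", "allow"),    # intra-OT, out of scope
    Rule("it", "ot", "tcp", "3389", "allow"),   # RDP into OT, not justified
    Rule("any", "any", "any", "any", "deny"),   # default deny
]

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(f"{rule.src_zone}->{rule.dst_zone} {rule.proto}/{rule.port}: {reason}")
```
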

3. Poor systems hardening

Systems hardening is key to reducing vulnerability to attack, by eliminating
possible attack vectors and shrinking the attack surface of the systems. Yet many
device installations have either no or minimal hardening measures in place.

Vulnerabilities are created in systems when, for example, access credentials are left
in their default state or organisations use insecure protocols or permissive services.
If vendors don’t make patches and updates available, organisations may need to
upgrade, migrate or isolate a system from the network.

4. Weak access control


Access control, in both the physical and logical sense, is often poorly managed and
can undermine the security controls that have been put in place. Think of things like
managing joiners and leavers, managing account permissions and the use of weak
passwords.

These can be resolved by establishing and enforcing a strong password policy.


Storage of passwords is also a key consideration: a strong password is useless if it’s
stored on an unencrypted system that is accessible to other users.

Organisations should also apply the principle of ‘least privileges’ – only granting
permissions for user accounts to those who require them.
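
A periodic account review that puts the three points above into practice (joiners and leavers, permissions checked against a least-privilege role model, and password age against policy). This is an added example, not code from the original article; the roster, accounts, role-to-group mapping and the 90-day limit are constructed.

```python
"""Periodic account review for an OT domain (joiners/leavers, least
privilege, password age). Added example, not from the original article;
roster, accounts, role-to-group map and the 90-day limit are constructed."""
from datetime import date
MAX_PASSWORD_AGE_DAYS = 90  # constructed policy value

# Least privilege: the only groups each role may hold (constructed).
ROLE_GROUPS = {
    "operator": {"hmi_users"},
    "engineer": {"hmi_users", "plc_programmers"},
}

def review(roster, accounts, today):
    """Return (username, issue) findings for accounts that break policy."""
    people = {p["user"]: p for p in roster}
    findings = []
    for a in accounts:
        user, person = a["user"], people.get(a["user"])
        # Leavers and unknown users must not keep an enabled account.
        if person is None or person["status"] == "left":
            if a["enabled"]:
                findings.append((user, "leaver/unknown user still enabled"))
            continue
        extra = set(a["groups"]) - ROLE_GROUPS.get(person["role"], set())
        if extra:
            findings.append((user, f"groups beyond role: {sorted(extra)}"))
        age = (today - a["pwd_changed"]).days
        if a["enabled"] and age > MAX_PASSWORD_AGE_DAYS:
            findings.append((user, f"password {age} days old"))
    return findings

# Constructed sample data: one HR roster, one export of domain accounts.
ROSTER = [
    {"user": "alice", "role": "engineer", "status": "active"},
    {"user": "bob", "role": "operator", "status": "left"},
    {"user": "carol", "role": "operator", "status": "active"},
]
ACCOUNTS = [
    {"user": "alice", "enabled": True, "pwd_changed": date(2024, 1, 10),
     "groups": ["hmi_users", "plc_programmers"]},
    {"user": "bob", "enabled": True, "pwd_changed": date(2024, 3, 1),
     "groups": ["hmi_users"]},
    {"user": "carol", "enabled": True, "pwd_changed": date(2023, 9, 1),
     "groups": ["hmi_users", "plc_programmers"]},
    {"user": "vendor1", "enabled": False, "pwd_changed": date(2023, 1, 1),
     "groups": ["remote_support"]},
]

if __name__ == "__main__":
    for user, issue in review(ROSTER, ACCOUNTS, date(2024, 4, 1)):
        print(user, "-", issue)
```
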

5. Insufficient logging and monitoring


Systems need to be monitored constantly and in real-time, in order to detect any
unusual behaviour. Careful monitoring also helps build up comprehensive system
logs that are of great use in the forensic investigation of any attack that does occur.

Recent developments in the IT world have shown that one of the most effective ways
to spot new and evolving threats is through host-based monitoring, such as with
Endpoint Detection and Response tools. These tools can facilitate effective incident
response processes. For OT systems that don’t allow host-based monitoring, there
are passive and active monitoring tools that can monitor the network. They are
improving hugely in quality.

Fortunately, most of these issues are relatively easy to fix. It’s not a one-off job,
however. Sustainable cyber security is a never-ending process, with many moving
parts. To do it right, it’s vital to appoint people directly responsible for maintaining
security in the OT domain, and implement a ‘defence-in-depth’ strategy with multiple
levels of protection such as layered networks, strong access control, system
hardening and regular testing of all entry points.

DDoS Attacks

Distributed denial of service (DDoS) attacks have become one of the most prominent
forms of cybercrime over the last few years. While there’s no doubting they’ve
increased in frequency (2018 will set a new record for the number of incidents), DDoS
attacks also make for splashy headlines when they manage to take down major
sites, even if they only manage to do so for a few minutes. The goal of a DDoS
attack is to overload a server with access requests until it ultimately crashes. These
attacks are usually facilitated by “botnets,” a fleet of computers infected by malicious
software and directed by a hacker to send access requests to a single target. Newer,
more intense forms of DDoS attacks involve a process known as “memcaching,”
which uses unprotected, open-source object-caching systems to amplify access
requests and inundate sites with more than a terabyte of traffic.

Malware

A classic form of cyberattack, malicious software can be introduced into a system
through a variety of methods. Email attachments, software downloads, and operating
system vulnerabilities are the most common sources of malware. Once installed,
malware disguises itself by attaching to legitimate code and spreading to other
systems. The goal of malware is generally to grant unauthorized access to a
computer or system. Ransomware, which denies user access to critical data via
encryption until a ransom is paid to unlock it, has been responsible for several
high-profile cyberattacks in recent years. But new forms of malware, including Trojans,
viruses, and worms, are continuously emerging to threaten organizations and
individuals alike.

Phishing Scams

A digital version of an age-old scam, phishing attacks consist of email messages that
use various forms of psychological manipulation and deception to convince users to
click on a link that sets them on a path to sharing their personal information. Modern
phishing messages are incredibly sophisticated, often posing as emails from
legitimate, trusted companies. And while most internet users know to be especially
wary of such requests, a 2016 Verizon report found that people were six times more
likely to click on a phishing email than a regular marketing email.

Internal Misuse

Even the best cybersecurity measures can prove ineffective when employees make
the decision to misuse their access privileges. While people leaking secure data to
public sources may be the most newsworthy example of such abuses, it’s far more
common for employees to simply take vital data and information without having any
specific plan for what to do with it. Recent research found that 85 percent of
employees took documents or information they’d personally created and 30 percent
took data they hadn’t created. This information included strategy documents,
customer data, and even proprietary source code. While employees sometimes took
data in response to being fired, 90 percent of them reported taking it because there
was no policy or technology in place to stop them.

Solutions

Predictive Analytics

In order to effectively counter cyberattacks, IT personnel need to know what an
attack looks like, when it’s likely to occur, and where it’s coming from. Predictive
analytics software driven by machine learning can gather huge amounts of data on
known cyberattacks and apply the results to existing security protocols. This is
especially useful for active DDoS mitigation because it allows cybersecurity systems
to identify threats and take proactive measures to redirect traffic before the system is
overwhelmed. Rapid response times are critical for avoiding the worst effects of
cyberattacks. The longer a breach goes undetected, for instance, the more data will
be compromised, which can be costly to companies of all sizes. Predictive analytics
can give remote hands teams the advance notice they need to actively combat
hacking attempts.

Back Up Critical Data

In the case of DDoS and ransomware attacks, it’s essential for companies to have a
data back-up plan in place. Having access to mission critical data can mean the
difference between getting systems and services back online quickly with minimal
downtime and suffering a catastrophic server outage. With a thorough back-up
strategy in place that frequently stores vital data and assets in a separate, and
preferably off-site system, companies can avoid the “all or nothing” risk of a
cyberattack causing prolonged downtime. Data centers can provide extensive back-
up solutions reinforced by multiple layers of cybersecurity and physical security.

SLA Assurances

Many organizations outsource portions of their IT infrastructure or data operations to
third-party companies. While this can reduce costs and logistical burdens, it also
introduces the potential risk of data exposure if the third party doesn’t have the same
level of cybersecurity measures in place to guard against threats. To avoid this
problem, companies should utilize service level agreements (SLAs) to stipulate the
security obligations of all parties involved in the relationship. While an SLA can’t
prevent a cyberattack by itself, it does provide legal assurance that third-party
providers must adhere to certain security standards or suffer serious financial
consequences for non-compliance.

Cyber Insurance

With hacking becoming an accepted risk across multiple industries, many companies
have responded by purchasing insurance plans to protect them against potential
financial losses. The cyber insurance market is expected to grow to $20 billion by
2025. Once merely an option attached to more general business plans, standalone
cyber insurance coverage has become so popular that many new insurers are
entering the market to capitalize on it. For industries like healthcare, which has
difficulty implementing robust security measures due to compliance laws, insurance
is fast becoming a necessity to protect companies financially from cyberattacks on
their own systems or those of their suppliers and partners.

“Bug Bounties”

Identifying vulnerabilities in software code can be a tedious and time-consuming
process. Many organizations simply don’t have the resources to subject their
programs to the rigorous scrutiny necessary to identify every single bug or loophole
that could be exploited by hackers. In recent years, however, companies have
decided to outsource this task through “bug bounty” programs. These programs
encourage well-intentioned hackers to scour web-based software for vulnerabilities
and errors, delivering a cash payout when confirmed bugs are identified. Both private
companies and government agencies have implemented “bug bounty” policies to
help shore up their software security.

Training and Awareness

Many data breaches result from phishing scams that introduce malware into network
systems. Educating employees regarding the latest tactics used by scammers can
help reduce the likelihood that they will click links that expose them to malicious
software. Implementing basic data security policies that explain how to properly
handle company data is also key to reducing the threat of internal misuse.
Organizations should also be more strict about who has access to sensitive data in
the first place. These strategies can greatly reduce the impact of human error on
cybersecurity measures.

While cyberattacks remain a serious threat to organizations today, there are several
solutions that can bolster efforts to safeguard data and maximize service uptime. By
keeping up-to-date with the latest risks, companies can implement more effective
cybersecurity strategies to protect both themselves and their customers from harmful
data breaches and other threats.
