net/publication/307993809
1 author:
Richard Piggin
Accenture
All content following this page was uploaded by Richard Piggin on 30 June 2019.
What started as a philosophical forward-looking research project in Germany has become a global
hot topic, simply labelled ‘Industry 4.0’ or the fourth industrial revolution. So profound is the
anticipated change and the benefit to humankind, it was the theme of this year’s World Economic
Forum in Davos. The original German Industrie 4.0 Working Group report (Recommendations for
implementing the strategic initiative INDUSTRIE 4.0, 2013) highlighted the reliance upon
networking and the critical integration of safety and security strategies and architectures; and the
development of standards to avoid harm. What are the risks?
A new frontier
Attacking operational technology (OT) systems can leave millions affected or cause millions in
damages. Physical losses are a growing concern in terms of severity and frequency according to the
UK government (UK Cyber Security: The role of insurance in managing and mitigating the risk, March
2015). The interconnectedness of cyberspace and the physical world is stressed in the report,
which specifically cites a new category of risk with industrial control systems in the energy sector.
New generation control systems are based on openness and interoperability, and use open
networking and commodity technologies. Connectivity between the IT and OT environments has
dramatically increased given the demand for business optimisation, facilitated by technology
convergence. Attacks can pivot from the enterprise IT, and then move laterally between the
previously isolated ‘air-gapped’ environments. These cyber security risks are only just beginning to
be understood. Understanding OT cyber security threats should be explicit in an organisation’s risk
management programme.
Until recently, operational technology had little in common with information technology; often
isolated from other systems, running proprietary software with obscure control network protocols.
OT is used extensively in diverse sectors including utilities, energy, transport, logistics,
manufacturing and leisure.
Traditional IT security approaches are not necessarily valid in control systems, and need to be
tailored for the operational technology domain. Mitigating controls may impact safety-related
operations, introducing security-derived safety hazards. The engineering principles for cyber physical
systems focus on safety, reliability and availability. Protecting the function of the asset is the
overriding concern (availability and integrity), not necessarily the information within (confidentiality),
which creates potentially conflicting corporate objectives. The human domain silos of IT and
The U.S. ICS-CERT 2015 year-in-review report (ICS-CERT Monitor, November/December 2015)
highlights a 20 per cent increase in the number of reported industrial control system incidents. It
also confirmed cyber-attacks against manufacturing companies have doubled, even in the face of
under-reporting by the affected entities. A significant proportion of the incidents (31 per cent) were
due to poor industrial control network architectures, including corporate and/or internet
connectivity.
Access control
Of particular concern is the growing evidence of intrusions into control systems and their
manipulation. ICS-CERT data also revealed an increasing variety of attack methods, beyond the
highly successful use of spear phishing to gain entry. These include unauthorised access to
industrial control systems; exploitation of zero-day vulnerabilities in control devices and software;
malware infections in air-gapped networks; and lateral movement between network zones.
Intel (Holding the Line: Critical Infrastructure Readiness Report, September 2015) surveyed 625
critical infrastructure organisations in the US, UK, Germany and France. It highlighted
overconfidence in an organisation’s defence, with 27 per cent of respondents feeling very or
extremely vulnerable compared with 50 per cent three years ago.
The Dragonfly/Havex malware targeted the OT environment in energy companies to exfiltrate data
in the previous year, and IT infrastructure attacks could impact OT systems. US and French energy
and transport organisations fear that a serious cyberattack affecting critical services and causing loss of
life is highly likely within three years. Yet, respondents to the SANS survey (The State of Security in
Control Systems Today, July 2015) felt that decision-makers’ concerns had decreased over the past
year, but the perception of threats was rated high or severe.
Sophisticated attacks
The dichotomy suggests that security programmes are in place, but that decision makers are less
knowledgeable about the changing threat landscape and its significance. Fifty-two per cent of the
respondents, according to the Ponemon Institute (Critical Infrastructure: Security Preparedness and
Maturity report, July 2014), either did not know or were unsure about industrial control system
vulnerabilities. The same research and industry experience revealed that senior executives are less
likely to be briefed about security initiatives (54 per cent).
The sophistication of attacks is increasing, as is the likelihood that they might be physically
destructive, causing significant loss, as demonstrated by the massive damage to a German steel mill
reported by the Federal Office for Information Security (The IT Security situation in Germany 2014,
November 2014). Recent breaches demonstrate increasing knowledge of control systems, and the
lowering of the technical barriers to entry for potential adversaries. Attacks need not rely on
sophisticated malware such as Stuxnet, which targeted the Iranian nuclear programme in 2010.
Instead, access, potentially provided by criminals selling access-as-a-service, could
facilitate malicious use of control system functionality to create an undesirable event. The dramatic
increase in ransomware has also affected operational technology operators, including utilities, with
the potential not just to deny access to data, but to cause production failures in real-time systems
through denial-of-service, whether by generic infection or targeted attack.
Research for the U.K. Centre for the Protection of the National Infrastructure (CPNI) by Oxford
Economics (Cyber-Attacks: Effects on U.K. Companies, July 2014) highlights the increased frequency
of general (non-targeted) and targeted cyberattacks, and their sophistication and severity. The
report notes that the highest loss estimates were for damage to reputation/branding across all
business sectors, with a raw average loss estimate of £2.9 million. Correlations were observed
between reputational damage and share price drops in some cases, suggesting that publicised
cyberattacks have an impact on stock valuation and, hence, company reputation. Security
investments could therefore maintain shareholder value.
April 2016: Ransomware targeted US-based Board of Water and Light utility
April 2016: Malware discovered in Bavarian nuclear power plant fuel loading system
January 2016: Ransomware sent to Israeli Electricity Authority, compromising enterprise systems and quarantined to prevent lateral movement
December-January 2015: VPN credentials used to open circuit breakers in three Ukrainian electricity distribution companies, causing power outages. Control systems disabled
December 2015: Reported Iranian reconnaissance of New York Dam control system via GSM modem in order to exfiltrate status information
June 2015: Alleged Chinese phishing campaign against defence, aerospace, technology, engineering, telecommunications and transport sectors and used a remote access trojan affecting manufacturing