
See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/307993809

Risk in the Fourth Industrial Revolution

Article  in  ITNOW · September 2016


DOI: 10.1093/itnow/bww073


1 author:

Richard Piggin
Accenture

All content following this page was uploaded by Richard Piggin on 30 June 2019.



RISK IN THE FOURTH INDUSTRIAL REVOLUTION
Dr Richard Piggin, from the engineering consultancy Atkins, discusses operational technology cyber
security and considers the risks that exist in the fourth industrial revolution.

What started as a philosophical forward-looking research project in Germany has become a global
hot topic, simply labelled ‘Industry 4.0’ or the fourth industrial revolution. So profound is the
anticipated change and the benefit to humankind, it was the theme of this year’s World Economic
Forum in Davos. The original German Industrie 4.0 Working Group report (Recommendations for
implementing the strategic initiative INDUSTRIE 4.0, 2013) highlighted the reliance upon
networking and the critical integration of safety and security strategies and architectures; and the
development of standards to avoid harm. What are the risks?

A new frontier
Attacking operational technology (OT) systems can leave millions affected or cause millions in
damages. Physical losses are a growing concern in terms of severity and frequency according to the
UK government (UK Cyber Security: The role of insurance in managing and mitigating the risk, March
2015). The interconnectedness of cyberspace and the physical world is stressed in the report,
which specifically cites a new category of risk with industrial control systems in the energy sector.
New generation control systems are based on openness and interoperability, and use open
networking and commodity technologies. Connectivity between the IT and OT environments has
dramatically increased given the demand for business optimisation, facilitated by technology
convergence. Attacks can pivot from the enterprise IT, and then move laterally between the
previously isolated ‘air gapped’ environments. These cyber security risks are only just beginning to
be understood. Understanding OT cyber security threats should be explicit in an organisation’s risk
management programme.

Until recently, operational technology had little in common with information technology; often
isolated from other systems, running proprietary software with obscure control network protocols.
OT is used extensively in diverse sectors including utilities, energy, transport, logistics,
manufacturing and leisure.

Connectivity and risk


System lifetimes are often measured in decades and, extending beyond enterprise IT refreshes, are exposed to
changing threat landscapes with increasing vulnerabilities and evolving adversaries. Safety systems
used to monitor and prevent abnormal system operation have also become tightly integrated with
control systems. Security research undertaken for the US Department of Homeland Security and the
oil and gas industry emphasised increased risk through increased connectivity.

Traditional IT security approaches are not necessarily valid in control systems, and need to be
tailored for the operational technology domain. Mitigating controls may impact safety-related
operations, introducing security-derived safety hazards. The engineering principles for cyber-physical
systems focus on safety, reliability and availability. Protecting the function of the asset is the
overriding concern (availability and integrity), not necessarily the information within (confidentiality),
which creates potentially conflicting corporate objectives. The human domain silos of IT and
operational technology engineering are now being bridged by machine communications and
exploited by adversaries. These fundamental changes require a broader understanding and
management of organisational digital risk to successfully implement appropriate security.

The U.S. ICS-CERT 2015 year-in-review report (ICS-CERT Monitor, November/December 2015)
highlights a 20 per cent increase in the number of reported industrial control system incidents. It
also confirmed cyber-attacks against manufacturing companies have doubled, even in the face of
under-reporting by the affected entities. A significant proportion of the incidents (31 per cent) were
due to poor industrial control network architectures, including corporate and/or internet
connectivity.

Access control
Of particular concern is the growing evidence of intrusions into control systems and their
manipulation. ICS-CERT data also revealed an increasing variety of attack methods, beyond the
highly successful use of spear phishing used to gain entry. These include unauthorised access to
industrial control systems; exploitation of zero-day vulnerabilities in control devices and software;
malware infections in air-gapped networks; and lateral movement between network zones.

Intel (Holding the Line: Critical Infrastructure Readiness Report, September 2015) surveyed 625
critical infrastructure organisations in the US, UK, Germany and France. It highlighted
overconfidence in an organisation’s defence, with 27 per cent of respondents feeling very or
extremely vulnerable compared with 50 per cent three years ago.

The Dragonfly/Havex malware targeted the OT environment in energy companies to exfiltrate data
in the previous year, and IT infrastructure attacks could impact OT systems. US and French energy
and transport organisations fear that a serious cyberattack affecting critical services and causing loss of
life is highly likely within three years. Yet, respondents to the SANS survey (The State of Security in
Control Systems Today, July 2015) felt that decision-makers’ concerns had decreased over the past
year, but perceptions of threats were rated high or severe.

Sophisticated attacks
The dichotomy suggests that security programmes are in place, but that decision makers are less
knowledgeable about the changing threat landscape and its significance. Fifty-two per cent of the
respondents, according to the Ponemon Institute (Critical Infrastructure: Security Preparedness and
Maturity report, July 2014), either did not know or were unsure about industrial control system
vulnerabilities. The same research and industry experience revealed that senior executives are less
likely to be briefed about security initiatives (54 per cent).

The sophistication of attacks is increasing, as is the likelihood that they might be physically
destructive, causing significant loss, as demonstrated by the massive damage to a German steel mill
reported by the Federal Office for Information Security (The IT Security situation in Germany 2014,
November 2014). Recent breaches demonstrate increasing knowledge of control systems, and the
lowering of the technical barriers to entry for potential adversaries. Attacks need not rely on
sophisticated malware such as Stuxnet, which targeted the Iranian nuclear programme in 2010.
Instead, access, potentially provided by criminals selling access-as-a-service, could
facilitate malicious use of control system functionality to create an undesirable event. The dramatic
increase in ransomware has also affected operational technology operators, including utilities, with
the potential not just to deny access to data, but to cause production failures in real-time systems
through denial-of-service, whether by generic infection or targeted attack.

Research for the U.K. Centre for the Protection of the National Infrastructure (CPNI) by Oxford
Economics (Cyber-Attacks: Effects on U.K. Companies, July 2014) highlights the increased frequency
of general (non-targeted) and targeted cyberattacks, and their sophistication and severity. The
report notes that the highest loss estimates were for damage to reputation/branding across all
business sectors, with a raw average loss estimate of £2.9 million. Correlations were observed
between reputational damage and share price drops in some cases, suggesting that publicised
cyberattacks have an impact on stock valuation and, hence, company reputation. Security
investments could therefore maintain shareholder value.

Integrated security strategies


Evolution of the industrial internet of things continues to create new opportunities through
increasing connectivity of IT and OT, but may also create unforeseen consequences. OT incidents
arising from threat actors, nation states, criminals, and insiders, have significantly increased, whilst
previously less knowledgeable adversaries, including hacktivists, may obtain capability with freely
available resources and tools. To address these threats, organisations need to undertake
collaborative cyber security programmes to understand the vulnerabilities, threats, risks and
business impacts of OT incidents. This process will develop an integrated OT security strategy with
appropriate priorities, which are led by governance and underpinned by policies and procedures.
These need to incorporate OT incident response and the application of OT-focused mitigations.
Securing third-party access to industrial systems and security of data will be crucial to successful
implementation of the industrial internet of things paradigm.

Recent operational technology attacks

July 2016: Ransomware discovered masquerading as control system firmware update

July 2016: Four nation state intrusions into UK rail reported

April 2016: Ransomware targeted US-based Board of Water and Light utility

April 2016: Malware discovered in Bavarian nuclear power plant fuel loading system

January 2016: Ransomware sent to Israeli Electricity Authority, compromising enterprise systems
and quarantined to prevent lateral movement

December-January 2015: VPN credentials used to open circuit breakers in three Ukrainian electricity
distribution companies, causing power outages. Control systems disabled

December 2015: Reported Iranian reconnaissance of New York Dam control system via GSM modem
in order to exfiltrate status information

June 2015: Alleged Chinese phishing campaign against defence, aerospace, technology, engineering,
telecommunications and transport sectors, which used a remote access trojan affecting manufacturing

2015: CryptoLocker ransomware phishing attack of US American Electric Power
