
Industrial Cyber Threats

Processes and Protection for Industrial Control Systems


Glossary

OT Operational Technology

IT Information Technology

IIoT Industrial Internet of Things

Air gap/gapping An air gap, or air gapping, refers to computers or networks that are not connected directly to the internet or to any other computers connected to the internet.

COTS Commercial Off the Shelf

ICS Industrial Control System(s), though often used as a general term that encompasses several types of systems and associated instrumentation used for industrial control

SCADA Supervisory Control and Data Acquisition

DCS Distributed Control Systems

PLC Programmable Logic Controllers

SIS Safety Instrumented System

OES Operators of Essential Services

ALARP The principle that residual risk shall be reduced to as low as is reasonably practicable

NIST National Institute of Standards and Technology

NIS Network and Information Systems

COMAH Control of Major Accident Hazards

HSE Health and Safety Executive (UK)

2 Copyright © 2020, Yokogawa Electric Corporation


Foreword
At one time, industrial environments were considered immune to cyber
attack. Air gapping was believed sufficiently robust to keep bad actors
from gaining unauthorised access to a facility. High-profile incidents
over the last decade, however, have proven this idea wrong, often to
destructive effect.

It is not difficult to see why the situation has changed. The digital
transformation of industry and adoption of ‘open’ technology facilitates
interoperability, unlocks unprecedented insights and the flow of
information across logical boundaries. This revolution is unequivocally
a good thing as it allows organisations to become more adaptive to
demand. Yet it has also unlocked a door that was once kept firmly shut.
Today’s hackers recognise this and are actively looking for ways to
compromise modern industrial control systems.

Keeping one step ahead is difficult, not least because cyber threats are
constantly evolving. Regulation rightly looks to maintain the pace but has
also made plant security a daunting challenge for most organisations.
This report simplifies that problem, bringing together all the information
necessary to develop effective plant security.



INDUSTRIAL CYBER THREATS

Introduction
Cyber attacks are no longer a rare occurrence. They threaten a world that is now defined
by, and reliant on, ease of access and connectivity. Statistics restate the need for action.
According to research from the Centre for Strategic & International Studies, the rate of
‘significant’ cyber incidents rose by 63% between 2016 and 2019.[1]

Often these attacks will target IT networks with the aim of stealing sensitive company data.
Others will look to disrupt by disabling servers and other digital assets necessary for day-
to-day activity. There are also attacks that extort targets by encrypting information and
holding it to ransom – the 2017 ‘WannaCry’ worm that temporarily disabled the NHS is a
notable example of this.[2] While breaches of this type are clearly undesirable, they still figure
at the ‘lower end’ of severity when malware infiltrates an organisation.

Attacks directed at operational technology (OT) networks give far greater cause for
concern. OT is hardware and software that monitors and controls industrial equipment and
processes. It is found in facilities that manage energy generation, chemical processing, as
well as automated manufacturing, pharmaceutical processing, and defence networks.[3]
OT is innately tied to production environments and therefore breaches in this space can
be profoundly dangerous. When an industrial control system (ICS) is successfully targeted,
serious damage to critical infrastructure and the environment are very real possibilities, as
is threat to life.

There are a growing number of incidents that demonstrate the impact of unauthorised
access to an ICS. In 2014, for example, a blast furnace at a German steel mill suffered
“massive damage” following an attack on the plant’s control system. It is believed those
responsible gained access by tricking staff via a phishing email.[4] This type of attack typifies
how successful breaches now not only cause production downtime but physical, material
losses on the plant floor.

The stakes can be much higher. In December 2015, part of Ukraine’s central grid was taken
offline for six hours when hackers were able to remotely access the supervisory control and
data acquisition (SCADA) system of a regional electricity company. Thirty substations were
switched off during the attack, leaving some 230,000 people without electricity or heating.[5]

1. https://www.linklaters.com/en/insights/publications/2019/january/global-cyber-incidents-soar-by-63pc-in-the-last-three-years--linklaters-report

2. https://www.kaspersky.co.uk/resource-center/threats/ransomware-wannacry

3. https://ics.sans.org/media/IT-OT-Convergence-NexDefense-Whitepaper.pdf

4. https://www.bbc.co.uk/news/technology-30575104

5. https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf


This incident is considered to be the first known successful cyber attack on a national
power grid. More recent events, however, have revealed vulnerabilities in other parts of
key national infrastructure. In November 2019, the Nuclear Power Corporation of India
confirmed an attack at the Kudankulam nuclear facility in Tamil Nadu. Investigation by
India’s Department of Atomic Energy found one user had caused the incident by connecting
a malware-infected personal computer to the plant’s administrative network. While no
critical damage was recorded in the production environment, some speculated that this first
breach could have laid the foundations for a more serious future incident. In the weeks that
followed, analysts reported that large amounts of data had been stolen from Kudankulam’s
servers. If true, it would be possible for bad actors to target the plant’s ‘air gapped’ ICS
more effectively at a later date. As the Washington Post reports, isolating production
networks can be effective against unsophisticated cyber threats but not against targeted
attacks that leverage witting or unwitting people in large, difficult-to-defend supply chains.[6]

Even with technical advances, risk remains high. In 2019, Kaspersky Lab released a report
on the state of ICS, confirming it had detected and prevented activity by malicious objects
on almost half of the systems it analysed. Contrary to the Washington Post’s assessment,
security researcher Kirill Kruglov believes that the main threat does not come from targeted
attacks but rather “mass-distributed malware that gets into industrial systems by accident,
over the internet, through removable media such as USB sticks, or emails.” However, as
Kruglov adds, the fact that attacks are successful because of a casual attitude to ‘cyber security
hygiene’ means they can potentially be prevented through staff training and awareness.[7]

Developing robust plant security is difficult for several reasons. First, cyber weaponry
is becoming more sophisticated, exploiting both technical vulnerabilities and human
fallibility. Secondly, security of OT is relatively immature when compared to IT. Twenty
years ago, for example, it was not possible to ‘see’ or monitor a physical asset on the plant
floor like it is today. Consequently, it is only in recent years that OT security has risen up
the security agenda as cyber threats have developed effects that rival, or even surpass,
physical attacks. Thirdly, new problems are emerging as IT/OT convergence gathers pace.
Finally, IT cyber security strategies cannot be copied and applied in the OT domain. OT
is principally concerned with safety and availability, while IT is focused on information
confidentiality. The security management principles required are therefore different.

Organisations can no longer rely on existing processes. Kaspersky’s latest report The
State of Industrial Cyber Security highlights the need for action. Less than 40 per cent
of businesses that took part said they had not experienced any cyber incidents in the
last 12 months, while 52 per cent were “aware of the need to provide more resource
for OT/ICS cyber security”.[8] The last decade has shown the damage of a complacent
approach to security in industrial environments. While no facility can completely
eliminate risk, measures can be put in place to limit the extent of exposure.

This report discusses that process.

6. https://www.washingtonpost.com/politics/2019/11/04/an-indian-nuclear-power-plant-suffered-cyberattack-heres-what-you-need-know/

7. https://www.silicon.co.uk/e-regulation/industrial-control-systems-cyberattacks-242897

8. Kaspersky, The State of Industrial Cyber Security, 2019


Distinguishing IT and OT

(IT = Information Technology, OT = Operational Technology)

Purpose
  IT: Manage information, automate business processes
  OT: Manage assets and events, control plant processes

Focus
  IT: Confidentiality
  OT: Safety and availability

Architecture
  IT: Transactional, relational database management system, publishing or collaboration
  OT: Event driven, real time, embedded software, rule engines

Interfaces
  IT: Web browser, terminal and keyboard
  OT: Sensors, system-specific and proprietary user interfaces

Custodians
  IT: CIO, infrastructure, operations and apps professionals
  OT: Engineers, technicians and plant managers

Connectivity
  IT: Corporate network, IP based, web based, mobile, wireless
  OT: Control networks, increasingly IP based and wireless

Examples
  IT: ERP, supply chain management, CRM, email, enterprise asset management and billing
  OT: Integrated control systems, safety systems, programmable logic controllers, human-machine interfaces, data historians, truck loading system and tank gauging system

Source: Attila Cybertech, ICS/SCADA Cyber Security and IT Cyber Security [9]

9. https://hitcon.org/2017/pacific/0composition/pdf/Day2/R1/R1-1.12.8.pdf


IT/OT Convergence
Until recently, IT and OT have remained separate silos with their own priorities and
structures. IT is overseen by CIOs and IT network specialists principally concerned with
access and integrity of data, while OT is the domain of plant managers and engineers who
will be looking to minimise injury, damage and downtime. Commercial pressure and wider
economic challenges, however, are now causing these two areas to integrate for better
responsiveness to changing market conditions.

What is IT/OT convergence?

IT/OT convergence is the integration of information technology systems used for data-centric computing with operational technology systems that monitor and control events, processes and devices within the production environment. Convergence allows for greater control, monitoring and analysis from anywhere in the world.[10]

Why is it happening?

The disconnect between IT and OT systems has delivered unreliable outputs. Engineers recognise that operational data has value outside of the production environment yet do not have the means to distribute it. IT is needed to leverage this information for use across general business platforms, like enterprise resource planning and manufacturing execution systems. IT professionals, on the other hand, require the knowledge and support of colleagues in the OT space to make improvements throughout the entire supply chain. IT/OT convergence is seen as the best way of making an organisation more productive and agile in a time of intense global competition.

10. https://searchitoperations.techtarget.com/definition/IT-OT-convergence


The impact on ICS

Traditionally ICS development utilised specialised proprietary hardware and software deployed as standalone platforms, isolated from corporate networks. Typically, ICS vendors developed their communication protocols to communicate with devices on the plant floor. Initially these protocols were physical serial communications but over time evolved to operate via ethernet networks. Nowadays, more commercial off the shelf (COTS) IT technologies are integrated across ICS networks to support integration and deployment of value-added solutions, like remote asset monitoring, predictive maintenance and ‘digital twin’ applications. IT/OT convergence is seen as a key enabler for industrial initiatives – such as open process automation, IIoT or Industry 4.0 – and plays an important role in an organisation’s digital transformation strategy.

Emerging problems

At one time critical infrastructure did not connect with the internet. The ICS family, which includes but is not limited to SCADA and distributed control systems (DCS), was designed and deployed within isolated networks where exposure to cyber threats was limited. However, IIoT, which necessitates a move over to open source OS and adoption of standard communication protocols, is making it easier for bad actors to reach ICS. Manufacturing, power generation, oil and gas, water, railroad and aviation are just some of the critical industries now threatened. As the SANS Institute points out: “Internet connectivity has opened ICS network boundaries that historically were closed, well-defined and documented, resulting in the desire and need for visibility into critical communication links — especially wireless extensions to the ICS architecture”.[11]

Cyber attacks continue to develop in number and sophistication.[12] ICS threats can be placed into four categories depending on their intention. These categories range from ‘opportunistic’ to ‘tailored-effects’. The former will have broad targets with disruptive effects, while the latter will have specific targets with destructive effects. The ‘Stuxnet’ worm that damaged Iran’s nuclear programme is a well-known example of malware with tailored effects.[13]

11. https://radiflow.com/wp-content/uploads/2019/06/Survey_ICS-2019_Radiflow.pdf

12. https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-ics-white-paper.pdf

13. https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/


The four types of ICS threats

ICS Opportunistic (General Purpose): PETYA

ICS Themed (Delivery Techniques): HAVEX, Dragonfly 1.0

ICS Tailored-Access (Exploits & Modules): BlackEnergy 2, HAVEX, Dragonfly 2.0

ICS Tailored-Effects (Payloads/Manipulation): STUXNET, CRASHOVERRIDE, TRITON

It is important to note that risk exceeds what is reported in the media. High-profile incidents
like Stuxnet will occasionally make headlines but organisations are known to face a persistent
‘silent’ threat. Confidentiality and reputational damage mean these incidents are often not
publicly disclosed. This is worrying when research shows 70% of organisations believe an attack
on their OT/ICS is ‘likely’ and just 31% have an appropriate incident response plan in place.[14]

Industrial automation is improving the performance of critical assets by providing wider access to data flows. The connectivity necessary to collect and share this information, however, is now extending the boundaries of a once-autonomous system. The size of the prize has consequently increased for potential attackers.

14. Kaspersky, The State of Industrial Cyber Security, 2019


Case Study Stuxnet 2010

Stuxnet is a malicious worm that targeted vulnerabilities in the Windows OS and is the first
known to attack SCADA systems. It was discovered in 2010 but thought to have been in
development since 2005, or possibly earlier. Stuxnet is believed to have ruined one-fifth of
Iran’s nuclear centrifuges, its primary target, yet it went on to infect over 200,000 computers
and caused 1,000 machines to physically degrade.[15]

The malware’s sophistication took computer experts by surprise. It exploited four ‘zero-day’
vulnerabilities that had yet to be discovered and patched by developers or antivirus vendors.
Researchers initially believed the worm was developed for surveillance purposes but soon
discovered it was designed to sabotage centrifuges at power facilities in Natanz, Iran. The
malware has three parts that work in concert: a worm, a .LNK file and a rootkit. Working
together, these three components allow Stuxnet to execute its payload, spread to other
machines and hide all malicious files and processes from detection systems.

Stuxnet specifically targets programmable logic controllers (PLCs) made by Siemens that are
commonly used to automate processes in the production environment. It was introduced to its
target via an infected USB stick, thus breaching the facility’s air gap. Once inside, it collected
information and caused fast-spinning centrifuges to spin out of control.

As David Kushner writes: “Stuxnet could spread stealthily between computers running
Windows – even those not connected to the Internet. If a worker stuck a USB thumb drive
into an infected machine, Stuxnet could, well, worm its way onto it, then spread onto the next
machine that read that USB drive. Because someone could unsuspectingly infect a machine
this way, letting the worm proliferate over local area networks, experts feared that the
malware had perhaps gone wild across the world”.[16]

15. https://www.mac-solutions.net/en/news/129-sheep-dip-your-removable-storage-devices-to-reduce-the-threat-of-cyber-attacks

16. https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet


Lessons learned

• ICS are subject to human nature. Defences can be bypassed, particularly in facilities with poor security awareness, and lack of effective policies and procedures.

• All the necessary resources exist today to successfully engineer a specialised attack against an ICS.

• Stuxnet was believed to be knowingly introduced by a plant worker via an infected USB stick, highlighting the ‘insider threat’ that can only be combatted with a holistic approach to plant security.

How STUXNET worked

1. Infection: Stuxnet enters a system via a USB stick and proceeds to infect all machines running Microsoft Windows. By brandishing a digital certificate that seems to show that it comes from a reliable company, the worm is able to evade automated-detection systems.

2. Search: Stuxnet then checks whether a given machine is part of the targeted industrial control system made by Siemens. Such systems are deployed in Iran to run high-speed centrifuges that help to enrich nuclear fuel.

3. Update: If the system isn’t a target, Stuxnet does nothing. If it is, the worm attempts to access the Internet and download a more recent version of itself.

4. Compromise: The worm then compromises the target system’s programmable logic controllers, exploiting ‘zero day’ vulnerabilities - software weaknesses that haven’t been identified by security experts.

5. Control: In the beginning, Stuxnet spies on the operations of the targeted system. Then it uses the information it has gathered to take control of the centrifuges, making them spin themselves to failure.

6. Deceive and Destroy: Meanwhile, it provides false feedback to the operators, ensuring that they won’t know what’s going wrong until it’s too late to do anything about it.

Image Source: IEEE


Frameworks, Regulations and Standards

Cyber security is governed by different frameworks and standards. This section details key
guidance, which is seen as best practice for supporting regulatory compliance in ICS.

NIST Cyber Security Framework

The NIST cyber security framework provides private sector organisations with a structure
to prevent, detect and respond to cyber incidents. It uses business drivers to guide cyber
security activities and considers robust digital protections as central to an organisation’s risk
management process. NIST’s framework consists of three main parts:

• Implementation tiers – The tiers describe how well an organisation’s cyber security risk
management decisions exhibit characteristics defined in the framework. Tiers range from
partial (1) to adaptive (4). Higher tiers reflect the degree of rigor and integration of cyber
security practices as part of wider risk management.

• Framework core – The framework core is a set of desired cyber security activities and outcomes.

• Profiles – Profiles reflect the alignment of an organisation’s requirements and objectives, its risk
appetite and resources available to achieve desired outcomes listed in the framework core.


NIST 5 FUNCTIONS

The framework core has five functions, which provide a strategic view of an organisation’s cyber security risk management.

1. Identify
Organisations must develop an understanding of their environment to manage cyber security risk. It is essential to have full visibility of digital and physical assets and their interconnections. Compliant organisations must also have defined roles and responsibilities, understand the current level of exposure and put policies and procedures in place to manage those risks.

2. Protect
Organisations must develop and implement appropriate safeguards to limit or contain the impact of a cyber incident. This means controlling access to digital and physical assets, providing awareness education and training and putting processes into place to keep data secure. Compliant organisations will also maintain baselines of network configuration and operations to repair system components. Protective technology should be deployed to improve cyber resilience.

3. Detect
An organisation must have the ability to quickly identify cyber threats. Monitoring solutions that detect anomalous activity and other threats to operation are required to comply with this function. Ongoing observation and cyber threat hunting are effective ways to assess and prevent cyber incidents in the production environment.

4. Respond
An organisation must be able to contain the impact of a cyber attack. Response plans must be created that define channels of communication among different stakeholders. The organisation must also collect and analyse information relating to the attack, eradicate any active threat and incorporate lessons learned into revised response strategies.

5. Recover
Organisations must develop and implement an action plan that recovers service after a cyber attack. It is vital to coordinate restoration activity with all affected parties.
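As an added example (it is not part of the Yokogawa report or its programme), the following Python script shows how the Identify, Protect and Detect functions above fit together in practice: an approved OT asset inventory is recorded (Identify), serialised as a baseline that can be kept under change control (Protect), and a later discovery result is compared against it to surface unknown devices, missing devices and unapproved changes (Detect), with the findings ranked for the Respond step. Every asset name, zone, address and firmware version is constructed for illustration.

```python
"""Added example (not part of the Yokogawa report): an OT asset inventory
baseline with drift detection, tying together the NIST Identify, Protect and
Detect functions. Every asset record below is constructed for illustration."""
from dataclasses import dataclass, asdict
import json


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str       # segment the asset sits in (e.g. control, safety, dmz)
    ip: str
    mac: str
    firmware: str
    owner: str      # role accountable for the asset (Identify: roles and responsibilities)


# Identify: the approved inventory recorded when the baseline was taken (constructed).
BASELINE = [
    Asset("plc-01", "control", "10.10.1.11", "00:1b:1b:aa:00:11", "4.2.1", "control-eng"),
    Asset("plc-02", "control", "10.10.1.12", "00:1b:1b:aa:00:12", "4.2.1", "control-eng"),
    Asset("hmi-01", "supervisory", "10.10.2.21", "00:50:56:bb:00:21", "2.0.3", "operations"),
    Asset("historian-01", "dmz", "10.10.3.31", "00:50:56:cc:00:31", "7.1", "it-ops"),
    Asset("sis-01", "safety", "10.10.4.41", "00:1b:1b:dd:00:41", "1.9.0", "safety-eng"),
]

# Constructed result of a later discovery pass: one unapproved firmware change,
# one device no longer seen, and an unknown laptop on the control segment.
OBSERVED = [
    BASELINE[0],
    Asset("plc-02", "control", "10.10.1.12", "00:1b:1b:aa:00:12", "4.3.0", "control-eng"),
    BASELINE[2],
    BASELINE[4],
    Asset("eng-laptop", "control", "10.10.1.99", "3c:97:0e:ee:00:99", "unknown", "unknown"),
]


def baseline_snapshot(assets):
    """Protect: serialise the approved inventory as a stable, diffable document
    that can be stored under change control (and signed, if desired)."""
    rows = [asdict(a) for a in sorted(assets, key=lambda a: a.name)]
    return json.dumps(rows, indent=2, sort_keys=True)


def load_snapshot(text):
    """Rebuild Asset records from a stored snapshot."""
    return [Asset(**row) for row in json.loads(text)]


def detect_drift(baseline, observed):
    """Detect: compare the observed network against the baseline, keyed on MAC
    address. Returns only the non-empty finding categories; {} means no drift."""
    base_by_mac = {a.mac: a for a in baseline}
    seen_by_mac = {a.mac: a for a in observed}
    findings = {"unknown_device": [], "missing_device": [], "changed": []}
    for mac, seen in seen_by_mac.items():
        known = base_by_mac.get(mac)
        if known is None:
            findings["unknown_device"].append(seen.name)
            continue
        for field in ("ip", "zone", "firmware"):
            old, new = getattr(known, field), getattr(seen, field)
            if old != new:
                findings["changed"].append((known.name, field, old, new))
    for mac, known in base_by_mac.items():
        if mac not in seen_by_mac:
            findings["missing_device"].append(known.name)
    return {k: v for k, v in findings.items() if v}


HIGH_CONSEQUENCE_ZONES = {"control", "safety"}


def triage(findings, observed):
    """Rank findings for the Respond step: an unknown device next to PLCs or the
    SIS is treated as high, configuration changes as medium, absences as low."""
    zone_of = {a.name: a.zone for a in observed}
    ranked = []
    for name in findings.get("unknown_device", []):
        level = "high" if zone_of[name] in HIGH_CONSEQUENCE_ZONES else "medium"
        ranked.append((level, f"unknown device {name} seen in zone {zone_of[name]}"))
    for name, field, old, new in findings.get("changed", []):
        ranked.append(("medium", f"{name}: {field} changed from {old} to {new}"))
    for name in findings.get("missing_device", []):
        ranked.append(("low", f"{name} not seen during discovery"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(ranked, key=lambda r: order[r[0]])


if __name__ == "__main__":
    snapshot = baseline_snapshot(BASELINE)   # what would be stored under change control
    drift = detect_drift(load_snapshot(snapshot), OBSERVED)
    for level, message in triage(drift, OBSERVED):
        print(f"[{level}] {message}")
```

Keying on MAC address rather than name or IP is a deliberate choice: a device that is re-addressed or renamed still shows up as a change to a known asset, while a new interface on a control segment is reported as unknown even if it has borrowed a familiar IP. In a real deployment the discovery records would come from passive network monitoring rather than a hand-written list, and the snapshot would be signed so that the baseline itself cannot be silently altered.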


IEC 62443

IEC 62443 security levels (figure):
Security Level 0: No security
Security Level 1: Protect against accidental errors
Security Level 2: Protect against intentional attacks with simple means and low resources and knowledge
Security Level 3: Protect against intentional attacks with sophisticated means and moderate resources and knowledge
Security Level 4: Protect against intentional attacks with sophisticated means and high resources and knowledge

IEC 62443 is seen as best practice for the security of industrial networks. It helps organisations
to limit the exposure of an ICS to cyber threats. The standard is published by the International
Electrotechnical Commission and much of the document has been developed by industry. The
standard provides best practice for every aspect of the ICS cyber security lifecycle, from product
development, risk assessment through to operations, and is applicable to many different sectors.

The standard acknowledges that not every system is equally critical. IEC 62443 thus defines five
security levels (SL) to reflect the level of security required for a particular organisation. These range
from SL 0 (no security) to SL 4 (resistant to nation-state attacks).

Due to the changing nature of cyber threats, IEC 62443 treats security as an ongoing process rather
than a final goal. It caters to the development of ICS components that are “secure by design” and
successful integration has to be governed by defence-in-depth policies and practices.[17]

17. https://www.tripwire.com/state-of-security/regulatory-compliance/isa-iec-62443-framework/


NIS Directive

European operators of essential services (OES) – such as water distribution, power generation, and oil and gas facilities – must also comply with the Directive on Security of Network and Information Systems (NIS Directive). It was adopted by the European Parliament in July 2016 and became UK law in May 2018 as the Security of Network and Information Systems Regulations. The NIS directive has been fully implemented by the UK government, though there are separate provisions for the Republic of Ireland.

Operational Guidance Note 0086

Operational Guidance Note 0086 (OG86) is used by the UK’s Health and Safety Executive (HSE) inspectors to assess the effectiveness of cyber security in facilities regulated by Control of Major Accident Hazards (COMAH), typically chemical processing. While the guidance has mainly been drafted for HSE inspectors, it is freely available to COMAH operators. HSE also refers to OG86 when inspecting OES in the energy sector.

Why was OG86 needed?

• It provides guidance which did not exist before publication.

• Provides structure that can be used to train specialist HSE inspectors.

• Offers proportionate risk reduction and a means to demonstrate ALARP, which other guidance does not cover.

• Consistent with other available guidance.

OG86 covers both NIS and COMAH requirements so only a single inspection from HSE is required. It also acknowledges IEC 62443 as best practice.


The Cyber Security Journey


Technical barriers are important but they do not define effective cyber security. Indeed, organisations that
blindly adopt a solution without addressing other key areas will likely find their security is inadequate. This is
because technology should only be considered one of the defences in a production environment.

Notable attacks on ICS demonstrate this idea. Major breaches are often initiated when someone in the
corporate domain innocently opens a phishing email. This foothold provides hackers with access to
corporate networks and then the ability to move laterally into control systems.
The TRISIS attack in the Middle East is a typical example of this. These kinds of human error, even when not
maliciously intended, open a window to critical assets in the OT domain.

It is difficult to stop bad actors gaining access, particularly as IT/OT convergence gathers pace, but there
are measures that can stifle the opportunity to cause harm. However, this can only be achieved when an
organisation takes a holistic approach to cyber security, incorporating people and processes alongside
technology. A resilient culture, in other words, is essential for an organisation looking to combat today’s
evolving cyber threats.
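The path described above, a foothold in the corporate domain followed by lateral movement into control systems, is exactly what zone-and-conduit monitoring is meant to expose. As an added example (not code from the Yokogawa report or its programme), the Python script below checks observed network flows against an allow-list of permitted zone-to-zone conduits and reports every crossing that the policy does not sanction, counting them per zone pair so a chain of hops from the enterprise network through the DMZ into the control and safety zones stands out. The zone names, subnets, permitted conduits (including the Modbus/TCP and SIS engineering ports) and the flow records are all constructed for illustration.

```python
"""Added example (not part of the Yokogawa report): auditing network flows
against a zone/conduit allow-list so that IT -> DMZ -> OT lateral movement is
surfaced. Zones, subnets, policy and flow records are constructed."""
import ipaddress
from collections import Counter

# Constructed segmentation in the IEC 62443 zone style. Real subnets will differ.
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),
    "control": ipaddress.ip_network("10.10.1.0/24"),   # PLCs, HMIs, engineering workstation
    "safety": ipaddress.ip_network("10.10.4.0/24"),    # SIS engineering station and controller
}

# Constructed conduit policy: (source zone, destination zone, destination port).
# Anything that crosses a zone boundary and is not listed here is a violation.
ALLOWED = {
    ("enterprise", "dmz", 443),     # users read historian reports via a web front end
    ("dmz", "control", 502),        # historian polls Modbus/TCP from the control zone
    ("control", "safety", 20000),   # engineering station -> SIS (hypothetical vendor port)
}


def zone_of(ip):
    """Map an address to its zone, or 'unknown' if it is outside every defined zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    """Parse one constructed flow record: 'timestamp src_ip dst_ip dst_port proto'."""
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}


def check_flow(flow):
    """Return the flow annotated with zones if it violates the conduit policy, else None."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    if src_zone == dst_zone:
        return None                      # intra-zone traffic is outside conduit policy
    if (src_zone, dst_zone, flow["port"]) in ALLOWED:
        return None
    return {**flow, "src_zone": src_zone, "dst_zone": dst_zone}


def audit(lines):
    """Audit a batch of flow records. Returns (violations, count per zone crossing)."""
    violations = [v for v in (check_flow(parse_flow(line)) for line in lines) if v]
    crossings = Counter((v["src_zone"], v["dst_zone"]) for v in violations)
    return violations, crossings


# Constructed flow records. Only the first two and the fifth match a permitted conduit.
SAMPLE_FLOWS = [
    "2020-01-01T08:00:01 10.1.5.23 10.2.0.10 443 tcp",      # enterprise -> dmz web: allowed
    "2020-01-01T08:00:05 10.2.0.10 10.10.1.11 502 tcp",     # dmz historian -> plc: allowed
    "2020-01-01T09:12:44 10.1.5.23 10.2.0.10 3389 tcp",     # remote desktop into the DMZ host
    "2020-01-01T09:13:02 10.2.0.10 10.10.1.50 3389 tcp",    # DMZ host on to the engineering workstation
    "2020-01-01T09:20:17 10.10.1.50 10.10.4.41 20000 tcp",  # engineering station -> SIS: allowed
    "2020-01-01T09:25:30 10.1.5.23 10.10.1.50 445 tcp",     # enterprise host straight into control
    "2020-01-01T09:30:00 10.10.1.11 10.10.1.12 502 tcp",    # intra-zone, not assessed
]


if __name__ == "__main__":
    found, per_crossing = audit(SAMPLE_FLOWS)
    for v in found:
        print(f"{v['ts']} {v['src_zone']}->{v['dst_zone']} {v['src']} -> {v['dst']}:{v['port']}")
    for (src_zone, dst_zone), n in per_crossing.items():
        print(f"{n} unsanctioned crossing(s) {src_zone} -> {dst_zone}")
```

The allow-list is deliberately a set of exact (source zone, destination zone, port) triples with no wildcard or "later rule wins" semantics, so a remote-desktop session into the DMZ host is reported even though the same host is permitted to poll the PLCs; a conduit policy that cannot express "anything else is denied" is of little use against the lateral movement the section describes. Fed from a passive tap on the DMZ and control-zone boundaries, the same check becomes a continuous detection rather than a one-off audit.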

Yokogawa’s Plant Security Programme

This section explains the necessary steps for developing effective plant security controls.

1. Defining the Problem

It is important for an organisation to first define tolerable risk. What is deemed acceptable will differ depending on the industry and nature of an organisation’s business. It is useful to consider the following question: How and to what extent do I have to invest in cyber security to have a risk exposure that is deemed acceptable for our organisation?

Some might question why this exercise is necessary when so much industry guidance exists. IEC 62443, for example, can help organisations understand what compliant facilities look like but it will not explain how it is achieved. Regulation also cannot account for the countermeasures required at each site, which will have different resources, budgets, workforces and assets. Organisations therefore need to determine priorities based on their individual needs. Once this is clear they can begin developing an appropriate plant security programme.

2. Training

Security awareness helps employees to understand their roles and responsibilities while recognising common risks and dangers. It also helps to secure ‘buy in’ at every level of an organisation, cultivating a sense of collective responsibility. The CIO, for example, might not visit the production environment but it is still useful for them to understand how certain threats can infiltrate different parts of an organisation.

Cultural diligence will ultimately lower the potential for human error.

• Executives who are responsible for governance, compliance and define the strategy and level of investment

• Security professionals who initiate, implement and monitor security measures

• Users who rely on systems to carry out their tasks


3. Risk Assessment

Three risk assessments are recommended to determine the current level of risk. Yokogawa Consultants with OT and cyber security knowledge conduct these assessments based on industry best practice as outlined in IEC 62443.

• Operational risk assessment, which will assess the security management system for risk mitigation and security assurance.

• Business risk assessment, which determines the value of information types between the IT and OT domain, and the business continuity impact of a security breach in the production environment.

• Technical risk assessment, which will detect vulnerabilities for individual assets and determine the risks in the OT domain.

These three risk assessments are the cyber security baseline and mark the start of an OT cyber security program development.

4. Policy, Procedures and Design Principles

Once assessments are complete, and the baseline is determined, policy, procedure and design principles then need to be defined. Policies and procedures are the crucial link between people and technology, and the processes described serve as the foundation of security assurance.

Policies are high-level statements translating company targets and objectives into clear guidelines. The procedures define how the policies are achieved and the different roles and responsibilities found across an organisation. Procedures may also refer to other existing policies or standards adopted by the organisation.

5. Business Case

The business case will document the justification for undertaking an OT security programme. It will rationalise the required investment and define the plan and scope of work.

6. Design Principles

In accordance with set policies, this stage will determine the appropriate system architecture for the OT domain to reduce the risk to an acceptable level. The ideal design can be considered a blueprint for other sites run by the same organisation. However, it may not be possible to implement the complete blueprint at a different site for availability or economic reasons. In this case, a waiver is applied and documented with a higher acceptance of risk. Often this is a temporary measure until the full design is implemented.

7. Implementation

Once design has been finalised, technology will be installed where appropriate and management principles set to govern its use. On existing sites, upgrades will take longer as implementing all changes at once will be too disruptive. Organisations need to be extra vigilant during this transition period.

8. MANAGED SERVICES

Without proper managed services, the complete cyber security program will gradually deteriorate. Yokogawa’s managed services package provides ongoing support to maintain security of industrial assets. It is tailored to each customer’s needs, either as a single or enterprise-wide solution.

Service includes:

• Endpoint security, for secure and controlled access to critical data at any time and from any location
• Emergency recovery
• Asset inventory and monitoring, for preventative and predictive maintenance
• Remote operation from a centralised control room
• Expert threat intelligence
• Remote security update, which automates and standardises delivery and management of vendor-approved Windows operating system patches and antivirus signature updates
• Help desk for incident response, available at all times
• Compliance and reliability monitoring

Key benefits include:

• Minimised risk of unplanned downtime and production losses
• Audit trails for compliance
• Business continuity in the event of a security breach


[Figure: TRISIS 2017 attack path, annotated with callouts 1 to 5, running from the WWW through the IT network (RDP station), the IT/OT DMZ, the Process Control Network (IPC1, IPC2, engineering station) and the SIS network (SIS station, engineering station) to the physical process (sensors and actuators).]

Case Study TRISIS 2017

TRISIS, sometimes known as ‘Triton’, is malware that injects malicious code into the programmable memory of the Triconex Safety Instrumented System (SIS). SISs are responsible for the safe operation of production facilities and executing an emergency shutdown sequence in the case of an unsafe event. Malware targeting this specific area of the OT network is concerning as a successful attack could lead to dangerous plant conditions. TRISIS is the fifth known variant of malware that specifically targets ICS.[18]

In August 2017, TRISIS forced a petrochemical facility in the Middle East to shut down unexpectedly. Subsequent research revealed the hacker had gained access via the remote desktop protocol and was eventually able to reach the plant’s safety controller as the safety key had been left in ‘program mode’. While no explosion was reported, the incident highlighted the often-porous approach to cyber security in production environments.

TRISIS code has now been discovered at a second facility. The latest incident saw attackers gain a foothold in the plant’s corporate network, where reconnaissance was conducted to infiltrate the OT domain. Xenotime, the team believed responsible for developing TRISIS, have also probed oil and gas companies across Europe and North America in search of “vulnerabilities ripe for exploitation”.[19]

Attack path (figure callouts):

1. WWW: Although not confirmed, a phishing attack is suspected as a possible infection vector which provided attackers access to the IT network.

2. IT: The attacker further penetrated the IT network using well-documented and easily-detected attack methods.

3. DMZ: The attackers moved to the OT (Operational Technology) network through custom backdoors in the IT and OT DMZ right before gaining access to the PCS engineering workstation.

4. Operational Technology (OT) Network and Process Control System (PCS): Once on the OT network, the attackers were able to access the PCS Engineering and Safety Engineering workstations, where they injected a sophisticated Remote Access Trojan (RAT) for the Safety Instrumented System (SIS).

5. Safety Instrumented System (SIS) Networks: Physical safety and security controls were bypassed since the SIS safety controller key switch was left in the PROGRAM mode, therefore allowing the attacker to download and execute SIS program changes from the engineering workstation directly to the safety controller, causing a plant shutdown.

18. https://www.cyberscoop.com/trisis-ics-malware-saudi-arabia/

19. https://tech.newstatesman.com/security/xenotime-triton-power


Lessons learned

It is possible to target specific assets in the production environment that are responsible for safety. Special attention should be given to these assets to ensure a layered security approach is implemented for full protection.

TRISIS used social engineering techniques to gain a foothold in the IT domain. Escalation of privileges meant attackers were then able to access and manipulate industrial assets. Organisations need to understand how this journey is possible and what can be done to limit attackers’ opportunities.

Organisations should look to build a culture of security that accounts for complacency.
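As an added example (not from the white paper or from Yokogawa) of the kind of change-control check the lessons above call for, the following Python script reviews constructed SIS status events for the TRISIS failure mode: a safety controller key switch left in PROGRAM, and a program download outside an approved change window. The event fields, the one-hour limit and the sample data are assumptions, not any vendor’s format.

```python
"""Added example (not from the white paper): a change-control check for a
Safety Instrumented System, modelled on the TRISIS failure mode above. The
event fields, the one-hour limit and the sample data are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class SisEvent:
    time: datetime
    controller: str
    keyswitch: str   # "RUN" or "PROGRAM", as reported by the controller
    action: str      # "status" heartbeat or "program_download"

# Assumed policy: the key may stay in PROGRAM for at most one hour, and a
# program download is legitimate only inside an approved change window.
MAX_PROGRAM_TIME = timedelta(hours=1)

def review_sis_events(events, change_windows):
    """Return alert strings; change_windows maps a controller name to the
    (start, end) pairs during which program changes were authorised."""
    alerts, program_since, reported = [], {}, set()
    for ev in sorted(events, key=lambda e: e.time):
        if ev.keyswitch == "PROGRAM":
            since = program_since.setdefault(ev.controller, ev.time)
            if ev.time - since > MAX_PROGRAM_TIME and ev.controller not in reported:
                alerts.append(f"{ev.controller}: key switch left in PROGRAM since {since:%H:%M}")
                reported.add(ev.controller)
        else:  # back in RUN: the controller no longer accepts downloads
            program_since.pop(ev.controller, None)
            reported.discard(ev.controller)
        if ev.action == "program_download" and not any(
                start <= ev.time <= end for start, end in change_windows.get(ev.controller, [])):
            alerts.append(f"{ev.controller}: program download at {ev.time:%H:%M} outside any approved change window")
    return alerts

def at(hm):  # constructed timestamp on a single day, e.g. at("14:05")
    return datetime(2017, 8, 4, *map(int, hm.split(":")))

# Constructed sample: SIS-1 is left in PROGRAM after a morning change and
# receives a second download hours later, outside the approved window.
SAMPLE_EVENTS = [
    SisEvent(at("08:00"), "SIS-1", "PROGRAM", "status"),
    SisEvent(at("08:20"), "SIS-1", "PROGRAM", "program_download"),  # authorised
    SisEvent(at("09:00"), "SIS-1", "PROGRAM", "status"),
    SisEvent(at("14:00"), "SIS-1", "PROGRAM", "status"),
    SisEvent(at("14:05"), "SIS-1", "PROGRAM", "program_download"),  # the attack
    SisEvent(at("09:30"), "SIS-2", "RUN", "status"),
]
SAMPLE_WINDOWS = {"SIS-1": [(at("08:00"), at("09:00"))]}
```

Running `review_sis_events(SAMPLE_EVENTS, SAMPLE_WINDOWS)` yields two alerts: the key switch still in PROGRAM six hours after the morning change, and the 14:05 download that no change request covers.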

Yokogawa’s Advantage

Consultancy forms the foundation of Yokogawa’s unique approach to plant cyber security, integrating people, processes and technology to create a culture of resilience. Risk management strategies are informed by an in-depth knowledge of the OT domain across different types of industry. This work has allowed Yokogawa to calculate accurate budgets that reflect a customer’s unique needs and understanding of tolerable risk. It has also allowed the company to develop more than 30 best practice policies and procedures ready to be shared with customers. Recognising that no plant is ever completely secure, the company also provides ongoing managed services to ensure policy and practices keep pace with emerging threats.

Conclusion

No system is impregnable and vulnerabilities will continue to be discovered across the OT domain. Even with generous investment, no plant can completely eliminate its risk exposure. It stands to reason that a holistic approach to cyber security is the only way to keep pace with the latest generations of malware tailored to ICS. Doing so will create a safe production environment and ensure business continuity.


For further information about Yokogawa’s Advanced Solutions,
please contact your local representative at one of the locations below:

YOKOGAWA UK LIMITED
Stuart Road, Manor Park, Runcorn, Cheshire, WA7 1TR, UK
Tel: +44 (0) 1928 597100
Email: uk-marketing@uk.yokogawa.com

YOKOGAWA UK LIMITED
Unit 33 Abercrombie Court, Arnhill Business Park, Westhill, Aberdeen, AB32 6FE, UK
Tel: +44 (0)1224 914777
Email: uk-marketing@uk.yokogawa.com

YOKOGAWA IRELAND
Unit 411 Grants Park, Greenogue Business Park, Rathcoole, Dublin 24, Ireland
Tel: +353 (0) 1 4577454
Email: info@ie.yokogawa.com

Trademarks
All brand or product names of Yokogawa Electric Corporation in the white paper are trademarks or registered trademarks of Yokogawa Electric Corporation. All other company brand or product names in this report are trademarks or registered trademarks of their respective holders.

Subject to change without notice


Copyright ©2020, Yokogawa Electric Corporation
