Cyber threats are increasingly common, requiring a sophisticated response to safeguard valuable assets. By Sanjay Aurora, MD, Darktrace (Asia Pacific)
In China, a nuclear power plant’s cooling system overheats and explodes. For reasons initially unknown, plant technicians were unaware of the problem, until it was too late. The explosion was later discovered to be caused by a hacker using malware to modify Programmable Logic Controller codes. He also manipulated the plant’s diagnostic systems, ensuring that the cooling system failure would go undetected.
The incident above is the opening scene of the 2015 action movie ‘Blackhat’. And while the film has been ridiculed on various levels (for the remote possibility of a hacker as good looking as Chris Hemsworth, and for its inaccurate visual portrayal of a nuclear power plant), such attacks are not merely fiction. In June 2010, a ‘weaponised’ malware called ‘Stuxnet’ targeted the Natanz nuclear facilities in Iran with great precision, causing nuclear centrifuge equipment to wear out at a vastly increased rate.
Since ‘Stuxnet’, threats to industrial systems have grown rapidly in number and severity. Just last year, the reported compromise of a German steel mill resulted in massive damage to a blast furnace. In fact, data has revealed that cyberattacks against industrial control systems, also known as Supervisory Control and Data Acquisition (SCADA) systems, doubled in 2014 compared with 2013. Clearly, now is the time for us to take action to safeguard control systems against increasingly dangerous adversaries.
Facing A New Set Of Cybersecurity Concerns
As manufacturing and automation businesses become increasingly connected to corporate networks, the industry is facing the growing challenge of both internal and external cyber threats – perpetrators with both the motivation and capability to compromise industrial control networks and devices. Once inside an operational domain, such threats persist and spread: the intruder moves quietly, learning the environment and identifying further systemic weaknesses, before launching an eventual, full-scale attack. Technological solutions are therefore required to build resistance against, or eliminate, such risks.
SCADA systems are often described as the heart of modern industry, monitoring and controlling the rest of the organisation’s ‘bodily’ functions – complex processes and equipment. With many businesses dependent on the safe and reliable functioning of Operational Technology (OT), attacks on SCADA systems would bring catastrophic consequences, from immediate physical harm to long-term industrial espionage.
These systems, while designed to be interoperable and resilient, are not necessarily secure. They used to be ‘protected’, or rather, siloed from corporate networks. Security breaches were minimised through institutionalised processes for handling removable media and the implementation of precautions against human error.
But with economic pressure from intensifying international competition, machinery and equipment are now connected to the corporate network and the wider Internet. It is a well-known fact that OT and IT integration delivers numerous business benefits, such as the smoother transition of newly developed products into existing manufacturing operations, which significantly reduces a product’s time to market. Unfortunately, the connected environment has also made the manufacturing and automation industry more susceptible to network attacks than ever before.
Traditionally, control engineers did not have to be concerned about cyber threats from corporate IT systems, and IT security staff were not involved with control systems, or the physical equipment managed by these systems. But the situation has drastically changed.
The threats to control systems are amplified by the lack of information security staff with specialised OT skills, as well as the failure of legacy, rule-based approaches to cybersecurity – firewalls and passwords. With new vulnerabilities emerging at a pace difficult to keep up with, looking only for published historical attack types is an unsuitable approach for operationally important environments. OT-centric industries must now rethink their approach to cybersecurity.
Adopting An ‘Industrial Immune System’ Approach
First, for defenders of industrial control systems, it must become clear that any possible connection to the Internet opens a door for potential exploitation. Businesses must acknowledge that the total prevention of compromise is effectively impossible for the foreseeable future. The positive news is that detecting and responding to an intrusion before a full-blown crisis develops is an achievable cybersecurity goal, one that OT-centric businesses must pursue.
Second, de-risking the OT environment is a perpetual challenge that demands continuous insight and early warning. With new technologies that can be readily deployed within the integrated IT/OT environment, previously unidentifiable anomalies can now be identified. Similar to a biological immune system that self-learns and reacts to inconsistencies in the human body, such technologies analyse data in real time, creating a unique behavioural understanding or ‘pattern of life’ of each user and device within the network.
People and devices behave in a unique way, setting each individual apart from his, her or its peers. But with a solution that provides a visual overview of production environments and analysis of each user’s historical behaviours and patterns of change, subtle, yet abnormal activities become easy to spot and investigate.
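To make the ‘pattern of life’ idea concrete, the following is an added illustration (not Darktrace’s product code or any part of the original article): it learns, per source device, which peers and service ports that device normally talks to and how much it usually sends, then flags live flows that break that baseline. All host names, ports and byte counts are constructed sample data.

```python
"""Per-device 'pattern of life' baseline over OT network flows (illustrative)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline flows: (src_host, dst_host, dst_port, bytes_sent).
# Hosts, ports and byte counts are invented for this example.
BASELINE = [
    ("hmi-01", "plc-07", 502, 240), ("hmi-01", "plc-07", 502, 256),
    ("hmi-01", "plc-07", 502, 248), ("hmi-01", "historian", 1433, 4100),
    ("hmi-01", "historian", 1433, 3900), ("eng-ws", "plc-07", 44818, 1200),
    ("eng-ws", "plc-07", 44818, 1150),
]

# Constructed live flows to score against the learned baseline.
LIVE = [
    ("hmi-01", "plc-07", 502, 250),      # normal polling traffic
    ("hmi-01", "plc-07", 502, 9000),     # unusual volume to a known peer
    ("hmi-01", "plc-07", 22, 300),       # new service port on a known peer
    ("hmi-01", "10.0.9.9", 443, 500),    # peer never seen before
]

def learn_profiles(flows):
    """Build each source device's profile: for every (peer, port) pair it has
    used, the mean, population std-dev and max of bytes sent per flow."""
    pairs = defaultdict(lambda: defaultdict(list))
    for src, dst, port, nbytes in flows:
        pairs[src][(dst, port)].append(nbytes)
    return {src: {k: (mean(v), pstdev(v), max(v)) for k, v in seen.items()}
            for src, seen in pairs.items()}

def score_flow(profiles, flow, volume_factor=3.0):
    """Return a short reason if the flow deviates from its source device's
    baseline, or None if it fits the learned pattern of life."""
    src, dst, port, nbytes = flow
    prof = profiles.get(src)
    if prof is None:
        return "unknown source device"
    if dst not in {d for d, _ in prof}:
        return f"new peer {dst}"
    stats = prof.get((dst, port))
    if stats is None:
        return f"new service port {port} on {dst}"
    mu, sd, mx = stats
    if nbytes > max(mx * volume_factor, mu + 3 * sd):
        return f"volume {nbytes}B exceeds baseline max {mx}B"
    return None

def detect(profiles, flows):
    """Pair each anomalous flow with the reason it was flagged."""
    return [(f, r) for f in flows if (r := score_flow(profiles, f))]
```

A real deployment would keep the baseline rolling so that legitimate changes (a new historian, a firmware update) are absorbed over time rather than alerting forever.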
While promoting ‘Blackhat’, Chris Hemsworth perfectly summed up today’s business challenges with the statement: ‘The moment you connect, you lose control.’ The increasing vulnerability of control systems might be a revelation to some and a bitter pill to swallow for others, but industrial immunisation is imperative and modern businesses cannot afford to skip a beat.
There’s no better time than now for manufacturing and automation businesses to consider an ‘immune system’ approach that enables early detection and response to emerging threats, regardless of whether they originate in the IT or operational domains, or traverse between them.