Part 1: Why would anyone want to hack our factory?
Remarks on cyber security we hear on industrial sites
“Why would anyone want to hack our factory? We're not a nuclear power plant. Besides, our systems are segregated from the Internet, so we have nothing to worry about.” In this first blog of two, we are going to respond to the most common remarks that we regularly hear from personnel on site. We will provide new insights into the risks that are specific to ICS systems and show the level of ICS security awareness on the sites we have visited.
By Colin Schappin
When we execute security assessments on industrial sites such as a chemical factory or a car production facility, remarks like these are not uncommon. Whereas the security of IT systems has gained a lot of awareness in the past years, interest in the security of Operational Technology (OT) systems has only started to gain some traction. Awareness of OT security is slowly catching up.
“No one is interested in targeting us”
For a lot of industrial sites, this statement might be completely true. It could be the case that your particular factory is not a likely target for a cyber-attack, unlike some kinds of chemical factories or power plants, which are a common target of environmental activists. Besides environmental activists, other possible threat actors could be competing companies, a disgruntled employee or nation states.
However, one important aspect that is often forgotten in this line of thought is that not all cyber incidents are the result of a group of hackers actively targeting your company. Malware infections often happen by accident.
In June 2017, shipping terminals across the world began to shut down as a malware infection spread throughout the systems of a large container shipping company. The malware behaved like ransomware, software that encrypts all files on a system to make it unusable until the victim pays a ransom. However, in this case, paying the ransom wouldn’t work. The malware was simply designed to destroy. Moreover, the shipping company was collateral damage. The primary targets were companies in Ukraine. The delivery method was Ukrainian accounting software, of which the company had an instance running in a small office in Ukraine.
Accidental malware infection is a very important ‘attack’-angle to keep in mind and will come back in this blog while we’re discussing other common topics. Additionally, having a proper threat intelligence program in place will help identify the actual risks involved with targeted attacks, or other risks focused on one specific company, industry or location.
“Security does not increase our revenue”
When running the risk of not reaching production targets at the end of the month, it is understandable that your primary focus won’t be cyber security of production systems.
However, cyber security can help increase profit in the long run. We see an increasing trend of connecting existing ICS systems to the Internet and the use of the so-called Industrial Internet of Things (IIoT), often referred to as Industry 4.0. Big data analysis can provide very useful insights into the production process and identify possibilities for optimisation. Production processes that don’t have to run at full capacity 24/7 can be scaled up or down with fluctuations in the influx of raw materials or in energy prices. Without increased connectivity these innovations won’t be possible.
When ICS systems are implemented and maintained in a secure way, cyber security can be an enabler that opens the door to many profitable new developments and to serving clients in a better way. This could be positioned as a commercial advantage. Without proper security it would not be possible to stay ahead of the competition without running unacceptable risks at the same time.
If you would like to know more about technical industrial cyber security, such as the possibilities and challenges involved in using virtualisation in OT environments, take a look at Dima van de Wouw’s blog post. For a higher-level strategic view on the need for a security officer in industrial environments, take a look at Michel van Veen’s blog post.