Understand how cyber resilience has been redefined by the growth of ICS
Cyber-risk. It’s one of the most potentially damaging hazards that business leaders and risk managers face, with the World Economic Forum estimating damage in 2021 could reach $6 trillion – that’s equivalent to the GDP of the world’s third largest economy. The ability of a cyber incident to cross borders easily, damaging multiple operations and systems around the world, means that the impact of an attack can be unprecedented.
When we think of cyber-attacks we often think of data loss and theft. However, arguably one of the more concerning aspects of cyber-attacks is their potential to cause damage in the physical world. Physical impact can be significant, causing business interruptions and damaging equipment and/or property. The likelihood of this occurring has increased in recent years and continues to rise due to the growth of digitalisation. Specifically, the increased use of industrial control systems (ICS) within commercial facilities, and the connectivity these systems bring, has exacerbated the cyber threat.
ICS create a connection between the digital world and the physical world by linking pieces of equipment and systems to the internet, allowing greater visibility and control. Generally, they are used to optimise business processes. This can range from building automation systems, such as intelligent air conditioning, to improving complex manufacturing processes by allowing machinery to operate autonomously on production lines or in power plants. As ICS offer greater inter-connectivity and operator convenience, the efficiencies they create can be very beneficial, with a positive impact on productivity. However, there are two sides to every coin: ICS bring with them an increased digital footprint and therefore an increased risk of cyber-attacks. So, what are the specific trends that have put ICS at risk?
Firstly, it’s important to understand the design of ICS. Although the adoption of widescale ICS may be a more recent phenomenon, some systems have been in place for a much longer period of time. Many of these systems, such as those used in power plants and waste management systems, were designed and installed before the cyber-threat was truly appreciated and understood, and as such security was much less of a concern than efficiency. The situation has now changed, as some devices are retrofitted to allow greater connectivity and remote management. ICS can also be very costly to upgrade with the latest security advancements, meaning that regular maintenance and review of the security systems is essential.
ICS are found in operational technology (OT) environments, and have historically been separated from an organisation’s main IT systems. However, the adoption of cloud computing and the growth of data analytics and other automation systems are making the picture more complex, as more and more devices are connected and the convergence between OT and IT increases. This is one of the most critical factors behind the increased vulnerability faced by ICS. That vulnerability is further exacerbated by the widespread use of remote working caused by the COVID-19 pandemic, since more people are looking to control operations and access systems remotely, potentially blurring the line between IT and OT even further. As IT systems and OT systems become more closely linked, the potential for a cyber-attack that damages one to adversely affect the other grows.
But what damage can these attacks actually cause? As mentioned above, ICS create a connection between the digital world and the physical world. This means that a successful attacker could cause real damage to individual pieces of equipment, potentially rendering an entire facility inoperable. Some of the most high-profile examples of cyber-attacks on ICS causing physical damage highlight this – in one facility a furnace was caused to overheat by an attacker, causing major damage. At others, IT systems were accessed by an attacker, and through this the OT system was compromised, with the attacker able to cause gas leaks, severely interrupting the operation of a facility and potentially endangering on-site employees. Not every attacker will seek to cause such damage; some may instead, for example, turn to blackmail for profit. Even so, organisations always need to keep physical damage in mind as a possibility, and take action to reduce the risk.
For organisations trying to reduce the exposure that their ICS face, the challenge can be very significant. Not only are they facing ever more complex systems, coupled with increasingly adept attackers, but also difficulties in securing the downtime for systems that need maintaining and updating. After all, these systems are often vital for the operations of the business and it can be very costly for them to sit inoperable for extended periods of time.
However, the biggest challenge that organisations face is a common one – people, often described as the weakest link when it comes to cyber security. Individual employees are often responsible for a cyber-attack occurring, as phishing emails pointing to bad links and infected files trick employees into downloading malware into a system, providing an access route for an attacker. Around 92% of attacks can be attributed to human error, with phishing being one of the most common methods of attack. Given so many of these attacks exploit human weaknesses and thinking, it can be incredibly difficult to stop all attempts, and it requires constant vigilance across the entire organisation.
Although the situation is complex, there are several security measures, grounded in good practice, that businesses can take to mitigate the risk their ICS face. These include implementing measures to ensure that IT and OT systems are kept as separate as possible – both in terms of connectivity and physically – as well as putting in place systems that can identify and alert the organisation when a cyber-attack has been attempted. Firewalls and other VPN security measures are also vital, and it’s important that these systems are updated and configured to deal with the greater volume of outside traffic that COVID-19 may have caused. As always, the training of employees and anyone who may have access to secure systems is critical. Training through techniques such as fake phishing emails can be very valuable, as it highlights to employees the need for vigilance. Finally, should a successful cyber-attack occur on an ICS, organisations need to have plans in place for how they respond, both in the short term, when dealing with the attacker and the potential damage that might be caused, and looking further ahead, to understand how the attack occurred and how to stop it from happening again.
With the 2020s expected to bring with them ever more digitalisation, and with the growth of Industry 4.0 through the adoption of emerging technologies like artificial intelligence, the Industrial Internet of Things and augmented reality, the cyber-threat that organisations face is only going to continue to change and become more complex. However, the efforts to reduce the risk are certainly not hopeless, and by grounding cyber-security measures in best practices, coupled with the training of employees, organisations can place themselves in the best possible position to minimise the likelihood of an attack occurring, protecting their operations and the associated revenue that they generate.