A Shifting Focus to Business Disruption & Physical Damage

We have witnessed an alarming increase globally in high-profile cyber-attacks on manufacturing businesses and critical infrastructure providers, such as Honda and the Enel Group in recent months, potentially signalling a shift in motive from the more familiar data theft towards business interruption and the physical incapacitation of business operations.

Honda manufacturing plants went offline on June 9, 2020 after a cyber-attack compromised some of the Japanese automaker's facilities. A separate attack at the same time followed the same pattern, targeting Edesur S.A., a company belonging to the Enel Group, which confirmed that its internal IT network had been disrupted by a ransomware attack caught by antivirus software before the malware could spread. Both companies had machines with Internet-accessible Remote Desktop servers, which is a favourite entry point for attackers nowadays.

Production at Lion, one of Australia's largest brewers, was severely impacted in recent weeks by a ransomware outbreak. In Israel, it was reported that a cyber-attack very nearly succeeded in poisoning the water supply, with the attackers attempting to overload the water system with chlorine, and in recent days a fire and explosion at an Iranian nuclear facility is suspected of having been caused by a cyber-attack.

These threats are very real, and appropriate investments in cybersecurity should be made by companies and municipalities that own or operate critical infrastructure, by owners of properties (including places of public congregation, retailers and others) that are rapidly deploying suites of operational technologies, and by businesses in the manufacturing sector.

Operational Technology (OT) is the backbone of modern industrial operations: a network of computing systems that perform functions such as production line management, operations control and industrial monitoring. OT includes specific classes of system such as Industrial Control Systems (ICS), the collection of control systems used to operate and/or automate industrial processes.

There are several types of ICSs, the most common of which are Supervisory Control and Data Acquisition (SCADA) systems, and Distributed Control Systems (DCS).

When such industrial systems, together with end-user products such as smart TVs, smart air conditioners, smart CCTV and connected vehicles, are joined to a common network and can be accessed over the internet, the result is what is commonly called the Internet of Things (IoT).

In OT security the focus is much less on information and much more on the industrial process that the technology controls. Hence availability and integrity are usually more important than confidentiality, the reverse of the priority most IT security programmes assume: a control loop that stops, or that acts on a falsified setpoint, can cause physical harm, whereas a leaked process value rarely does.

Any organization employing Operational Technology should carry out continual risk-based assessments of its cyber security posture, to prioritize and tailor recommended guidelines and solutions to its specific security, business and operational requirements.

How it works

A big issue with OT is that much of the technology in place is over 20 years old and therefore was never designed to provide the security capabilities required to face the cyber threats of 2020. Such legacy technology often also depends on legacy hardware and software to support it, much of which is end-of-life and unsupported by its vendors (consider, for example, SCADA systems still reliant on Windows NT or older Unix-based systems, which have not been supported by their vendors for many years). Patching is frequently impossible without replacing the platform, so compensating controls such as isolation and monitoring have to carry the risk instead.

OT systems have also been damaged as unintended side effects of problems that started in corporate networks and spread over the growing connectivity between the two, demonstrating that the standard PCs which now form part of a typical organization's IT environment, and which are in turn used to manage OT systems, have become a major vector for such attacks. Several plant shutdowns and safety-system failures have been publicly attributed to this: at the Davis-Besse nuclear power station (Ohio, USA) the Slammer worm disabled a safety parameter display system for nearly five hours in 2003; the Browns Ferry nuclear power station (Alabama, USA) was manually scrammed in 2006 after a drastic increase in network traffic caused pump controllers to fail; and the Hatch nuclear power station (Georgia, USA) was automatically shut down in 2008 after a software update on a business network machine that communicated with the control network reset data that the control system read as a drop in water level.

Additionally, the 2017 WannaCry ransomware outbreak, which affected the IT systems of organizations across many sectors and geographies, caused severe disruption at Honda's manufacturing facilities, halting production at its Sayama plant. Such incidents demonstrate that indirect compromise poses as significant a threat to operational environments as successful targeted attacks against OT.

What are the risks?

When it comes to OT, safety and reliability are the primary concerns, as attackers aim to disrupt the critical services that industry and its customers rely upon. Given the increasing tendency to connect OT systems to corporate networks for ease of management, and the growing use of IoT systems, the likelihood of such systems being affected by vulnerabilities exploitable over the network is rising rapidly.

For almost every business, not just critical infrastructure providers, most of the technologies we deploy include connectivity to the internet. Not knowing which systems, and which external access paths to those systems, your business is introducing through its everyday technology investments creates significant risk to the broader business operations.

Who does it affect?

OT systems are versatile and can be found in all kinds of industrial settings and infrastructure: smart buildings, oil and gas, energy generation and distribution, mining, waste water treatment and water distribution, manufacturing, food production, consumer devices and transport. In fact, almost every business in 2020 has an element of IoT within its operations.

Why does it happen?

The most common reasons why OT attacks succeed are:

  • Unauthorized access to internet-facing systems (e.g. an IoT device deployed with its default username and password);
  • An employee introducing a compromised device (e.g. a USB stick) into the environment and infecting the network;
  • Exploitation of zero-day vulnerabilities in control devices and software;
  • Malware spreading within supposedly isolated networks (e.g. an attacker plants a receiving device that opens a channel over which malware can propagate across the isolated network);
  • SQL injection via exploitation of web application vulnerabilities;
  • Network scanning and probing; and
  • Lateral movement (i.e. inadequate segmentation, which allows attackers to move between systems, groups of systems, network zones and even geographical locations).
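As an added example, not from the original article, here is a small detector for the scanning, probing and lateral-movement items in the list above. It reads constructed firewall flow-log lines, maps addresses to an assumed zone plan, and raises an alert when a single host outside the OT zones touches several distinct OT hosts within a short window. The zone ranges, the log format and the sample flows are all assumptions made for the example; OT-to-OT polling (a SCADA server cycling through its PLCs) is deliberately not counted, because that is the normal process traffic.

```python
"""Detect cross-zone probing in constructed firewall flow logs.

Added example: the zone plan, log format and sample flows are assumed.
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed zone plan; only the address ranges matter for this detector.
ZONES = {
    "corporate_it": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.15.0.0/16"),
    "ot_supervisory": ipaddress.ip_network("10.20.0.0/16"),
    "ot_control": ipaddress.ip_network("10.30.0.0/16"),
}
OT_ZONES = {"ot_supervisory", "ot_control"}


def zone_of(ip):
    """Name of the zone an address belongs to, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    """Assumed log format: '<iso-timestamp> <src> <dst> <dport> <allow|deny>'."""
    ts, src, dst, dport, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "action": action}


def detect_ot_probing(lines, window=timedelta(minutes=5), threshold=4):
    """Alert once per source when a host outside the OT zones contacts at least
    `threshold` distinct OT hosts inside `window`. Denied flows count too: a
    blocked probe still tells you someone is mapping the control network.
    Returns (src, src_zone, first_seen, sorted OT targets) tuples."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst) inside the window
    alerted, alerts = set(), []
    events = sorted((parse_flow(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    for ev in events:
        # Skip OT-to-OT traffic (a SCADA server polling its PLCs looks like a
        # sweep but is the normal process) and anything not aimed at OT.
        if zone_of(ev["src"]) in OT_ZONES or zone_of(ev["dst"]) not in OT_ZONES:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        targets = {dst for _, dst in q}
        if len(targets) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append((ev["src"], zone_of(ev["src"]), q[0][0], sorted(targets)))
    return alerts


# Constructed sample flows: a jump host doing its job, a SCADA server polling
# five PLCs, then a corporate workstation sweeping the PLC subnet on Modbus.
SAMPLE_FLOWS = """
2020-06-09T01:00:05 10.15.0.5 10.20.1.10 3389 allow
2020-06-09T01:00:12 10.20.1.10 10.30.1.21 502 allow
2020-06-09T01:00:13 10.20.1.10 10.30.1.22 502 allow
2020-06-09T01:00:14 10.20.1.10 10.30.1.23 502 allow
2020-06-09T01:00:15 10.20.1.10 10.30.1.24 502 allow
2020-06-09T01:00:16 10.20.1.10 10.30.1.25 502 allow
2020-06-09T01:03:40 10.10.4.50 10.30.1.21 502 allow
2020-06-09T01:03:41 10.10.4.50 10.30.1.22 502 deny
2020-06-09T01:03:41 10.10.4.50 10.30.1.23 502 deny
2020-06-09T01:03:42 10.10.4.50 10.30.1.24 502 deny
2020-06-09T01:03:42 10.10.4.50 10.30.1.21 44818 deny
2020-06-09T01:40:00 10.10.7.9 10.20.1.10 443 allow
""".strip().splitlines()

if __name__ == "__main__":
    for src, zone, first_seen, targets in detect_ot_probing(SAMPLE_FLOWS):
        print(f"ALERT {src} ({zone}) from {first_seen}: {len(targets)} OT hosts {targets}")
```

Run against the sample flows, only the corporate workstation 10.10.4.50 trips the detector; the first allowed connection followed by a run of denies is exactly the shape a sweep leaves in a firewall log, which is why the detector does not filter on the action field.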

How can it be prevented?

Mitigation cannot rely solely on the organization building security around the deployment, nor can it be a reactive approach of fixing vulnerabilities in production as they are identified. It begins with OT vendors building security in; however, as with most IT systems and applications, this will take time to evolve. For example, there is a movement in Australia, driven by the IoT Alliance Australia (IoTAA), to introduce a 'Trust Mark' for IoT devices that pass a certification process for security and privacy in product development. This is targeted to launch in September 2020 but will take many years to gain real traction. Thus, for the foreseeable future, the best operational outcomes must be planned and managed by the consumers of the technologies.

Here are the best practices to reduce exploitable IoT and OT weaknesses, and the attacks that follow from them, in your business:

  • Maintain an accurate inventory of operational systems and eliminate any exposure of these systems to external networks;
  • Establish clear roles and responsibilities for your organization and your vendors, to ensure cybersecurity risk is being addressed and managed throughout the OT lifecycle;
  • Implement network segmentation and apply firewalls between critical networks and systems;
  • Use secure remote access methods (for example a monitored jump host or VPN with multi-factor authentication, never Remote Desktop exposed directly to the internet);
  • Establish Role-Based Access Control (RBAC) and implement system logging;
  • Use only strong passwords, change default passwords, and consider other access controls (especially for any elevated privileges) such as multi-factor authentication, privileged access management solutions, etc.;
  • Establish threat intelligence feeds from your OT vendors and security vendors to ensure you remain abreast of new vulnerabilities, software/firmware patches and threats targeting the systems you employ;
  • Develop and enforce policies on mobile devices, including strict device controls for any device connecting to OT systems or network zones;
  • Implement an employee cybersecurity training program;
  • Establish and maintain a rigorous testing and patching program, including vulnerability assessment and penetration testing;
  • Implement measures for detecting compromises and develop a cybersecurity incident response plan with a specific focus on responding to a disruptive attack on your OT environment; and
  • Maintain an up-to-date Business Continuity Plan that can be deployed rapidly in response to a significant disruption.
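To make the inventory, exposure, segmentation and default-password practices above concrete (and the default-credential and segmentation items in the earlier list of causes), here is an added example, not the article's own tooling, that audits a constructed asset inventory against a constructed firewall rule set. The zone names, the permitted zone crossings, and the sample assets and rules are assumptions for the example; in practice the inventory would come from an asset discovery tool and the rules from a firewall export.

```python
"""Exposure and segmentation audit over a constructed OT inventory.

Added example: zone names, allowed crossings, assets and rules are assumed.
"""
from dataclasses import dataclass
import ipaddress

# Zone trust levels, least trusted first (loosely Purdue-style). Assumed names.
ZONE_TRUST = {"internet": 0, "corporate_it": 1, "dmz": 2,
              "ot_supervisory": 3, "ot_control": 4}

# Permitted flows from a lower-trust zone into a higher-trust one, with the
# ports they may carry. Any other such flow is a segmentation bypass.
ALLOWED_CROSSINGS = {
    ("corporate_it", "dmz"): {443},                  # historian replica / jump host over HTTPS
    ("dmz", "ot_supervisory"): {443, 3389},          # jump host to SCADA servers only
    ("ot_supervisory", "ot_control"): {502, 20000},  # Modbus/TCP and DNP3 from SCADA to PLCs
}

# Friendly names for services that should never face the internet.
SERVICE_NAMES = {23: "telnet", 502: "modbus", 3389: "rdp", 5900: "vnc", 20000: "dnp3"}


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    zone: str
    ports: frozenset          # listening TCP ports
    default_creds: bool = False


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_cidr: str
    ports: frozenset          # empty means "any port"


def reachable_ports(rule, asset):
    """Ports on `asset` that `rule` lets its source zone reach (empty if none)."""
    if ipaddress.ip_address(asset.ip) not in ipaddress.ip_network(rule.dst_cidr):
        return set()
    return set(asset.ports) if not rule.ports else set(rule.ports) & set(asset.ports)


def audit(assets, rules):
    """Return (finding_type, asset_name, detail) tuples in inventory order."""
    findings = []
    for a in assets:
        if a.default_creds:
            findings.append(("default_credentials", a.name, None))
        for r in rules:
            ports = reachable_ports(r, a)
            if not ports:
                continue
            if r.src_zone == "internet":
                # The practice is "eliminate any exposure", so every reachable
                # port from the internet is a finding, not only the risky ones.
                for p in sorted(ports):
                    findings.append(("internet_exposed", a.name, SERVICE_NAMES.get(p, str(p))))
            elif ZONE_TRUST[r.src_zone] < ZONE_TRUST[a.zone]:
                allowed = ALLOWED_CROSSINGS.get((r.src_zone, a.zone), set())
                for p in sorted(ports - allowed):
                    findings.append(("segmentation_bypass", a.name, f"{r.src_zone}->{a.zone}:{p}"))
    return findings


# Constructed sample inventory and rule set (not real systems).
SAMPLE_ASSETS = [
    Asset("scada-srv-01", "10.20.1.10", "ot_supervisory", frozenset({443, 3389})),
    Asset("plc-line-a", "10.30.1.21", "ot_control", frozenset({502}), default_creds=True),
    Asset("camera-dock-4", "10.10.5.7", "corporate_it", frozenset({80, 23}), default_creds=True),
    Asset("jump-host", "10.15.0.5", "dmz", frozenset({443, 3389})),
]
SAMPLE_RULES = [
    Rule("internet", "10.20.1.10/32", frozenset({3389})),     # "temporary" vendor RDP straight to SCADA
    Rule("dmz", "10.20.1.0/24", frozenset({443, 3389})),       # the intended jump-host path
    Rule("corporate_it", "10.30.1.0/24", frozenset()),         # any-port IT -> PLC network, bypassing the DMZ
    Rule("ot_supervisory", "10.30.1.0/24", frozenset({502})),  # SCADA polling PLCs over Modbus
]

if __name__ == "__main__":
    for kind, name, detail in audit(SAMPLE_ASSETS, SAMPLE_RULES):
        print(f"{kind:22s} {name:15s} {detail or ''}")
```

On the sample data the audit reports the internet-facing RDP rule to the SCADA server, the PLC and camera still on default credentials, and the any-port rule from corporate IT straight into the control network; the jump-host path through the DMZ is accepted because it is on the allowed-crossings list. Running such a check on every firewall change is a cheap way to keep the "eliminate any exposure" practice true over time rather than only at the initial assessment.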

© 2020 MyEmpire Group Pty, Ltd All rights reserved
