Towards the end of 2017, researchers from cybersecurity firm Dragos detected a foiled malware attack which, even though it wasn’t successful, had serious repercussions for anyone working in industrial environments.
The malware, known predominantly as Triton but also going under the monikers of Trisis or HatMan, targeted petrochemical plants in the Middle East. What marked it out from other attacks was that it focused on safety instrumented systems (SIS). SIS are the last line of automated defence for industrial facilities. If these aren’t working, the risk of catastrophic incidents, such as fires and explosions, increases dramatically.
What transpired was that the attack inadvertently triggered the emergency shutdown of the facility’s safety system, the Schneider Electric-manufactured Triconex. In August last year, Andrew Kling, director of cybersecurity and architecture at Schneider Electric, wrote about how “the presence of malicious attacks at this level is our new reality” and that “immediate, collective action” is required to build a resilient cybersecurity strategy across the enterprise.
For some though, action has not been immediate enough.
“I maintain that this year we’re going to see a significant cybersecurity incident that’s going to affect a safety-critical system,” says Nigel Stanley, CTO of global operational technology and industrial cybersecurity CoE at TÜV Rheinland. “We started to see that a year ago with the Triton attack. I think we’re going to see more of that which could lead to physical damage and/or injury, or even loss of life.
“We’re reaching the point now where there is sufficient activity and interest in this area of the market that [it] is likely to happen,” adds Stanley. “I think it is going to be fuelled by the fact that we don’t understand all of the inherent cybersecurity bugs and flaws within a lot of this industrial kit, and it’s very much open season to find out what those bugs and flaws are and to abuse them. I think we’re going to see the revelation of a flaw that we haven’t even thought about.”
Naturally, part and parcel of working in this space means thinking about the worst-case scenario. Yet isn’t some of the problem, IoT News asks, down to the fact that a major incident probably has to happen before those highest up do something about it?
“Therein lies the rub,” says Stanley. “I think that will drive the ‘something has to be done’, ‘lessons will be learned’ attitude, which will then put pressure on the politicians to start to implement appropriate legislation and start to enforce it.
“A lot of the so-called regulations are very much saying that you should do this and you should do that, rather than you must do something,” he adds. “It’s a bit like GDPR – we need to have that ability to have a big stick that you can bring out if necessary if people still fail to address these problems.”
For industrial environments, there are many caveats that need to be considered – with particular focus on the sheer disparity of systems which need to be protected.
Stanley’s work with TÜV Rheinland covers what he calls a ‘huge’ domain, from electrical transmission systems, to autonomous vehicles, even to nuclear power stations. His remit is to be ‘involved in every project where a computer has some sort of a physical kinetic output’.
The promise of the Internet of Things (IoT) is to blur the lines between information and operational technology, but the difference to Stanley is clear. “I work very closely with colleagues in functional safety to help them address cybersecurity risks in safety-critical systems,” he explains. “It’s not IT; it’s stuff that can go bang.”
Despite the differences between industries – take oil and gas versus transportation as an example – Stanley notes that when it comes to cybersecurity a lot of the best practices are shared.
“The commonality could be making sure systems are patched, making sure you change default passwords, making sure that you only allow sufficient access to a system for someone to do the job they need to do so people don’t always get admin access,” he explains. “These common cybersecurity hygiene measures can often address 80% or so of the risk in whatever sector you’re operating in because there is a common thread emerging.”
These security best practices will be commonplace for those in IT and should be elsewhere – but it is an easy and often incorrect assumption to make. Back in 2014 this reporter spoke with Good Technology – now part of BlackBerry – after it rolled out a mobile working program at Amsterdam Airport Schiphol. Part of the move was a crash course in employee education, from videos across the building on what to do with regard to security to what the mobility provider curiously called ‘mobility posters’.
With these operational systems it can be a concern. “Often a factory floor worker would be forgotten about,” says Stanley. “You get your white collar workers up in the offices thinking about IT security, and they won’t even think that the people on the ground are dealing with high level intellectual property, complex safety-critical machinery.
“These are your frontline workers,” Stanley adds. “Any program, any collaboration for cybersecurity within operational technology has to be cross-departmental and multi-disciplinary, so it has to work with your HR people, your legal people, your unions, your PR people.
“Everyone has to be involved. It’s a real team sport, as it were.”
Stanley is speaking at the Cyber Security & Cloud Expo Global in London on April 25-26, focusing on cybersecurity systems of the transport industry as a case study. If there is one universal message to be taken from this, it is with regard to understanding organisational risk.
“To me the first step in any of this journey is to understand the risk,” he explains. “Just ask the question: do we understand the cybersecurity business risk that we face? Have we gone through an objective process of understanding our assets and understanding what those risks are?
“If they have done, and if they’ve created a risk register and if they’ve dealt with that, then that’s great and they’re a long way along the journey,” adds Stanley. “If the answer is no, then they need to rapidly get their arms around this and embrace the cybersecurity risk that currently is unbounded.
“Who knows what could be going wrong within an organisation?”