A common misconception is that both cyberattacks and cybersecurity controls are sophisticated and complex.
“In fact, the methods criminals use to infiltrate industrial networks are often relatively straightforward,” warns Charles Blackbeard, business development manager at ABB Ability Digital Solutions.
Therefore, it follows that protection measures also often do not need to be overly convoluted, especially when implemented in line with a defined strategy based on a risk assessment and managed by a user-friendly application that enables everyone to be part of cyber security efforts.
Cyber criminals may gain access to a facility through insecure remote login software by exploiting disclosed vulnerabilities in the software or sending phishing emails to employees, who open them on a system connected to the plant network. Attackers may then take control of the mouse on an individual workstation and perform malicious tasks undetected in the guise of a control system engineer performing their typical job but remotely.
“While controls such as patching, malware protection and system backups offer essential protection from cyber-attacks, they need a solid foundation,” stresses Blackbeard. Suppose an industrial system is built on a poorly designed, indefensible network, where all devices are separated from the internet by a single firewall. In that case, additional risks are added to the mix and may even offset the benefit from the implemented security controls.
Combining this with an ageing distributed control system relying on unsupported Windows computers makes it much easier for attackers to find and infiltrate the operation without using sophisticated methods.
Implementing and maintaining even the most basic security controls upon a solid architecture significantly reduces the risk of being compromised. Over time, when the assessed threat changes, one may need to add more security to stay ahead and aligned with the company’s strategy and risk appetite.
According to the SANS 2021 OT/ICS Cybersecurity Report, 48% of organisations surveyed did not know whether their industrial control system (ICS) had been compromised. “That statement by itself is rather disturbing, but even more so when coupled with the evidence that most systems already are or have been compromised,” highlights Blackbeard.
This illustrates that the urgent need to secure operational environments is matched only by the need for cultural change. Leadership must understand and support OT cyber security efforts and instigate an organisational cultural shift to prioritise training and action. “Without culture and behavioural change, it is unlikely that any investment in technology or software will lead to long-term protection,” argues Blackbeard.
The threat posed by cyberattacks on industry regarding financial loss, production downtime and reputational damage cannot be underestimated. A total of 61% of factories report that they have experienced a critical cyber security incident, while 75% say an incident has halted production. The average cost of OT-specific malware attacks for organisations is $2,6-million.
Ransomware attacks carried out by criminals for financial gain account for around eight out of ten attacks. Industrial companies are viewed as easy, high value targets whose OT systems may be outdated, unprotected and exploitable, maybe even via the internet, making an attack even easier.
“The question industrial companies should be asking is not ‘Can I afford to implement a cyber security strategy?’, but rather ‘Can I afford not to?'” points out Blackbeard. Viewed in terms of business criticality, protecting internal systems from hackers is now a business priority, particularly when it comes to critical public infrastructure such as electricity or fuel and water supplies.
Defining return on investment (ROI) from cyber security is never easy, because you are effectively buying risk insurance, rather than tangible increases in revenue and production. However, companies are increasingly aware that security is not just about protecting critical assets: It is also about answering to investors and protecting their right to operate by complying with international best practices and standards.
Keep in mind that the yearly cost of implementing a robust cyber security strategy and controls -which can be upgraded to respond to evolving threats to OT production assets – in partnership with a trusted service and technology provider works out far less than the cost of an insurance policy. A well-implemented cyber security strategy may reduce the insurance premium to fund these cyber efforts partly or fully.