Securing industrial environments and the risk of isolated PCs
It hardly comes as a surprise that the COVID-19 pandemic has pushed forward many digital initiatives worldwide. Businesses had to accelerate their digital plans, ensure employees could work from home and provide remote access to sensitive information – otherwise they feared missing out on lost business during what was already a trying financial time. However, this in turn has also led to an increase in cyber-attacks with threat actors looking to take advantage of businesses who didn’t have robust plans in place. While this shift and rush towards digitisation has affected almost every industry, it is critical that those in the industrial sector are paying extra attention, and now is the time to do so as organisations start to re-think their budget, plans and the solutions they have in place for 2022.
Up until now, the industrial sector has operated on the basis of closed systems. Now, however, migration to Industry 4.0 means that machines, applications, PCs and factories are being increasingly connected to cloud systems, using big data and artificial intelligence (AI) and interfaced with corporate IT systems. This convergence between industrial and standard computer technology is radically changing the game. However, along with the vast benefits to be enjoyed from a truly connected world such as enhanced productivity, sustainability, traceability and raw material optimisation, there is also a rising tide of security threats which, if not properly addressed, could spell disaster for the industry. In particular, improving security when it comes to PCs and laptops is something which needs to be addressed immediately. Just in terms of volume, there are far more laptops and computers in most environments and each one is a potential attack vector for cyber criminals. In addition, as more people start to make their way back into the office there is also increased cyber risk, some devices may not be patched, or they could be infected with malware. As the lines between our personal and professional lives continue to blur evermore, it is essential that businesses look to negate any cyber risk this brings.
It is now widely accepted that the wars of the future will take place less on the battlefield, and more in cyberspace – so security is not something that can be put on the back burner or traded off in favour of quick access. Instances of nation-state attacks have already been reported. Likewise, criminal attacks by individuals and small groups also take place on a regular basis. Events such as the 2017 WannaCry ransomware attack, the 2016 attacks on US water utilities, and more recently the Colonial Pipeline and Florida Water treatment plant cyber attacks clearly highlight the impact that cyber incidents in the industrial world can have – so securing every device in this industry is critical. So, what can the industrial sector do to prepare?
Industrial Systems: A favourite target for cyber-criminals
The industrial sector is one that never sleeps, with machines often working around the clock and warehouse staff up at dawn. However, the reality is that it can’t afford to especially when it comes to security – this sector is becoming a prime target for cyber criminals. So much so, that a recent study has revealed that half of UK manufacturers have been victims of cyber-crime in the last year.
In addition, we are also seeing more companies opting to work with suppliers in the industry that can demonstrate proven cyber security robustness. This combination puts industrial organisations under the spotlight and shows how extremely crucial a well thought out cyber security plan is. It is about protecting data and systems, ensuring operations can continue to run smoothly and it is also about ensuring they can prove robustness to prevent losing out on key projects and business along the way. This means quickly and effectively addressing the cybersecurity challenges facing the sector and proving that cyber risk management is taken into account in their solutions and business.
Furthermore, for the industrial sector this goes beyond business, as breaches could also result in physical harm, either to employees injured by a malfunctioning production line or to the public put at risk by system outages. As the Industrial Internet of Things (IIoT) expands, industrial equipment is increasingly connected to digital systems and needs to be protected from new digital threats. Without proper security in place, there is potential for such equipment to be manipulated by hackers and terrorists, or simply left exposed by negligence. This can result in anything from costly breakage through to contaminated services and harmful explosions – think of oil, gas and water suppliers.
The rise in threats is also combined with the fact that this sector is one of the most difficult to protect. The life cycle and the service continuity of industrial equipment only rings additional difficulty. Many industrial organisations rely on isolated PCs within their environment, and this means that these devices often have specific operating systems or applications which simply cannot be managed and secured with the usual IT infrastructure. As an example, for these devices traditional antivirus products simply won’t work unless they are connected to the internet. In addition, any end point device can easily become an entry point for hackers and ensuring industrial companies have the right security strategy in place is crucial.
The security trade off
One of the other key challenges is just how interconnected industrial systems are, an attack on one device or system has the potential to bring down the entire business. They are integrated to manage production, scheduling and remote access. Clearly, the integration of systems has introduced a great range of benefits such as reduced water and energy consumption, alongside with an increase in the overall equipment effectiveness, but as with most big developments, these benefits have come at a price. This means more entry points that businesses need to protect against, and a poorly secured system can provide an all-too convenient way in for threat actors allowing them to infiltrate the network.
In addition, an equally important factor to consider is that due to these recent integrations, what previously might have been viewed as an irrelevant security issue could now a major vulnerability – allowing threat actors to wreak havoc across the business – from bringing production lines to a halt through to threatening the use of security of equipment. With this interconnection and the convergence of IT and OT threats can infiltrate the network, giving potential attackers free reign over highly sensitive material and assets.
Up until recently, the very nature of industrial business has also presented a challenge. Unlike other sectors, in the industrial space there is a need for systems to run nonstop, and this must also be contented with the delicate balance of keeping facility costs low and availability high. What this has often meant it that priority has been placed on the availability and safety of equipment over cyber security.
A second area that IT teams need to pay close attention to is that many systems in this space where once traditionally isolated, before many digital initiatives began. Because many of these systems where essentially air locked from the outside world for so long, little attention has been paid to ensuring their security, leaving potential gaping security gaps as they become connected to the rest of the IT environment and IP-enabled.
A weak security system puts organisations, workers and the general public at risk when it comes to the industrial sector. From a workforce viewpoint, a cyber-attack can result in malfunctioning machinery and disrupted processes which can be extremely hazardous, with explosions, power surges and sudden changes in machine activity among the many dangers such a breach may cause. In addition, one of the biggest potential results of a cyber-breach is a full production shutdown. Not only is this financially detrimental, but it can have major reputational and public safety consequences as well. As an example, disruption to rail networks and traffic signals can cause damage to normal functioning of integral aspects of our built environment, as well as physical risk. A power grid shutdown, for example – such as the infamous attack in the Ukraine in 2015 – can have extreme impacts. Without gas, electricity or water, the consequences could be fatal. For the organisation itself, the financial cost of a cyber breach or attack is just the tip of the iceberg. Data leaks are hugely disruptive and put the organisation under great pressure from additional repercussions when it comes to compliance.
What can be done?
Ultimately, what this means it that organisations need to have a robust security system in place, which includes end point management and control over who has access to critical systems, when, and how they are permitted to use them.
While most attention is paid to the threat of attacks from outside sources, it is equally as important to secure the organisation from the inside and restricting and monitoring access will allow this. External attackers can piggyback on credentials from those within the organisation to execute their attack, a move that can be avoided, or at least mitigated, by having proper access management in place. Likewise, increasing reports of insider attacks highlight the need to minimise access to the least privilege principle.
In a world where connectivity across devices and systems is now ubiquitous, the necessity for organisations to arm themselves adequately against the growing tide of cyber threats is absolutely crucial. As the use of IoT grows across the industrial sector, the pressing need to secure all operational collateral, both physical and digital, cannot be underestimated.
To ensure business continuity and asset resilience, companies need to make sure that the access to their OT infrastructure is protected anytime, anywhere. Securing credentials usage, control privileges elevation or restrict network access, should be seen as a priority and not as a trade-off.
Privileged Access Management coupled with end point security plays a central role in securing these systems. Without effective controls over access to critical systems and data, the dangers to organisational performance, compliance, profitability and reputation are immense. Furthermore, any breach that threatens the safety of workers and the general public is inexcusable. It is time we took the security of Industry 4.0 seriously. There is too much at stake not to.