Don’t forget to lock the back door: Building resilience in industrial control systems

Published on Thu, 10/09/2020 - 20:10

Cyber-attacks are one of the most potentially damaging hazards that business leaders and risk managers face, with the World Economic Forum estimating damage in 2021 could reach $6 trillion - that’s equivalent to Japan’s GDP. Tiago Dias, Cyber Consultant, Cyber Hazards at FM Global, highlights how protecting industrial control systems (ICS) must not go under the radar.

When we think of cyber-attacks, we tend to think about data theft, manipulation and destruction. However, cyber-attacks also have the potential to cause damage in the physical world, to machinery and facilities - redefining the exposure that organisations face from the hazard. Physical damage can have significant cost implications, especially if the business offers critical services such as power or other utilities.

As the nature and complexity of the cyber threat has evolved, so too have the methods used by criminals to target systems. Technological advancements and the rise of digitalisation bring with them a greater capacity for hostile actors to cause damage and disruption. Specifically, the growing use of industrial control systems (ICS) within commercial facilities, and the connectivity these systems depend on, has complicated the cyber threat for many companies. As well as increasing the potential for damage from a cyber-attack, these systems can offer a back-door route in for criminals.

ICS are used to optimise business processes. This can range from relatively simple automation systems, such as intelligent air conditioning, to sophisticated systems enabling machinery to operate autonomously on production lines, creating an era of customised products and individual pricing.

The risks created by the greater use of ICS are exacerbated by the original design and implementation of many of these systems. ICS were often designed primarily to enhance efficiency and were rarely designed with resilience in mind. Many ICS may be functioning on older operating systems and were constructed without a key focus on how connections between systems, and sometimes to the internet, create risk and a security soft spot. For example, a Wi-Fi router for an air conditioning unit may look innocuous; however, it has the potential to give a criminal a back-door route into a business’ main IT systems. These are risks that no one anticipated having to deal with.

The critical function of many ICS from a business efficiency perspective means that costs accumulate quickly if they are taken off-line. ICS can also be very costly to upgrade with the latest security advancements, meaning that regular maintenance and review of the security systems is essential.

As well as offering criminals a back door to main IT systems, attacks on ICS themselves can be incredibly significant. Although rarer than other types of cyber breaches, such attacks can seriously disrupt a company’s operations, damaging important commercial property and/or equipment. The impact of such an attack may also be felt beyond the initial disruption.

Even if the intention behind an attack may simply be to interfere with or damage automated systems, a successful attack has the potential to damage adjacent equipment or even potentially the entire facility, as a fire could follow from machinery not operating as intended or breaking down. Such fallout is clearly severe and highlights the importance of securing every potential vulnerability.

For organisations trying to reduce the exposure that their ICS face, the challenge can be complex, and the risk is constantly being redefined. Not only are they facing ever more intricate systems, coupled with increasingly adept attackers, but the number of back door routes into IT systems is rising.

The pandemic has accelerated the growth of home working. Many businesses are arguably more exposed than ever before, as organisations now need to manage a digital workforce working away from on-site protective environments.

Although the situation is complex, there are several security measures, grounded in good practice, that businesses can take to build resilience. These include implementing measures to ensure that IT and OT (operational technology) systems are kept as separate as possible - both in terms of connectivity and physically - as well as putting in place systems that can identify and alert the organisation when a cyber-attack has been attempted.

Traditional measures such as firewalls and VPNs continue to be vital for every point of entry, and it’s important that these systems are updated to deal with the greater volume of outside traffic that changes in working practices due to COVID-19 may have caused.

As always, training and educating employees about risks, such as phishing emails, is crucial, as it highlights to employees the need for vigilance. Finally, should a successful cyber-attack occur on an ICS, organisations need to have plans in place for how they respond - both in the short-term, when dealing with the attacker and the potential damage that might be caused, and looking further ahead, to put in place preventative actions to stop a similar attack occurring again.

With digitalisation and process automation set to grow further in the 2020s, organisations will continue to face highly sophisticated cyber-threats. Being resilient will be a continuous process and organisations will need to identify and manage risks not just at the front door but at the back and side doors, windows and cracks.

Tiago Dias, Cyber Consultant - Cyber Hazards at FM Global, presented an Airmic LIVE webinar on Protecting Industrial Control Systems in a COVID-19 world on 29 June. You can watch that webinar here.