Rosa Richards looks at managing cyber threats as part of environmental risk management
First came steam power, followed by electricity and then the digital revolution. Now use of smart technology and the Internet of Things (IoT) to control processes in real time is driving the fourth industrial revolution, or Industrie 4.0. But, with every introduction of a new smart device or system the threat of a cyber-attack grows.
Cyber security incidents are often in the news and there is evidence that the frequency of attacks is increasing, although few have led to hazardous events. Nonetheless, environment managers may want to review the risk to their organisation's operations from cyber threats. At the same time those responsible for critical national infrastructure (CNI) and sites regulated under COMAH - control of major accident hazards - are advised to ensure procedures are in place and staff trained to deal any threat.
Growing problem
Uptake of smart technology is increasing year on year. Deloitte predicts that in 2015 one billion wireless IoT devices will be bought worldwide, 60% more than in 2014. ABI Research predicts that by 2020 more than 30 billion devices globally will be connected wirelessly to the internet. The increasing use by enterprises and industry of smart systems is accompanied by the responsibility for managing and protecting them.
Global cyber-attacks against supervisory control and data acquisition (SCADA) systems quadrupled in 2014 compared with 2013, according to Dell's annual threat report. The technology firm recorded 675,186 attacks in 2014, with Finland facing the largest proportion (202,322), followed by those in the UK (69,656) and the US (51,258). The high figures are likely to be due to increased awareness and detection, as well as the fact that SCADA systems are more common in these countries and more likely to be connected to the internet. Many attacks target operational capabilities in power plants, factories and refineries. These are political in nature rather than those that are financially-driven, such as credit card fraud or identity theft, but which receive more publicity.
The Health and Safety Executive (HSE) recognises the implications of cyber-attack on CNI, which includes energy, food, health, transport and water. It says: "Accidental failure or malicious attack on process control systems could result in loss of system-critical safety functions such as interlocking and emergency shutdown systems and disruption of control of the process, potentially resulting in serious risks to operators and possibly the public."
The Centre for the Protection of National Infrastructure (CPNI) advises large companies and organisations operating CNI to "take all necessary measures to prevent major accidents involving dangerous substances. Limit the consequences to people and the environment of any major accidents that do occur."
Operations using an instrumented control system that is electrical, electronic or programmable are bound by international standard IEC61508. This requires a hazard analysis to be undertaken but also a security threat analysis if malevolent or unauthorised action constituting a security threat is identified as reasonably foreseeable. The HSE says: "While it is good practice to isolate safety-critical control or protection systems from any connectivity to the 'outside world' this approach is being challenged by the changing nature of plant electronic control and management systems. This is leading to increased vulnerability of plant to electronic attack, while at the same time the threat level is increasing. The possibility of such electronic attack of control systems is recognised as a threat to the CNI."
A security breach can be caused internally simply due to human error - which accounts for about half, according to the UK 2015 information breaches survey, published by the government in June - or an intentional cyber-attack by a disgruntled staff member. Alternatively attacks can originate from malicious external third parties, including organised criminals, malware authors, activists and non-professional hackers. Poor IT security or a lack of control of vendors or third parties can present weaknesses. Breaches of technology were the third most common type of security breach after government and "other" in the first half of 2015, according to data from the Global Breach Level index.
In 2011, Stuxnet was the first-known virus designed to target critical infrastructure, such as power stations. It was transferred by USB to equipment physically isolated (air-gapped) from unsecured networks. Dragonfly was a less publicised virus, designed to sabotage energy supplies. It simply sent emails with information that the recipient opened. According to cyber security business Symantec, more than a 1,000 organisations in 84 countries were affected over an 18-month period.
Other cyber-attacks aimed at industrial control systems in 2014 include the Havex RAT - a cyber espionage malware campaign - and BlackEnergy malware attacks, which exploited vulnerabilities in products from GE, Advantech/Broadwin and Siemens.
Combating the threats
All employees need to be aware of cyber threats and how to avoid them; it is not just the responsibility of the IT department. They should understand the risks of spear phishing (a fraudulent email) across organisations and whale phishing (attacks on wealthier and senior people), which targets executives. Both make organisations vulnerable to cyber espionage by releasing sensitive information in response to cleverly worded emails (see case study, below).
Security control measures, such as firewalls, antivirus and vulnerability management can be put in place to prevent breaches, and threats can be monitored but these measures will not prevent all cyber-attacks. In the past, an organisation's internal network may have been "fenced off" from the web, but smart technology interacts with the internet. Previously the standards of security may have been higher for IT than for operational technology (OT), such as SCADA systems, due to the systems and knowledge bases being separate. This situation is changing with IT and OT working more closely together, such as in the utilities sector.
There is growing acceptance that breaches are inevitable so the emphasis in many companies is switching to securing sensitive data. Security experts recommend that firms take a data-centric view of digital threats. This includes setting long and strong passwords and installing multi-factor authentication and encryption so that if data is stolen it is useless. Data "tunnels" can be used so information being transferred is secure. Companies can hire ethical hackers, known as "white hat" hackers, to test the strength of their infrastructure. In addition, IT teams are recommended to establish roles and responsibilities, and to draw up plans for regular testing in scenarios that cover all possible outcomes.
Nick McLauchlan, business manager at the engineering business, Z-Tech Control Systems, warns: "There can sometimes be an assumption that smart devices are secure. If the original equipment manufacturer [OEM] is selling the device they must make it secure - right? Wrong, your data system is only as secure as the weakest link in the chain, and the OEM will generally assume that you are responsible for the security of your system." He recommends performing a full cyber-security risk assessment (see panel, below) at the design stage of any project. This should be followed by regular reviews throughout the life of the system, and staff should receive regular training on simple behavioural controls that will maintain security. These include instructions not to open attachments in emails from unknown sources and controlling the use of USB dongles. McLauchlan also advises organisations to refer to the guidance provided by the CPNI.
Severn Trent Water recently undertook a cyber-security review and improved its data security with guidance from the CPNI. John Skelton, chief technology officer at the utility company, said: "We took proportionate and appropriate action across people, process and technology to manage the risks. It was hard work at times, but we gained useful insights. There has been sweat, but no blood or tears - yet! We feel more confident that we are now more proactive to cyber threats rather than just reactive, and better prepared for the challenges ahead with increasing use of machine-to-machine [M2M] technologies." M2M refers to technologies that allow wireless and wired systems to communicate with other devices.
Organisations that have assessed their cyber-security agree that it has been a worthwhile exercise. Moreover, guidance is easily available on how to take proportionate and appropriate pre-emptive action. We are already living in the digital age and the system "surface" potentially vulnerable to cyber-attack will continue to grow with the types of threat likely to become more sophisticated.
Cyber-security risk assessment
A cyber-security risk assessment is the first step in securing process controls and SCADA. These steps are recommended by the CPNI:
- Undertake a cyber-security risk assessment to understand the business risk - a combination of credible threats, impacts and vulnerabilities. Questions to ask include: What information is at risk? From whom? How likely is this? How might attackers try to access the information? What impacts would there be? Who is responsible for this risk at board level? What security measures do you have and are they working? Is there an incident response plan? Can any improvements be made to improve security?
- Implement secure architecture according to the business risk. This should not rely on one single security measure, such as firewalls, for its defence.
- Establish response capabilities.
- Improve awareness and skills.
- Manage third-party risk from use of mobile devices, such as laptops and USB sticks, by implementing the Cyber essentials scheme, a government-backed initiative to help organisations protect themselves against common cyber attacks (bit.ly/1hkkmdz).
- Engage with all new process-control, system-related projects.
- Establish ongoing governance.
Your information risk management regime should comprise all of these components:
- Ongoing staff training and awareness-raising.
- A mobile working policy with training.
- Security patches.
- A policy for all removable media controls - for example, USB sticks.
- Account management processes - limit user privileges and monitor user activity.
- Incident management plans and reporting - see CiSP in useful resources below.
- A continuous monitoring strategy.
- Malware protection across the organisation.
- Network security measures.
Further advice is available at cpni.gov.uk. Other useful resources include: CPNI training in ICS security, which is free for CNI assets owners; Companies like yours video (bit.ly/1YLMJJS); Secure the breach - two-part video (bit.ly/1ODU7mU); The critical security controls for effective cyber defense, version 5.1, Council on Cyber Security (bit.ly/1o0RGIq); and the Cyber-security Information Sharing Partnership (CiSP) - a UK "community watch" scheme for cyber threats and vulnerabilities so that UK businesses are aware of current issues and can take steps to reduce their impact (bit.ly/1P3urzz).
Case study: Spear phishing attack at German steel mill
The German Federal Office for Information Security (BSI) reported in 2014 that a cyber attack on a German steel mill caused extensive damage to a blast furnace.
The attackers used spear phishing and clever social engineering to target key staff and trick them into opening emails.
The messages contained code that captured login details for the office network. This gave the hackers access to the plant's production systems. The attack led to parts of the control system failing, which resulted in the uncontrolled shutdown of a blast furnace and caused extensive damage.
The security services rated the attackers' technical skills as very advanced. To be capable of mounting the assault, the hackers would have had in-depth knowledge of IT security and technical knowledge of industrial control systems as well as production processes.
Attacks like this are reported to the national security services so that other operators of industrial installations are aware of the risks and threat level. In the UK, incidents are reported to the Cyber-security Information Sharing Partnership (CiSP).
