Cyber security wake-up call
03 July 2017
With the WannaCry ransomware crippling high-profile organisations including the NHS, and more recently the latest Petya variant rendering disks unrecoverable in organisations stretching from law firms in the USA to construction companies in France, cyber attacks are making headlines at a rate that suggests their proliferation is on a sharp upward trajectory.
While WannaCry wasn’t specifically designed to target industrial control systems, manufacturers were well represented among the owners of the 230,000+ computers it infected across 150 countries, and production at Nissan, PetroChina and Renault was disrupted. Add to this the latest Petya variant (dubbed NotPetya because, despite borrowing code from the original, it behaves differently) disrupting Ukrainian energy companies, railways and communications and infecting pharma company Merck and food giant Mondelez International in the US, and the industrial sector really should be getting something of a wake-up call.
It stands to reason that, as Industry 4.0, IIoT and smart factories drive the convergence of the IT and OT parts of industrial companies, their exposure to malware written primarily for business IT or infrastructure will increase: the networks, operating systems and remote-access paths that carry malware into the office increasingly reach the plant floor as well.
Plus, it’s not just ‘general’ malware that poses a risk. An even more frightening prospect is Industroyer, one of only a handful of known pieces of malware built and released specifically to disrupt industrial control systems, the best-known predecessor being Stuxnet. Industroyer attacks electricity substations and circuit breakers by speaking the industrial communication protocols the equipment itself uses (IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA). These protocols were designed without authentication, so a device will act on any well-formed command it receives, and they are standardised across sectors, from power, water and gas supply to transportation control, which means the same techniques are reusable well beyond the grid.
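To make the protocol point concrete, here is an added example (not code from the article, and not Industroyer’s own code) that encodes and decodes a minimal IEC 60870-5-104 single command, the kind of frame used to switch a binary output such as a breaker, and then runs a simple network-side check over constructed traffic: because the frame carries no authentication, the only place the command can be rejected is on the network, by flagging control-direction ASDUs from any host that is not the known SCADA master. The IP addresses, station and object addresses and captured flows are all constructed for illustration.

```python
"""
Minimal IEC 60870-5-104 (IEC 104) single-command encoder/decoder plus a
network-level check for control commands from unauthorised hosts.
Example code added for illustration; not Industroyer code and not the
article's. Addresses and sample traffic are constructed.
"""
from dataclasses import dataclass

START = 0x68
C_SC_NA_1 = 45  # single command: switch a binary output (e.g. a breaker) on/off
# Type IDs for "process information in control direction" (commands).
CONTROL_TYPE_IDS = set(range(45, 52)) | set(range(58, 65))
COT_ACTIVATION = 6  # cause of transmission: activation


@dataclass
class SingleCommand:
    common_address: int  # station / RTU address
    ioa: int             # information object address of the switch
    on: bool             # SCS bit: True = ON, False = OFF
    select: bool         # S/E bit: True = select, False = execute
    cot: int             # cause of transmission


def build_single_command(common_address, ioa, on, select=False, ns=0, nr=0):
    """Encode an I-format APDU carrying one C_SC_NA_1 ASDU.

    Note what is absent: there is no authentication or integrity field
    anywhere in the frame. Any host that can reach TCP/2404 on the RTU can
    build and send this.
    """
    # APCI control field: N(S) and N(R) are 15-bit, shifted left one bit.
    control = bytes([
        (ns & 0x7F) << 1, (ns >> 7) & 0xFF,
        (nr & 0x7F) << 1, (nr >> 7) & 0xFF,
    ])
    sco = (int(select) << 7) | int(on)  # single command object: S/E bit and SCS bit
    asdu = bytes([
        C_SC_NA_1,
        0x01,                    # VSQ: SQ=0, one information object
        COT_ACTIVATION, 0x00,    # cause of transmission, originator address
        common_address & 0xFF, (common_address >> 8) & 0xFF,
        ioa & 0xFF, (ioa >> 8) & 0xFF, (ioa >> 16) & 0xFF,  # 3-byte IOA
        sco,
    ])
    body = control + asdu
    return bytes([START, len(body)]) + body


def parse_apdu(frame):
    """Decode an APDU; return a SingleCommand for C_SC_NA_1, else None.

    Raises ValueError on malformed input.
    """
    if len(frame) < 6 or frame[0] != START:
        raise ValueError("not an IEC 104 APDU")
    if frame[1] != len(frame) - 2:
        raise ValueError("length field does not match frame size")
    if frame[2] & 0x01:
        return None  # S- or U-format frame: carries no ASDU
    asdu = frame[6:]
    if len(asdu) < 6:
        raise ValueError("truncated ASDU")
    type_id, vsq, cot = asdu[0], asdu[1], asdu[2] & 0x3F
    common_address = asdu[4] | (asdu[5] << 8)
    if type_id != C_SC_NA_1:
        return None
    if (vsq & 0x7F) != 1 or len(asdu) < 10:
        raise ValueError("unexpected object count for single command")
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    sco = asdu[9]
    return SingleCommand(common_address, ioa, bool(sco & 0x01), bool(sco & 0x80), cot)


def asdu_type_id(frame):
    """Return the ASDU type ID of an I-format frame, or None for S/U frames."""
    if len(frame) >= 7 and frame[0] == START and not (frame[2] & 0x01):
        return frame[6]
    return None


def flag_rogue_control(flows, authorised_masters):
    """Return (src, dst, type_id) for every control-direction ASDU whose
    source is not an authorised SCADA master. The protocol itself cannot
    reject the command, so this network-side check is the compensating
    control."""
    return [
        (src, dst, asdu_type_id(frame))
        for src, dst, frame in flows
        if asdu_type_id(frame) in CONTROL_TYPE_IDS and src not in authorised_masters
    ]


# Constructed data: one legitimate master and four frames standing in for
# TCP/2404 traffic captured at the substation network boundary.
AUTHORISED_MASTERS = {"10.10.1.5"}
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.10.20.11", build_single_command(1, 0x1001, on=False, select=True)),
    ("10.10.1.5", "10.10.20.11", build_single_command(1, 0x1001, on=False)),
    ("10.10.1.77", "10.10.20.11", build_single_command(1, 0x1001, on=False)),  # rogue host
    ("10.10.1.77", "10.10.20.11", bytes([START, 4, 0x01, 0x00, 0x02, 0x00])),  # S-format ack
]

if __name__ == "__main__":
    for src, dst, tid in flag_rogue_control(SAMPLE_FLOWS, AUTHORISED_MASTERS):
        print(f"control command type {tid} from unauthorised host {src} to {dst}")
```

The parser will happily decode the rogue host’s frame exactly as it decodes the master’s, which is the whole problem: nothing in the bytes distinguishes them. In practice this allowlist logic belongs in a passive monitor or firewall at the OT boundary, where it is a much more realistic control than changing the protocol the RTUs speak.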
A timely report from CREST, the not-for-profit accreditation body representing the technical information security industry, highlights a pressing need to improve cyber security in Industrial Control System (ICS) environments to avoid future breaches that could impact critical national infrastructure.
Its latest position paper, ‘Industrial Control Systems: Technical Security Assurance’, identifies a number of challenges and suggests that more technical security testing has a significant role to play in achieving higher levels of security assurance.
Drawing on the diverse views of the Industrial Control Systems and technical security communities, the paper proposes a model for gaining greater assurance in ICS environments. It is based on the findings of a research project that set out the main challenges and possible solutions for protecting Industrial Control Systems, many of which run on legacy technologies.
One of the key findings in the report is the absence of the periodic, standards-based technical security testing that is commonplace in many other industries. Because of this, CREST asserts, ICS environment owners and operators have no objective way of knowing whether cyber risk is being adequately managed, and at present no definitive standard for testing ICS environments is mandated by regulatory bodies. The fact that ICS environments are changing rapidly also leads to a higher degree of exposure.
“ICS environment owners require assurances that risk is being identified, assessed and evaluated. Above all else they need to know that there are appropriate measures in place to manage and mitigate risk,” says Ian Glover, president of CREST.