The cyber security landscape is changing and there are a number of challenges emerging for industry and businesses, particularly from an IoT perspective. Speaking at the Drives & Controls show in Birmingham, Andrew Johnston, a cyber security specialist with Cisco, highlighted the concerns.
He started off with an alarming quote from former Cisco CEO John Chambers, who made a statement to the industry around two years ago in which he warned that:
“There are two types of company: Those that have been hacked and those that just don’t know it yet.”
A statement like that, coming from a company with Cisco’s experience in the cyber security arena, does on the face of it make for grim reading – particularly when you observe the development of the hacking landscape over the last two decades.
A growth industry
Cisco has also coined the phrase ‘The industrialization of hacking’ and this looks at the development of hacking since the low sophistication of phishing hacks in the mid-1990s, the point in the mid-2000s where hacking really became a global industry and on to the complex and sophisticated landscape we have today, which involves nation state attacks targeting critical infrastructure in other countries.
Despite this a number of security myths have taken hold among some organisations – the most common of which are:
The belief in these cyber security myths is even more disconcerting when the prevalence of targeted attacks is taken into account. In 2016 there were a total of 290 targeted cyber attacks around the world (compared to 74 in 2012 – which highlights the growth of hacking), and no sector has been left unscathed – from communications and critical manufacturing to energy and water providers. Hackers are going after everyone, irrespective of the size of the organisation or which industry it happens to be in, and unfortunately the black hat hackers and the dark web are making things easier.
The motivations of these hackers are quite simple – it could be to do harm such as a nation state wanting to take over another’s infrastructure; it could be for financial rewards or it could be as basic as hackers having ‘fun’. Unfortunately for Cisco and its customers the hackers have the advantage.
Concerns for Cisco customers
- Operational challenges
- Device and user identity
- Vulnerability management
- Securing legacy devices
- Ensuring privacy of customer data
The unpalatable reality is that a hacker could quite easily launch an attack on your infrastructure and plant something that could lie dormant for some time until a particular vulnerability is opened up and the attack can take place – with devastating effects.
Targeted attacks – Actors and Effects
Anarchists / anti-capitalists
Destruction of plant / vessels
Injury or death
Share price depreciation
As a consequence cyber attacks are more damaging than ever and the risk is increasing. This is due to automation systems increasingly being connected to enterprise IT systems; enhanced third party access for greater troubleshooting and optimisation; the move from niche and proprietary systems to ubiquitous IP/Ethernet; a more ready supply of hacking tools and the fact that ICS protocols are inherently insecure.
This is not just scaremongering. There have been some significant attacks on a variety of installations over the past few years (some more high profile than others), which highlight the extent of the issue. A select few are outlined here and range in cost from $1.9m to $65m:
Back to basics
It’s vital to get the basics right when it comes to security, and to have defence in depth. It’s something that can’t be fixed by purely throwing a lot of technology at the problem.
The modern industrial environment has thrown operational technology and information technology together. The two have very different outlooks, but security must take a two-pronged approach spanning technical and non-technical departments and personnel. Technical controls such as firewalls, Group Policy Objects, Layer 3 ACLs and NACs must combine with a strong company ethos, rules for certain environments, policy and procedure, risk management, best practice, vigilance and attention to detail.
There’s an old joke where two men are being chased by a bear, and as the first man starts to break into a sprint the second man exclaims: “What are you running for? You can’t outrun a bear!” To which the first man replies: “I don’t have to outrun the bear, I only have to outrun you!”
As such, it’s important to remember that technology is only as secure as its weakest link, so employee best practice must be enforced – there is no point in having a whole host of IT security in place if an employee then writes his or her password down on a post-it note and places it next to their terminal.
Cisco has established a number of industrial security techniques to assist companies with achieving their security goals. These can be seen below. In addition, the National Cyber Security Centre has recently published 10 steps to cyber security to help organisations get up to speed with their security challenges and frameworks.
So, cyber attacks are increasing rapidly and that is not likely to stop any time soon. The truth is that the odds are against you. However, if you assume that your organisation will incur a breach it does change the thinking and ethos of the company from essentially a reactive standpoint to a proactive one.
The potential consequences of an attack have been outlined here, so it’s important to have a comprehensive security strategy in place. But, as we’ve also covered, that’s not just about products – it’s also a mix of people and technology, spanning operational technology and information technology, to achieve an integrated approach to your cyber security.