Operating Technology — The Next Front in Cyber Security
Industry 4.0, the digitization of product manufacturing, is transforming the way we make everything, from textiles to electric power.
While unlocking tremendous efficiency and profits for businesses, it also holds the latest emerging threat from cyber criminals that could make every cyber attack we’ve seen thus far seem like child’s play.
It is easy to see why operating technology (OT), also known as industrial control systems (ICS), is viewed as the new cyber security frontier. ICS encompass different types of control systems and associated instrumentation, which include the devices, systems, networks and controls used to operate and/or automate not only industrial processes but also things such as building security, lighting, environmental systems and more.
To extract efficiencies and increase profits, plant managers and engineers need real-time information about how those systems and machines are operating.
Efficiencies are driving further integration of information technology (IT) with OT to provide more mobility and ease of access.
Some offer the ability to go online and tweak operations remotely—even continents away. These systems are designed to enable access, not restrict it, and cyber criminals are now focusing their attention on these vulnerabilities.
In fact, both Kaspersky and Symantec predicted that 2019 will be the year cyber criminals target ICS through ransomware or malware denial-of-service attacks.
As if on cue, it only took until March 2019 before such predictions started to ring true. Norwegian aluminum maker Norsk Hydro had to halt some of its production after hackers infected IT systems using ransomware, which in turn impacted the OT running critical manufacturing operations.
The company refused to pay, instead relying on backups to restore operations. The company lost $40 million in the week immediately following the attack, according to news reports, which also had an immediate impact on global markets, boosting the price of aluminum (which had been flagging) on the commodities market.
The Norsk Hydro attack demonstrates the consequences can be severe. Industry estimates indicate the total cost of the attack could be as high as $75 million.
Organizations affected by a denial-of-service hack that impacts IT and ICS at a minimum can lose production time, revenue, market share and damage to corporate reputation.
The potential for business risk is only going to grow. Zion Market Research valued the industrial automation market at $207 billion in 2017 and is predicting it will grow to $321 billion by the end of 2024.
When it comes to making your organization more resilient to such threats, there is no one fail-safe solution especially because these multifaceted cyber attacks, when extended to a production environment, can also be the underlying cause of fires, explosions and equipment breakdown.
So, What to Do?
It is fundamental to understand cyber risk in the production environment and how it differs from traditional IT risk.
This understanding will dictate how to manage OT cyber risk in an environment that is designed for accessibility and up-time for production equipment, not security.
Unlike traditional IT risk, where concerns center on compromised or lost data, OT risk management must be concerned with the impact to physical assets such as production interruption, equipment damage, upset plant conditions, fire and product damage—all from systems that may be connected but not necessarily built with IT security in mind.
As such, in many cases the OT running these systems was built using legacy software and systems that could open a back door into your facility.
A cyber attack also can occur with equipment that isn’t connected to the internet. Think about who can gain access to your facility, such as consultants, suppliers and vendors.
Can someone walk into your plant, plug a thumb drive into a laptop and unleash a virus or ransomware?
Beyond those risks, look at how each machine that is tied to ICS can impact the entire production process if it were to be compromised.
What could the physical impact be of such a compromise? Is a machine making a critical component that can’t be made on another machine or sourced from another vendor? How integral is that machine to your supply chain?
It is critical that cyber risk be viewed through the lens of enterprise risk. When you manage IT and OT risks separately, it can create cyber security gaps and vulnerabilities in one environment that can be used to exploit the other.
Unfortunately, in many organizations, IT and OT are viewed as separate and distinct. Risk managers, plant managers, IT and OT all should be talking with each other to manage the risk holistically.
Cyber hackers are motivated by notoriety, profitability, disruption or destruction.
Risk transfer solutions will never be able to fully protect an organization from the threat of cyber criminals and the havoc they wreak. Focusing on a broad comprehensive approach to cyber security that includes the OT environment that runs your critical machinery will help make your organization more resilient when the time comes. &