Consequences of a cyber-attack in industrial environments

Jorge Rubio    17 January, 2023

Industrial environments can be found in any type of sector we can imagine, whether in water treatment, transport, pharmaceutical, machinery manufacturing, electrical, food or automotive companies, among others.

One major difference between an industrial environment and a typical corporate or IT (Information Technology) environment is that industrial communication networks, or OT (Operational Technology) networks, are designed for a specific task and use equipment and systems that do not change over time. The same communications take place between the same devices continuously and cyclically, unlike the corporate world, where a multitude of different equipment, such as laptops or corporate mobiles, connects at different times.

Another major difference is that these industrial devices are more likely to have vulnerabilities in their firmware or software because they are outdated equipment that is not usually updated or patched, as they are not compatible with the latest operating systems on the market or because replacing them could be very costly for the company.

In addition, it is common to use unencrypted network communications or insecure protocols that allow vulnerabilities to be exploited or passwords to be obtained in clear text.

This state of industrial environments, coupled with the increasingly pressing need to connect industrial processes and factories to the corporate world, the cloud or the internet, increases the risks of a cyber-attack on such facilities.

The most serious implications of an industrial system being breached are the impact on the physical security (safety) of people, as well as economic losses or damage to the company’s image. This is why it is vitally important to protect this equipment against any cyber-attack.

Cyber-attacks that have occurred in the past in industrial environments

Over the years, various companies and organisations in all types of industrial environments have been attacked, through technical and social engineering attacks and also as a result of carelessness, laziness or lack of employee awareness, such as the use of USB keys between OT equipment and IT systems.

The following are some examples of the different types of cyber-attacks used to attack companies in a variety of sectors with industrial environments:

  • Malware in industrial or field devices.
  • Communication hijacking and man-in-the-middle attacks.
  • Denial of service.
  • Spear phishing.
  • Database espionage.
  • Supply chain attacks.
  • Improper or malicious device updates.

And these are not isolated cases – attacks on industrial infrastructures are in the news all the time! Some of the most relevant are the following:

  • Worcester Airport in the United States (1997): A hacker hacked into the communications of the air traffic control system and caused a system failure that rendered the telephone system completely useless, affecting the control tower and different areas of the airport (fire brigade, meteorology, etc.), which had a major economic impact.
  • Saudi Aramco (2012): An attacker gained access to the industrial network through one of the employees and deleted the content of all computers. This resulted in the management of supplies, oil transportation, contracts with governments and business partners being done on paper. If it had been a smaller company, this attack would probably have bankrupted it.
  • Maersk (2017): A cyber-attack using the “NotPetya” malware caused outages in all of the shipping company’s business units, bringing its container shipping operations around the world to a standstill for weeks. The losses generated by this attack are estimated to be as high as $300 million.
  • Oldsmar water treatment plant (2021): A group of attackers gained access to the SCADA (Supervisory Control and Data Acquisition) systems used to control the chemical treatment of Florida’s water and altered the levels of caustic soda in the drinking water. Thanks to an operator who identified the unauthorised access and was able to detect the manipulation, this did not have serious adverse effects on the population.

These are just some of the examples that have been reported in the media, but there are many others that we will never know about.

How to avoid or mitigate the consequences of an industrial cyber-attack

To minimise the risk of suffering a cyber-attack in an industrial environment, it is necessary to minimise network visibility to reduce the attack surface, increase staff training to avoid social engineering attacks, generate new cyber security procedures and policies, and deploy technologies appropriate to the environment to prevent or mitigate the effects that could occur.

One of the key aspects is the monitoring of industrial networks using dedicated tools specialised in OT communications protocols, such as Nozomi Networks’ probes, which analyse anomalous behaviour once they have learned the normal or baseline behaviour of the network.

Visualisation of the network through an industrial monitoring tool. Source: Nozomi Networks.

As well as generating alerts when malicious action is found, these tools also provide great visibility into the industrial network by providing an inventory of connected devices, which can help companies discover unidentified equipment that could be a gateway for future cybercriminals.
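The baseline-then-detect approach described above can be sketched as follows. This is an added example, not code from the original article and not how Nozomi Networks' products are implemented; the flow records, addresses, protocol labels and the 50% timing tolerance are constructed assumptions. It relies on the cyclic, unchanging nature of OT traffic to flag unknown devices, new flows between known devices, and requests that break the learned polling cycle.

```python
from collections import defaultdict
from statistics import median

# Constructed flow records: (timestamp_s, src, dst, protocol). Addresses are
# documentation-range placeholders, not taken from the article.
PLC, HMI, RTU, ROGUE = "192.0.2.20", "192.0.2.5", "192.0.2.21", "192.0.2.99"
LEARNING = ([(t, HMI, PLC, "modbus") for t in range(0, 60, 2)] +   # 2 s poll
            [(t, HMI, RTU, "modbus") for t in range(1, 60, 5)])    # 5 s poll
LIVE = [
    (60, HMI, PLC, "modbus"),     # on schedule, matches the baseline
    (62, HMI, PLC, "modbus"),
    (62.2, HMI, PLC, "modbus"),   # extra request that breaks the 2 s cycle
    (63, ROGUE, PLC, "modbus"),   # device absent from the learned inventory
    (64, HMI, RTU, "s7comm"),     # known devices, protocol never seen between them
]

class Baseline:
    """Learns device inventory, flows and polling period; flags deviations."""
    def __init__(self, flows, tolerance=0.5):   # tolerance is an assumed value
        self.tolerance, self.devices = tolerance, set()
        seen = defaultdict(list)
        for ts, src, dst, proto in flows:
            self.devices.update((src, dst))
            seen[(src, dst, proto)].append(ts)
        self.period, self.last = {}, {}
        for key, stamps in seen.items():
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            self.period[key] = median(gaps) if gaps else None
            self.last[key] = stamps[-1]

    def check(self, flow):
        ts, src, dst, proto = flow
        alerts = [("new_device", ip) for ip in (src, dst) if ip not in self.devices]
        key = (src, dst, proto)
        if key not in self.period:
            alerts.append(("new_flow", key))
            return alerts
        period, gap = self.period[key], ts - self.last[key]
        self.last[key] = ts
        if period and abs(gap - period) > self.tolerance * period:
            alerts.append(("timing_deviation", key))
        return alerts

def detect(learning, live):
    """Return (timestamp, alert_type, subject) for every live-flow anomaly."""
    baseline = Baseline(learning)
    return [(flow[0], *alert) for flow in live for alert in baseline.check(flow)]

if __name__ == "__main__":
    for alert in detect(LEARNING, LIVE):
        print(alert)
```

The sketch does not learn during detection, so an unknown device keeps alerting until it is added to the inventory, and it does not detect a flow that goes silent.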

But what should be done with all the information obtained by these industrial monitoring probes? One of the options could be to integrate them with a SIEM (Security Information and Event Management), so that all alerts are aggregated in the same place and can be correlated with each other.

In addition, it is necessary to establish an incident response procedure that determines what actions to take according to the type, severity and location of each of the alerts. But all of this cannot be done without dedicated personnel specialised in these monitoring and industrial incident response tasks.

The importance of cyber security in industrial environments

Industrial cyber security risks continue to grow over time as industrial networks become increasingly connected and exposed to IT networks or even the internet, and the number of threats grows exponentially.

Cyber threats can have a major impact on personal and corporate reputation (loss of customer confidence), financial operations (fines for non-compliance) and business (unscheduled production downtime), as well as potential legal liabilities (legal consequences for non-compliance with laws and physical and environmental security standards).

This is why it is crucial to implement, manage and improve cyber security measures in industrial environments in order to maintain and increase their effectiveness against any cyber attack.
