Cyber incidents in industrial environments have been increasing significantly since 2010, but it is undoubtedly in the 2020s that these incidents have affected the general population or made the news.
There are several examples:
- 2015: Ukraine’s power grid was shut down after a worker opened a hoax email (phishing).
- 2017: criminals were apparently able to override the entire protection system of a petrochemical plant in the Middle East.
- 2021: the USA’s largest oil pipeline had to stop the flow of fuel for 8 days after a worker’s password was compromised and used to hijack the control system.
These are just a few examples of incidents that have occurred in recent years. As can be seen, in many cases they were caused by employees’ actions.
Differences in approaches to cybersecurity
This is due to several circumstances, but the main one is due to a difference in the mentality associated with security.
In industrial environments, terms such as Anti-DDoS, two-factor authentication or other expressions that are commonplace in IT security are not even known.
There is a difference in mindset and training related to cybersecurity between corporate and industrial environments
It is these differences that generate many of the drawbacks in implementing or enforcing security measures at the convergence between IT and OT (operational technology) environments. This is a great lesson for security teams: the security approach in IT and OT cannot be the same, so it is necessary to clearly understand the root cause of these differences.
The vision of priorities in IT and OT
We have always talked about cyber security being based on three pillars, which are integrity, reliability, and availability. These are the same in any system that handles information, but the priority we give to them is different.
- Decision-making in corporate environments (IT) is fundamentally based on data, so data reliability is the priority objective.
- Operational environments (OT) are very different: because they interact with physical environments, data is required in real time in order to keep control of the operation, which orients cyber security towards giving priority to availability.
This change of focus means that processes such as automatic updates, micro-segmentation or any action that delays signals or shuts down the operation are not so simple to implement, because the continuity of the operation and the problems that these stoppages generate take priority over the implementation of a patch or a security requirement.
Calculating cyber risk
One of the first steps in cyber security is the calculation of cyber risk, which is why all standards and best practices show how to perform risk calculations and the importance of putting in place controls or mitigation measures to reduce risk.
It is always said that risk is the probability of the attack multiplied by the impact it generates on the operation, but in operational environments these two are not the only factors to consider for industrial cybersecurity: given the aforementioned interaction with the physical world, it is essential to place the parameter of the consequence within the equation.
This additional parameter in the equation drastically changes the risk assessment and includes valuable details for operators, whose main focus of security is on life or impacts on their environment, which are never taken into account in IT.
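To show how adding the consequence parameter reorders a risk register, here is an added example (not code from the original article) with constructed scenarios and 1-to-5 scales; the scenario names, scores and scale are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List

@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: int   # 1..5: how probable the attack is
    impact: int       # 1..5: impact on data / the operation (the IT view)
    consequence: int  # 1..5: consequence for people or the environment (OT view)

def _check_scale(value: int) -> int:
    # Every factor must be on the same 1..5 scale for the scores to be comparable.
    if not 1 <= value <= 5:
        raise ValueError(f"score {value} outside 1..5 scale")
    return value

def it_risk(s: Scenario) -> int:
    # Classic IT formula: probability of the attack multiplied by its impact.
    return _check_scale(s.likelihood) * _check_scale(s.impact)

def ot_risk(s: Scenario) -> int:
    # OT formula: the same product, with the physical-world consequence added.
    return it_risk(s) * _check_scale(s.consequence)

def rank(scenarios: List[Scenario], score: Callable[[Scenario], int]) -> List[str]:
    # Highest risk first; the ordering is what drives which control is funded.
    return [s.name for s in sorted(scenarios, key=score, reverse=True)]

# Constructed register: numbers are illustrative, not measured data.
SCENARIOS = [
    Scenario("Phishing on office mailbox", likelihood=4, impact=3, consequence=1),
    Scenario("Obsolete PLC firmware on safety system", likelihood=2, impact=4, consequence=5),
    Scenario("Ransomware on ERP server", likelihood=3, impact=5, consequence=2),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name:42s} IT={it_risk(s):3d}  OT={ot_risk(s):3d}")
    print("IT ranking:", rank(SCENARIOS, it_risk))
    print("OT ranking:", rank(SCENARIOS, ot_risk))
```

With these constructed scores the safety-system scenario is last under the IT formula (8) and first under the OT formula (40), which is the reordering the text describes.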
The importance of devices
In addition to the risk analysis, operational environments have clearly identified devices that are essential to the operation, which are often considered the “crown jewels” and which emerge from the process analysis.
Many of these “jewels” are often very old equipment, which from an IT point of view is obsolete, but within the operation is of normal age and even still under warranty, which shows that security and change move at different speeds in the two environments.
Cyber security concepts
Cyber security terms are new to the world of operations, which until less than 5 years ago (and even today) relied on the assumption that, because they are not connected to the internet, cyber threats do not affect them. That certainly no longer applies, but it brings with it the need to understand and manage concepts that are new.
Even the most common concepts of Cybersecurity have not yet permeated industrial companies with sufficient force
As we said at the beginning, concepts such as Anti-DDoS are not only unknown but in some cases inapplicable; moreover, standards such as IEC 62443, models such as Purdue or frameworks such as NIST have not permeated strongly enough in industrial companies, so they remain concepts that are either not known or not fully applied.
This is a challenge for Industry 4.0, which is gradually being worked on, but which opens a window for cyber-attacks that affect many areas of society, as the interaction with physical elements in systems such as water treatment can affect millions of people.