This month I am writing about the threats and associated risks faced by computerized industrial systems and other control technology, particularly given the recently publicized attacks on critical national infrastructure (CNI), for example, at the Oldsmar, Florida water treatment plant.
These threats, of course, are uninvited intrusions into an organization’s IT systems and infrastructure, which, in turn, could give access to industrial control systems (ICS) – robots on a production line, for example.
Those threats could emanate from internet-based hacking activity, social engineering (a spear-phishing email that delivers malware, or a call from someone masquerading as “IT support”), a USB stick left in the car park or reception area, or insider activity, such as an employee with a gambling or drug problem.
The risks, of course, include damage to an organization’s reputation and regulatory fines for customer data loss. But such attacks can also be a significant source of disruption to a company’s production facility: for example, a subtle change to the operation of production-line robots may, in turn, degrade product quality without anyone noticing for some time. And there are parallels between the disruption of parts of the CNI, say electricity or the banking system, and the disruption of a production facility.
What can an organization do to protect itself? First up, of course, are the bread-and-butter issues of maintaining any and all software at the latest supported releases and ensuring that security patches are applied in a timely way. This applies to the control technology itself and to the whole IT infrastructure, from the interfaces to any and all external networks (firewalls, routers, and so forth) to the network Ethernet switches, load balancers, application servers, printers, and so on.
It should not be forgotten that many systems and infrastructure components now utilize virtualization techniques, so any virtualization software needs to be maintained just as much as any server or application software.
Don’t neglect the BIOS (basic input/output system) in your various systems or the firmware that drives many infrastructure-attached devices, such as video cameras, building access control, printers, and air-handling equipment. These areas need maintenance just as much as your IT infrastructure.
What else can a CNI owner do besides this work? Not in any priority order, but I suggest:
- Staff skills maintenance (training, education, and awareness).
- Regular health checks of the IT infrastructure and all the attached components (similar to penetration testing and often carried out simultaneously).
- Regular penetration testing of all external network interfaces, not just the internet connection.
- Depending on a company’s size and IT complexity, run a security information and event management (SIEM) or security orchestration, automation and response (SOAR) system to identify anomalous events that could be precursors to a security incident. Read, study, and understand the output of these systems – it could be a life-saver.
- Ensure that all staff and contractors in an organization and all directors (both executive and non-executive) are given regular security awareness briefings.
- Ensure that the top of a company understands the importance of good security, supports it, and promulgates it down through the organization.
- Get help from the business in putting together budgets for IT and IT security. It’s no good saying you need “x” pounds to do the significant “y” project – you need to be able to articulate what the project does in business terms and, equally if not more importantly, the potential costs of not doing the task.
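The SIEM point above is easier to act on with a concrete picture of what “anomalous events that could be precursors to a security incident” look like on a control network. The following is an added example, not code from the column or from any SIEM product: a small correlation routine run over constructed HMI log lines that flags a remote-access login from outside the engineering network, a login outside the maintenance window, and a setpoint change beyond its safe operating range, escalating the last of these when it closely follows an untrusted login (the shape publicly reported for Oldsmar). The log format, host name, address ranges, tag name, limits and time windows are all assumptions chosen for illustration.

```python
"""Toy SIEM-style correlation over constructed OT log lines.

Added example, not from the original column. The syslog-like line format,
host names, network ranges, setpoint limits and time windows are assumptions.
"""
import ipaddress
import re
from datetime import datetime, time, timedelta

# Assumed line format: "<ISO timestamp> <host> <event> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<kv>.*)$")

# Assumptions: interactive remote access to the HMI is expected only from the
# plant engineering VLAN and only during the daytime maintenance window.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
MAINT_WINDOW = (time(8, 0), time(17, 0))
# Assumed safe operating range per process tag (units are the tag's own).
SETPOINT_LIMITS = {"naoh_ppm": (0.0, 200.0)}
# A setpoint change this soon after an untrusted login is treated as correlated.
CORRELATION_WINDOW = timedelta(minutes=15)

# Constructed sample log lines (not real data).
SAMPLE_LOGS = """\
2021-02-05T09:12:03 hmi01 remote_login user=operator src=10.20.0.15 tool=remote_desktop
2021-02-05T13:02:41 hmi01 setpoint_change user=operator tag=naoh_ppm old=100 new=110
2021-02-05T13:27:17 hmi01 remote_login user=operator src=203.0.113.7 tool=remote_desktop
2021-02-05T13:28:02 hmi01 setpoint_change user=operator tag=naoh_ppm old=110 new=11100
2021-02-05T13:28:40 hmi01 setpoint_change user=operator tag=naoh_ppm old=11100 new=110
2021-02-05T22:41:09 hmi01 remote_login user=operator src=10.20.0.15 tool=remote_desktop
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "event": m["event"]}
    for kv in m["kv"].split():
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def analyze(log_text):
    """Return a list of alerts (dicts with ts, rule, severity, detail)."""
    alerts = []
    last_untrusted_login = {}  # host -> timestamp of most recent untrusted login
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not trusted
        if rec["event"] == "remote_login":
            src = ipaddress.ip_address(rec["src"])
            if not any(src in net for net in TRUSTED_NETS):
                last_untrusted_login[rec["host"]] = rec["ts"]
                alerts.append({"ts": rec["ts"], "rule": "remote_login_untrusted_source",
                               "severity": "medium",
                               "detail": f"{rec['user']} from {src} on {rec['host']}"})
            if not (MAINT_WINDOW[0] <= rec["ts"].time() <= MAINT_WINDOW[1]):
                alerts.append({"ts": rec["ts"], "rule": "remote_login_outside_window",
                               "severity": "low",
                               "detail": f"{rec['user']} at {rec['ts'].time()} on {rec['host']}"})
        elif rec["event"] == "setpoint_change":
            lo, hi = SETPOINT_LIMITS.get(rec["tag"], (float("-inf"), float("inf")))
            new = float(rec["new"])
            if not lo <= new <= hi:
                recent = last_untrusted_login.get(rec["host"])
                correlated = recent is not None and rec["ts"] - recent <= CORRELATION_WINDOW
                alerts.append({"ts": rec["ts"], "rule": "setpoint_out_of_range",
                               # Escalate when it follows an untrusted login closely.
                               "severity": "high" if correlated else "medium",
                               "detail": f"{rec['tag']} {rec['old']} -> {rec['new']}"
                                         + (" shortly after untrusted login" if correlated else "")})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert["ts"], alert["severity"].upper(), alert["rule"], alert["detail"])
```

Run on the constructed sample, the routine raises three alerts: a medium one for the login from 203.0.113.7, a high one for the 110 to 11100 setpoint change made a minute later, and a low one for the 22:41 login from an otherwise trusted address. The point of the correlation is the second alert: either event alone might be explained away as a contractor or a typo, but the pair within a few minutes is exactly the kind of output that should be read and acted on rather than left in a dashboard.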
A saying often attributed to Mark Twain runs: “It is easier to fool people than to convince them that they have been fooled.” Apply this to an organization and its security. The board and senior management must 100% support good, well-funded security. Without it, the organization’s future can be at stake.