In the BBC’s recent drama series, McMafia, a hacker accessed files and took control of Mumbai Port’s IT network through a vending machine with poor security credentials. At first glance, this may appear implausible, but the threat to critical infrastructure is very real. As more devices are connected, the ability to compromise a corporate network through an unpatched IoT-connected device poses a real threat.
It is predicted that there will be 20.4 billion connected devices in existence by the end of 2020. It’s evident that the number of connected devices will continue to increase, bringing many benefits but also presenting a growing security risk. As networks become more dynamic and continue to grow, it gets harder to identify and manage all the devices connected to them.
Unfortunately, critical infrastructure such as the Mumbai port shown in McMafia is particularly at risk. Some concerning examples of similar compromises include multiple water supply plants hacked between 2011 and 2016, and the US power grid, which was infiltrated 17 times in just 2 years. But perhaps the most worrying of all occurred in 2016 when a nuclear plant was hacked.
The 4th Industrial Revolution represents an extraordinary growth opportunity for manufacturing in general; however, by its very nature, it brings with it increased risk. A recent report highlighted that almost 50 per cent of manufacturers have fallen victim to cyber-attack, with a quarter suffering some financial loss or disruption.
Manufacturing is now the third most targeted sector for attack behind Government systems and finance. However, unlike the connected device examples above, much of this vulnerability arises from industrial systems installed on plants that have built up and been modified over several years and, in some cases, decades. Whilst there is no change to the data collected, collated and used, the data management systems differ, resulting in an integration challenge to produce real-time, meaningful information whilst protecting the asset.
Notable Industrial & Automation Control Systems cyber security trends
Looking beyond the headline-grabbing cyber security incidents of recent years, threat intelligence gathered from the National Cyber Security Centre and global chemical companies, along with the insights and examples provided by the Health & Safety Executive (HSE), has exposed key Industrial & Automation Control Systems (IACS) cyber security threats, including watering hole attacks, Triton, WannaCry, state-sponsored attacks and, of course, human error.
A recent watering hole example occurred on a COMAH site following a ‘spear-phishing’ email that was sent from a supplier’s system and contained malware that gave the attacker command and control of a corporate desktop PC. The attacker then spread laterally across the network, securing access and acquiring the information and knowledge needed to penetrate deeper into the control system. In this instance, the attacker intercepted and modified MODBUS over TCP/IP communications between the tank farm PLC and DCS and overrode the safety instrumented system (SIS), which resulted in material being covertly pumped to overfill the jetty tank.
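Modbus over TCP/IP carries no authentication, so one check a network monitor can make against the kind of tampering described above is to watch which hosts issue write commands to a PLC. The following is an added example, not part of the original article: it parses Modbus/TCP frames and flags malformed frames and write requests from any host other than an allowlisted DCS. The IP addresses, the allowlist and the sample frames are constructed for illustration.

```python
import struct

# Modbus function codes that change process state (write requests).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Assumption: only the DCS should ever write to the tank farm PLC.
AUTHORISED_WRITERS = {"10.0.10.5"}  # constructed DCS address

def parse_modbus_tcp(payload: bytes):
    """Return the parsed frame, or None if it is not well-formed Modbus/TCP."""
    if len(payload) < 8:
        return None
    # MBAP header: transaction id, protocol id, length, unit id (big-endian).
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0; length counts the unit id plus the PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    frame = {"transaction": tid, "unit": unit, "function": payload[7]}
    if frame["function"] in WRITE_FUNCTIONS:
        if len(payload) < 10:
            return None
        # Every write request starts with a 2-byte target address.
        frame["address"] = struct.unpack(">H", payload[8:10])[0]
    return frame

def review(packets):
    """Flag malformed frames and writes from hosts outside the allowlist."""
    alerts = []
    for src, payload in packets:
        frame = parse_modbus_tcp(payload)
        if frame is None:
            alerts.append((src, "malformed Modbus/TCP frame"))
        elif frame["function"] in WRITE_FUNCTIONS and src not in AUTHORISED_WRITERS:
            name = WRITE_FUNCTIONS[frame["function"]]
            alerts.append((src, f"unauthorised {name} to address {frame['address']}"))
    return alerts

# Constructed sample traffic: (source IP, TCP payload sent to port 502).
SAMPLE = [
    ("10.0.10.5", bytes.fromhex("000100000006010300000002")),   # DCS read
    ("10.0.10.5", bytes.fromhex("000200000006010600100064")),   # DCS write
    ("10.0.20.77", bytes.fromhex("0003000000060105002aff00")),  # desktop write
    ("10.0.20.77", bytes.fromhex("00040000000901030000")),      # bad length
]

if __name__ == "__main__":
    for src, reason in review(SAMPLE):
        print(f"ALERT {src}: {reason}")
```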
In 2017 a malicious cyber-attack was carried out on a petrochemical plant in Saudi Arabia that resulted in the attackers gaining control over a safety system that was critical in defending against catastrophic events. Malicious software, dubbed Triton, allowed the hackers to manipulate the devices’ memory and run unauthorised programs on the system by leveraging a previously unknown bug.
In another example from 2017, WannaCry hit the headlines when attackers held the NHS to ransom for its patient data, causing outrage and chaos in equal measure. The WannaCry cyber-attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented had basic IT security best practice been followed.
In recent years there have been allegations of state-sponsored cyber-attacks within the Middle East region, with the Saudi Aramco attack probably being the most well-known. The Saudi Aramco cyber-attack was carried out in 2012 using a virus known as Shamoon. The virus disrupted computers by overwriting the master boot record, making it impossible for them to start up.
While ransomware cyber-attacks continue to make the headlines, accidental breaches caused by employee error or network breaches prompted by third-party suppliers continue to be a major threat to the effectiveness of IACS cyber security within the chemical-processing industries.
One chemical-processing company, with sites across the globe, came up against a major failure that would have impacted 80 servers and 200 database systems following an accidental incident that occurred as two of its plants were in the middle of a turnaround. An incident was raised with a vendor regarding unsupported hardware and, while the vendor supplied replacement hardware, they also provided incorrect procedures for its installation. This in turn caused a major hardware failure and data corruption and, although disaster recovery was implemented, this was further hindered by issues with backups. The complete loss of plant functionality was avoided in the main through effective communication and restoration of key systems taking place in order of importance.
Health and Safety Executive response
Two years ago, the HSE recognised that the number of malicious and accidental cyber security incidents was increasing rapidly, both in the UK and globally. The HSE’s response was to draft and release new Operational Guidelines for IACS which would be followed up with on-site cyber security audits that came into force in 2018 in plants across the country.
The key objective of the HSE’s IACS Operational Guidelines was to offer a baseline from which organisations could implement cyber security processes, standards and training to successfully manage the health and safety risks resulting from a cyber security incident.
However, while there is no doubt there is a real and present need for the new guidelines, and that some in the chemical-processing industry have responded positively to the HSE’s actions, there are a number of significant challenges that lie ahead for the majority. The HSE plans to update its operational guidelines later this year following recent trials across a range of sites.
A collaborative approach
To tackle this challenge, NEPIC sat down with Wilton-based Tekgem earlier this year to discuss how best to educate those working within the chemical-processing industry and help them to address the issues associated with IACS cyber security. The answer, we both agreed, was that they needed to hear from the source.
In March, the HSE’s leading cyber security inspectors visited Wilton to outline the cyber security threats and discuss the key points within the guidelines. The HSE, along with SABIC, Tekgem and Frazer Nash addressed an audience that ranged from Instrument & Control Engineers to IT/OT Support Technicians, Automation & DCS Managers to Engineering Directors and HSE managers, all of whom are currently working on chemical-processing plants.
The event was the start of an IACS cyber security journey for all parties, and participating member companies made it clear that they saw real benefits and agreed that an open and collaborative approach was needed to effectively manage the ever-evolving threat of cyber-attack, whether malicious or accidental. In fact, the high levels of knowledge shown by those at the event are a great reflection of the true professionalism that exists within the industry.
Aware of the high-profile ransomware cyber-attacks, guests also recognised the risks posed by accidental breaches caused by employee error or network breaches prompted by third-party suppliers, which represent a major threat to the effectiveness of IACS cyber security within the chemical-processing industries.
However, a cultural change is required within all organisations going forward to ensure that, despite not witnessing the effects of a cyber-attack first hand, we fully understand the size, scale and scope of the potential risks and are prepared and accountable should an incident occur. The first question that needs to be answered is who is responsible. And if you’re that person, it is better to respond to your cyber security threats now, rather than think the unthinkable won’t happen.
Help is at hand: the HSE has provided some simple steps to improve the security of IACS systems, and the guidelines provide more detailed support. Expertise is also available from organisations like Tekgem with their ‘Defence in Depth’ strategy.