Cyber attacks can happen any time, anywhere. Secolve CEO Laith Shahin details how to be prepared.
As Australian businesses scramble to defend themselves from the devastating impact of coronavirus, they are at increased risk at falling victim to another virus, one with the power to disable their entire operation with a single key stroke.
While IT data and privacy breaches have become commonplace, more concerning is the rise in the number of cyberattacks on businesses’ OT—the operational technology that governs and manages their industrial control systems.
And the effects could be catastrophic.
According to Laith Shahin, founder and CEO of OT-specialist cybersecurity consultancy Secolve, industrial sectors such as mining, energy, manufacturing, transport, construction, water, and waste have become high-value targets for cyber attackers, with potentially deadly results.
“OT attacks can cost businesses many millions of dollars in lost productivity and reputational damage, but more than that, attacks on these sorts of industries can result in possible loss of life and leave populations stranded without essential services such as food, power, and water,” Shahin said.
Recent examples include a ransomware attack that shut down a US Honda manufacturing plant earlier this year, and a series of strikes against US-based power grids. A single attack on one Ukraine power facility left 200,000 people in the dark, while a German steel mill sustained extensive damage when a cyberattack on a control system prevented a blast furnace from shutting down.
“Businesses would be wrong to think these sort of things couldn’t happen on Australian shores,” Shahin said.
In fact, a recent Secolve survey of more than 2000 Australian risk, compliance, and security specialists found 78% of those responsible for their organisation’s industrial control systems were concerned there would be an attack on their business in the next 12 months, with 45% “extremely concerned”. Fear was greatest among large companies and those operating in industries such as mining, energy, and utilities.
Despite this, many of the businesses were not actively testing or upgrading their OT systems. Only one third of respondents with OT responsibilities said their business had implemented new OT technology in last two years, and just 31% had used a third party to test their OT security. Worryingly, one in 10 businesses hadn’t undertaken any reviews or updates in the last two years.
Shahin said while technological advancements and IoT devices had enabled businesses to achieve efficiency and scalability, it had also opened the door to new cyber threats.
“Not only do these advancements create opportunities for organisations, they also create opportunities for adversaries, be it nation states, large hacking corporations, or disgruntled employees,” he said.
Businesses with legacy industrial control systems built decades ago with little or no thought given to security are particularly vulnerable to attack, typically relying on proprietary operating systems that have not been subjected to security hardening or testing.
“Most organisations tend to avoid assessing the security of their industrial control systems because of the impact it can have on the business in terms of downtime or unavailability of critical systems. But as has been proven time and again, the cost of ignoring the issue is a fraction of the millions of dollars businesses stand to lose in lost revenue in the event of a system shutdown,” Shahin said.
Businesses’ increasing reliance on technology has also exposed their operations to new avenues of attack.
“Industrial OT environments have traditionally been more isolated, but that has all changed with the shift to digitalisation and automation. This convergence of IT and OT environments has created opportunity for an attacker to now gain access to OT systems by compromising an IT network,” Shahin said.
As well as a lack of preparedness, Secolve’s survey also revealed a lack of awareness of OT systems among businesses, with only 9% of businesses with OT systems having a dedicated OT team or staff member. Most businesses absorbed OT into the responsibilities of other departments, typically IT.
“A common challenge faced by many organisations is drawing the line in terms of the management between OT and IT environments, so they often end up being lumped together under one team. But it’s really important to draw the distinction: IT supports business functions, whereas OT is the business itself, and requires a unique understanding and response,” Shahin said.
It was this lack of awareness and business preparedness that led Shahin to create a specialised OT cybersecurity consultancy, helping organisations to identify and address OT risks and threats.
“In many instances there is little alignment and synergy between IT and OT. Secolve’s role is to fill that gap by working closely with OT teams to understand the environment and then collaborate with IT and security teams to increase the cybersecurity maturity around the OT environment,” he said.
“For issues such as cybersecurity, where the majority of attacks are external to the business and becoming more sophisticated by the day, it is vital to have an external assessment of business practices and systems to identify vulnerabilities—you can’t protect what you don’t know, and it’s our role to tell businesses what they don’t know.”
Have a Plan
Secolve assists organisations to undertake an asset inventory and conducts a review to help educate the organisation on the architectural design, traffic, and components that communicate with each other within the environment, developing a road map, and areas of priority focus.
They also help businesses to document an incident response plan, charting critical steps to be followed in the case of an incident.
“It is surprising that many businesses don’t do this or regularly update their plan,” Shahin said. “It is essentially an instruction manual documenting what systems can be rebooted and who is responsible for what to ensure that in the event of an incident, the response is swift and controlled to restore operations with minimal downtime and any threat to personal safety.”
The need for businesses to adopt a cybersecurity war footing to protect against attack was more critical than ever given more staff are now working offsite, he said.
“Organisations need to ensure that any remote access to the environment is well secured and monitored, creating a demilitarised zone to protect the internal network from inbound access.”
Shahin said it was understandable that businesses could sometimes feel daunted by the complexity of the issue and forensic response required to repel attacks.
“And that’s where we come in. Secolve has the expertise to work across any OT environment to develop a tailored response that allows organisations to continue their day-to-day operations, safe in the knowledge they are fully protected.”