Trends in Security Information
The HSD Trendmonitor is designed to provide access to relevant content on various subjects in the safety and security domain, to identify relevant developments and to connect knowledge and organisations. The safety and security domain encompasses a vast number of subjects. Four relevant taxonomies (type of threat or opportunity, victim, source of threat and domain of application) have been constructed in order to visualize all of these subjects. The taxonomies and related category descriptions have been carefully composed according to other taxonomies, European and international standards and our own expertise.
In order to identify safety and security related trends, relevant reports and HSD news articles are continuously scanned, analysed and classified by hand according to the four taxonomies. This results in a wide array of observations, which we call ‘Trend Snippets’. Multiple Trend Snippets combined can provide insights into safety and security trends. The size of the circles shows the relative weight of the topic, the filters can be used to further select the most relevant content for you. If you have an addition, question or remark, drop us a line at info@securitydelta.nl.
Cyber attacks directed at operational technology can lead to physical harm and undermine the wider market and society
1. lack of forward secrecy
2. lack of efficient group messaging/email mechanism
3. fossil cryptographic schemes in the standard
4. improper default security settings, e.g. compression before encryption
5. poor usability
6. problematic trust model and key management
7. rather naive design of the key revocation mechanism
8. insecure design of key IDs
9. asymmetric cryptographic schemes that would soon become broken in the face of attackers who have access to quantum computers
Operational technology systems and the threats of cyber attacks
Angeli Hoekstra, PwC
A famous and scary example of the far-reaching effects of cyber attacks impacting operational technology systems (OT systems) is Stuxnet, a malicious computer worm. Stuxnet attacks forced a change in the rotor speed of uranium enrichment centrifuges in Iran around 2010. It increased the spin rate of specific centrifuges for a few seconds. It waited 27 days and then reduced the spin rate of these centrifuges for a few seconds. By doing this it damaged the centrifuge systems and caused major damage to the Iranian uranium enrichment facilities. Furthermore, it caused damage to a number of other systems in other countries that utilised similar centrifuges. What made it especially alarming was that Stuxnet damaged the safety systems as well. It is terrifying that malware is actually capable of doing this, since it can create serious accidents and threaten human lives. In this article I will discuss the threats cyber attacks pose to OT systems and I will show what companies can do to better protect themselves.
Blackout in Ukraine
More recently we have seen incidents in Ukraine where malware influenced the power grid and interfered with the supply of electricity. A computer virus attacked one of the transmission stations and opened every circuit breaker in this station. It caused a complete blackout. Fortunately it didn’t take long to get the system back into operation. This limited the damage caused by the attack. Clearly, incidents like this may have a disastrous effect on the functioning of society.
Chaos
I worked in South Africa for a number of years and I have experienced what happens when the electricity supply is disturbed for a longer period of time and the traffic lights stop working. It resulted in a complete congestion of roads and total chaos. There is a domino effect when the electricity system is not working. It impacts hospitals, train systems, telecommunication systems, office building systems (such as elevators, security, and air conditioning), manufacturing systems and air traffic systems. If not prepared with an alternative power supply (which later on was installed in South Africa by businesses and consumers of electricity individually), a whole country comes to a standstill and it also may result in loss of life. Thinking of the Netherlands, this brings to mind the water management systems. If they shut down, part of the country could be flooded.
A form of cyber warfare
It appears that many of the more sophisticated OT cyber attacks are initiated by nation states. It is a form of cyber warfare that is directed at operational systems of specific facilities and in the end may have dramatic consequences for the safety of large groups of people. The above examples affect countries on a national scale. But in recent years, private businesses and their operational technology (OT) have also been disrupted by malware that damages their operational systems. An interesting PwC report on this subject is The Global State of Information Security® Survey 2018 - ‘Strengthening digital society against cyber shocks’.
Business impact
For businesses, cyber security breaches can have far-reaching material and immaterial consequences. At PwC’s global OT Cyber Experience Centre, we have looked into a number of these cyber attacks and their impact on the OT systems of companies. We observed that in some cases the malware had already been present in systems for years, only to become active when circumstances were right. This malware was intended either to damage systems for a specific consequential purpose, or to threaten damage and demand a ransom. This can then of course also have consequences for the reputation of a business and the trust placed in its products or services.
Distrust in the supply chain
The emergence of cyber crime and cyber attacks has caused distrust in the supply chain. Companies ask themselves: which component of which supplier can we rely on to be safe without having to worry about embedded malware in its systems? Businesses and consumers wonder about the safety and cyber resilience of digital components they buy from their suppliers. This has become a point of growing attention for businesses.
OT security assessments
PwC has found that most companies are aware of the importance of cyber security for their IT systems. On the other hand, many do not know that a lack of OT security also poses a serious threat to their business. Performing an assessment of the OT environment to get a clear picture of its vulnerabilities is critical. During an assessment different aspects can be reviewed: for example, the workforce and the security culture of a company, and third party risk management to establish the security of the supply chain, for instance by screening third parties. Preventative measures, such as anti-virus measures, password management, patch management and network segregation, should also be reviewed.
Incident response and crisis management
However, implementing the necessary security measures in OT environments is difficult. Often systems are old and need to be up and running 24/7, so implementing a patch is not feasible. Because of this, a focus on detection and incident response measures is critical. The quicker a company can detect a change in the environment that is not authorised or shows abnormal behaviour, the quicker it can respond and limit the impact of a cyber attack. Incident response and crisis management are critical factors to mitigate risks.
Different threats for different companies
The threats companies and their OT systems are facing vary per company. Companies should ask themselves a number of questions. Where might attacks come from? What type of IT and OT systems do we have? What are the consequences when our OT systems are damaged? Where are we in the supply chain? And there are also other factors a company should consider. For instance, does a company have publicly accessible OT systems used by contractors to do maintenance on the OT systems? Maybe the remote connectivity of these systems is insecure or maybe these systems are easily accessible physically. Companies should also check if they are missing vital security updates.
How to improve the protection of your OT systems?
So what can you do to improve the cyber resilience and the protection of your OT systems? First of all, you need to determine how to increase preventive measures without disrupting your production processes. Are you setting up new facilities, like a new factory? In that case you can design and build prevention, detection and response mechanisms into the facility right from the start of the design process. However, most facilities are not built from scratch and have been in use for years with numerous improvements. In that case you need to focus on understanding your design base and your OT assets, and determine your detection and response measures based on your installed configuration.
Security operations centre
A good step your company could take is to build a hybrid security operations centre. Such a centre can collect different data from different sources and can help identify security incidents in an early stage and even prevent them. The centre can for example gather physical security data and combine the data with IT-related and OT-related security data.
A more advanced option is to build a ‘digital twin’. You can teach the digital twin what the ‘normal’ state of your operations is, so that discrepancies from this normal state can be treated as possible security alerts and not only as maintenance alerts (for which a digital twin is normally used). You can also consider building testing labs to test the security and behaviour of specific operational components before implementing them into production. Some of these measures could very well be established together with partners and stakeholders from the sector in which your company operates.
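As an added illustration of the two points above (detecting an unauthorised change or abnormal behaviour quickly, and treating a discrepancy from a learned ‘normal’ state as a security alert rather than only a maintenance alert), the following script is an example written for this page, not code from PwC, HSD or any product. It learns a baseline setpoint and sensor tolerance from a window of known-good readings, then labels live readings. A sensor drifting away from an unchanged setpoint is a maintenance alert; a setpoint that changes without a matching change-management record is a security alert; a setpoint change that a work order explains becomes the new normal. The asset name, readings and work-order record are all constructed for the example.

```python
# Added example (not code from the HSD page or from PwC): a minimal baseline-and-
# discrepancy check of the kind a digital twin or hybrid SOC could run over OT
# telemetry. Every asset, reading and work-order record below is constructed.
from dataclasses import dataclass
from statistics import pstdev


@dataclass(frozen=True)
class Reading:
    ts: int          # seconds since the start of the trace (constructed)
    asset: str       # constructed asset name
    setpoint: float  # value the controller was commanded to hold
    measured: float  # value the field sensor reports


@dataclass(frozen=True)
class AuthorisedChange:
    ticket: str      # constructed work-order id
    asset: str
    ts_from: int     # window in which the approved change may appear
    ts_to: int
    setpoint: float  # the new commanded value the ticket approves


# Constructed window of known-good operation: the setpoint is steady and the
# sensor jitters around it by a few units.
BASELINE_WINDOW = [
    Reading(t, "pump-07", 1000.0, 1000.0 + d)
    for t, d in enumerate([2, -1, 3, 0, -2, 1, 2, -3, 1, 0])
]

# Constructed live readings covering the cases discussed in the text.
LIVE_READINGS = [
    Reading(100, "pump-07", 1000.0, 1001.0),  # normal
    Reading(101, "pump-07", 1000.0, 1040.0),  # sensor drift, setpoint untouched
    Reading(102, "pump-07", 1400.0, 1402.0),  # setpoint jumped with no work order
    Reading(103, "pump-07", 900.0, 901.0),    # setpoint changed under WO-4711
]

# Constructed change-management records the detector reconciles against.
AUTHORISED_CHANGES = [AuthorisedChange("WO-4711", "pump-07", 100, 110, 900.0)]


def build_baseline(window):
    """Learn the 'normal' state: the expected setpoint and how noisy the sensor is."""
    setpoints = {r.setpoint for r in window}
    if len(setpoints) != 1:
        raise ValueError("baseline window must cover a single steady setpoint")
    residuals = [r.measured - r.setpoint for r in window]
    # A perfectly flat window would give a zero tolerance; fall back to 1.0.
    return {"setpoint": setpoints.pop(), "sigma": pstdev(residuals) or 1.0}


def is_authorised(reading, changes):
    """True if a change record approves exactly this setpoint, asset and time window."""
    return any(
        c.asset == reading.asset
        and c.ts_from <= reading.ts <= c.ts_to
        and c.setpoint == reading.setpoint
        for c in changes
    )


def classify(readings, baseline, changes, k=4.0):
    """Label each reading. A setpoint the baseline does not know about is a
    security alert unless change management can explain it; a measured value
    more than k sigma from an unchanged setpoint is a maintenance alert."""
    state = dict(baseline)
    labels = []
    for r in readings:
        if r.setpoint != state["setpoint"]:
            if is_authorised(r, changes):
                state["setpoint"] = r.setpoint   # accept the approved new normal
                labels.append("authorised_change")
            else:
                labels.append("security_alert")
        elif abs(r.measured - r.setpoint) > k * state["sigma"]:
            labels.append("maintenance_alert")   # process drift, not a command change
        else:
            labels.append("normal")
    return labels


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_WINDOW)
    for r, label in zip(LIVE_READINGS, classify(LIVE_READINGS, baseline, AUTHORISED_CHANGES)):
        print(r.ts, r.asset, r.setpoint, r.measured, "->", label)
```

The design choice worth noting is the split between the two alert types: a change in what the controller was told to do is reconciled against change records, while a change in what the sensor reports is judged against the learned tolerance. Conflating the two is how a manipulated setpoint ends up filed as a maintenance ticket.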
The human factor
Finally, it is important to consider the human factor if you want to improve the OT security of your company and create a secure culture. Often it is the intervention of people that malware exploits and which causes security breaches that otherwise could have been prevented.
First steps to take
So what can you do if you are uncertain about the OT security in your organisation?
It depends on your situation. However, with existing facilities as well as in many other situations: start with a quick scan to determine the current situation and its vulnerabilities and risks. This creates clarity. Based on the findings, determine the solution architecture, measures and roadmap that are required to improve.