Complacent companies at highest risk of cyber attack
19 Nov 2013
Companies that employ outdated technologies and inefficient risk management tactics are at a higher risk of costly cyber-attacks, according to security analysts. Robert Smith reports
A recent study by the Ponemon Institute found that the average annualised cost of cyber-crime across 36 British companies amounted to almost £3 million per year, an increase of 36% since 2012.
Speaking in London during October, Invensys EMEA senior cyber-security lead Jay Abdallah said that energy companies are at the highest risk of attack, being targeted approximately 10,000 times globally per month by hackers.
SCADA and Industrial Control Systems (ICS) are most commonly attacked within process automation networks. Process plants running these systems have seen attacks increase by 600% in the past three years, said Abdallah, speaking at an Invensys-led event on cyber security.
The problem companies are facing, however, is not an initial attack that shuts a system down for a matter of hours or even days - it is the potential damage that can be caused by an extensive and undetected attack.
Although the Ponemon report suggested that the average attack takes 25 days to resolve, Abdallah explained that certain viruses can hack proprietary ICS and SCADA technology for five years before being detected, in which time masses of data could have been infiltrated, copied, corrupted and destroyed.
He even suggested a sophisticated hack would be able to cause physical damage to a process plant.
“The Stuxnet virus, which attacked Iranian nuclear facilities in June 2010, was designed to force a change in centrifuge rotor speed,” said Abdallah. “In doing so it slowed Iran’s nuclear progress by about two years.”
He added that he believes the best way to combat these attacks is to create a security system at the core of a business, starting with vulnerability audits, network audits and system hardening.
Joel Langill, an industrial control system security specialist who operates under the alias ‘SCADAhacker’, tells Process Engineering he had hoped that the Stuxnet attack would have opened companies’ eyes and forced them to re-evaluate security measures.
Siemens was one company whose equipment was hacked during the Stuxnet attacks, and Langill says they are one of the few companies to have actually implemented good working strategies against future attacks.
“Siemens learnt its lesson from what happened with Stuxnet,” says Langill. “They have driven a product road-map to fill in the gaps. Other companies that were targeted in the 2010 attack haven’t updated their systems in the same way, and that’s a problem.”
However, Langill adds that process systems are never going to be supplied 100% secure and the reason for that is that both the cyber-threat and regulatory compliance landscapes are continuously evolving.
“For energy utilities, in the US for example, they have to follow set security regulations,” says Langill.
“The problem is, whenever you force regulations on an entire sector, they will deploy technologies to meet the regulations. It’s inherently flawed as it’s not the optimal practice for those companies. They’re not doing what they should do; they’re doing what they have been told to do.”
Forced changes mean that certain companies are creating security systems that are unsuitable and unreliable for their specific needs, he adds.
If there were more continuity between policy makers and heads of sector, argues Langill, then cyber-security measures would begin to evolve at a much healthier rate.
However, as cyber-attacks are constantly diversifying, Langill says that aside from government regulations and outdated systems, firms must also consider the risks posed by their own internal staff, such as engineering and maintenance groups.
“Firms often assume that the threats all originate from the outside,” he says. “One of the biggest threats to firms comes from the engineers themselves and people that operate with elevated privileges.
Similarly, a threat that nobody seems to discuss is that of breaking into an industrial system through the supply chain. A company has to ask itself: what’s my vendor doing to secure their intellectual property or code base or support portal?”
Instead of going directly at the target, says Langill, many attacks target a less obvious weak spot in the larger system throughout the typical project lifecycle.
“That’s how many of the high profile attacks are working today,” he says.
However, McAfee EMEA vice president & chief technology officer Raj Samani says that even though sophisticated forms of attack exist and there is always going to be some level of potential risk within an organisation, there is usually an option to stifle it.
“From a technology point of view, if you screen your system correctly you have better detection capability, have the ability to manage potential threats remotely and you’re able to make sure potential threats don’t impact other parts of the network,” says Samani.
But it may not always be economically feasible for a company to rip out entire systems, for example, or update a whole network because of the threat of cyber-attacks.
“Firms have to start small when addressing cyber-security,” adds Langill.
“It’s a cost-avoidance, risk management concept. Ultimately, they still have to be able to manufacture goods that generate revenue with their current systems. After all, that is why we automated our manufacturing systems in the first place. To rip everything out isn’t economically or strategically viable for anyone.”
Both Langill and Abdallah agree that statistically, modern Distributed Control Systems (DCS) pose the least risk within process plants, but stress the fact that those risks are still out there.
“Unfortunately, even with the most advanced security systems in place there is still no silver bullet against cyber-attack,” Abdallah said.
However, he added that with complete system monitoring and management, companies can be sure the maximum is being done to keep their process plants running free from attack and to avoid the unnecessary “clean-up” costs after an attack occurs.
As the Ponemon report outlined, cyber-attacks are costing British companies anywhere from £378,919 to £17 million each year per company - a cost that companies could avoid if the appropriate systems at their disposal were properly utilised across a company’s entire operation.
“The cost of doing nothing is always the calculation I show people,” says Langill. “You have to show people what it will cost if they don’t do anything and don’t put the correct systems in place.”