Standing up to cyber threats isn’t just about building a taller, thicker wall to defend against a marauding aggressor; peeking over the ever-increasing parapet builds a greater understanding of the types of threat.
Author: Dr Dorian Hindmarsh, Commercial Director, Proeon Systems Limited
NB: This article represents the thoughts of the author. No AI generation was used in the writing of this article.
It’s a battlefield out there. We don’t like to admit it, but our appetite for technology and the connected everything is blurring our admission that we’re at war. It’s not a conflict in the true sense of the word, with hand-to-hand combat and bombs, but it is a conflict that affects us all: it can damage people, business, finances and, of course, the environment.
By using digital technology as our basis for control, passing information and simplifying tasks, we need to understand that there are new issues to contend with. Historically, remote sites, offices or plants were communicated with via telephone lines: voices, people to people, direct instructions (and this does still happen in certain places). However, as we start to rationalise, assess and review, we see that technology has developed many answers to problems we didn’t know we needed solving, and potentially given rise to more problems.
Remotely controlling assets, processes and transactions, monitoring back at the head office and the remote sites, and collating information are now the metrics of good business practice. Data is often more valuable than the product or process that’s being monitored.
The Energy sector is a prime example of this: a high-value, high-demand commodity, with many assets positioned remotely, and a requirement to gather as much detail as possible, where risk is not just financial but also impacts the broader dependants right up to governments.
The blurring of the terms Operations Technology (OT) and Information Technology (IT) into a confusing array of network switches, industrial PLCs and office PCs, with a smorgasbord of interfaces, access levels, functions and communications platforms, is seriously not helping unpick this either.
So, what’s the easiest option? We’re all human; we look for the easiest solution to a complex problem, the fastest way to take the problem away. Well, we typically build a wall. It’s easy: brick by process-orientated brick we build up, protecting our valuable assets. Taller, to present an imposing barrier to the enemy. Thicker, through complex passwords and procedures, to slow down the advance from chipping away.
Defence is easy: use another brick, stack them high, make it thick.
There must have been a point in history where the wooden motte-and-bailey fortification was replaced by a stone wall and castellations, a moment in time where the stones were replaced by steel-reinforced concrete and bunkers, and now surface-to-air missiles and fast interceptor jets defend.
And just like the evolution of our physical walls, defence technology is progressing, evolving with Digital 4.0.
The issue is that defence is reactionary: it reacts to a new threat, adapts passively, slowly and with a different metre. And some may argue that it has no other choice. I beg to differ.
Let’s look at the aggressor, the protagonist, the lobber-of-stones. Let’s not get specific with clichés about teens in back bedrooms mounting attacks on your operations for spite; we need to look at all aspects, from hostile governments to financially incentivised groups in offices bigger than yours, terrorists and disgruntled employees.
Motivation is for another time, but let’s talk about the scale and resource of the aggressor. In any war, generally, there are many battles and many casualties; however, the aggressor is not hanging around, waiting, counting the next shipment of bricks to arrive. They are dynamic, agile, entrepreneurial, scheming. Their quarry is breaking through a growing brick wall, after all. The pace is different. They try attacks on your defences with tight focus; there are no restrictions, no procedures to follow, no regulations to be audited against. They can literally try anything. Rather like a business entrepreneur, they’re looking for a niche. A high failure rate is a given; each attempt to gain access is a learning curve (often shared with others) and yields useful knowledge of the height and thickness of your wall.
This attacking aggressor, for whatever reason, will not rest till your wall is breached.
So what can you do?
Well, conformance to a standard is a start (ISO/IEC 27001, IEC 62443, etc.), and that will tell you where to place your bricks, what type of mortar you need, and maybe even how to use a portcullis to allow staff in and out. These procedures will integrate into your business management systems and quality management systems and allow you to spot areas for improvement against obvious risk, and this should be your first step!
However, they, the aggressors, know this too. That’s the issue with standards: it’s a standard!
Thinking beyond that first step, perhaps you could consider technology changes that reduce risk through common-mode failure reduction. One OEM might be a target for a would-be cyber ninja, and if your entire plant runs on that OEM’s equipment you may suffer.
Can you maintain the separation of OT and IT? Sure, they use similar hardware, but failing to secure the rogue USB memory stick carrying that cartoon meme that’s been going round the Finance office may be an epic fail for the engineering department later on.
Upgrades and the latest tech: this is an area you should get to grips with. If each rogue opponent on the other side of the growing wall can try new things at each failing, so can you. Develop a strategy of continuous improvement (a term bandied around a lot), but before initiating the latest tech on your fleet of offshore wind turbines, or your hydrogen plant, try building a model first. The adopted term is a “digital twin”, and it means different things to different people, but building a functioning digital model in a safe environment (sometimes called a “sandbox”) can enable you to quickly and efficiently test successes and failures long before you install on your plant.
This twin of your plant’s control process has many advantages and, when maintained in parallel, can give you the ability to test OEM system patches for compatibility, make changes to the process for improvement, highlight challenges, and build a perfect staff training facility. All within the safety of an offline environment.
Why not? It’s what your aggressor is doing, except their sandbox is your real-life system.
Staff need to understand their role and accountability in all aspects of cyber security; keeping them informed, trained, and onside is as important as your systems. There is no point building a castle and leaving the fire door open, is there? People are most often seen as the most common point of failure for cyber security, but with the right mix of training, discipline, and knowledge we can mitigate against it.
And finally, layers of protection are often at the heart of any defence system, but do not discount the option to unplug it entirely. Do you need to connect it? Can it be on its own island?
The above is designed as a thought-provoking take on operational cyber security, and the take-away is to think beyond simple defence and ponder where you can strategically gain an advantage.