Cybercriminals have proven that they are more than ready to strike critical infrastructure, with potential examples of cyberattacks ranging from power facilities, transport systems and manufacturing plants, to water treatment facilities and defence systems, coming to the fore. It is clear that the chances of a cyber-related operational breakdown are higher than ever before, meaning that the time to broaden our understanding of relevant cybersecurity issues for industrial control systems and operational technology (OT) is now – we need to realise that it can happen to us and how to take the necessary steps to prevent these compromises.
This is according to Barak Perelman, CEO and co-founder of Indegy, a leader in industrial cybersecurity that protects industrial control system networks from cyberthreats, human error and malicious insiders. Indegy solutions are now brought to South Africa and throughout Africa by African value-added distributor, Networks Unlimited Africa.
“Indegy undertakes to protect industrial control systems from external cyberthreats, malicious insiders and human error, and all three areas of protection are just as important to our users,” said Perelman.
“People are very used to thinking about the possibility of external cyberthreats, and yet we have found that the most common cyber incidents come from within an organisation.
“These in turn can be broken down into the malicious attack, and operational breakdowns caused by human error. Of these, human error is the most common – we are aware that industrial systems often use old technology, and this allows for more room for mistakes.
“As far as intentional insider threats are considered, reasons for these can range from disgruntled employees or former staff members with an axe to grind, to people wanting to earn overtime and setting up the system for failure in order to return for additional work, and thus extra payment.
“External threats, including malware, are in our experience the least common cyberthreat to industrial infrastructure, but they bring the most risk potential. Human errors, which bring more delicate system failures, usually result in shorter downtime than external threats. In comparison, a well-planned cyberattack will usually cause a lot more damage, which can include physical damages, financial costs and reputational threats for the business.”
Stefan van de Giessen, General Manager: Cybersecurity at Networks Unlimited Africa, added: “In the past decade or so, factors such as the rapid introduction of the Industrial Internet of Things (IIot) connectivity across production and supply lines, and the way in which OT is automating the modern world, have opened up new vulnerabilities for industrial infrastructure. With the boundaries between IT and OT blurring, industrial infrastructure operations are now no longer stand-alone operations, but part of the connected, online world. These new vulnerabilities to both cyberattack and also cyber error mean, in turn, that cybersecurity has become critical for these systems.”
“Many industrial operations are running on old control systems and are very vulnerable to today’s cybercriminals,” said Perelman.
“I believe there are two main reasons why industrial technology operators are not paying more attention to cybersecurity, and these are a lack of knowledge and education around the risk to critical infrastructures, as well as the rapid pace of change.
“The cyber risk to critical infrastructure is a relatively new challenge. If we look at the situation five to 10 years ago, many of these systems were completely disconnected from the outside world – IoT technology was not yet in play and the systems were limited to operation within the company’s network. With the rapid pace of change, security operators did not always give much thought to cyber implications and were unaware of the growing risks. This has begun changing in recent years and OT security operators now understand that their operational technologies are connected to the operation’s IT systems or main network.”
Perelman also extends a cautionary note to sovereign states, noting, “Education is key. “Governments need to make sure that those in charge of industrial infrastructure in their countries are aware of the evolution of the cyberthreat landscape.
“Criminals today are no longer just targeting financial services – the 2015 attack in the Ukraine, when hackers took control of the country’s power grid and plunged over 225,000 homes and businesses into darkness for hours, is proof of this.
“The attack was widely regarded as being the first example of hackers shutting off critical energy systems and was followed a year later by another attack that cut power hundreds of thousands of residents in the country’s capital, Kiev.
“Governments therefore need to encourage the adoption of new knowledge in order to protect their power and water supplies, oil and gas operations, manufacturing plants, transport systems and so on.”
He believes that Africa as a region is quite vulnerable to critical industry attack, explaining, “Africa overall shows very fast adoption rates of new technology. This integration of new technology means that older facilities – once outside the reach of the internet and the world – are now open to threat. While internet-enabled communications allow for remote access and more efficiencies, the core message is the same: the risk is increased. We therefore need to bear this in mind.
“Indegy chose to partner with Networks Unlimited Africa to bring our solutions into sub-Saharan Africa, because we have found in them a local partner that is familiar with the region and its best business practices, across several key industrial markets. We were also impressed with the company’s approach, which is not only about cybersecurity, but also about guiding end users through the entire IT lifecycle, including digital adoption. In Networks Unlimited Africa we have found a partner that understands the entire landscape.”
Perelman extends a reminder that attitudes need to change. “People too often believe that ‘It won’t happen to us – but it can’,” he said.
“The world is used to thinking about the classic external cyberattack, and yet, when we ask our customers, ‘when did you last experience down time because of a person?’ we find that everyone has an incident to report within the last year or so, due to human error.
“Cybersecurity for operational technology is not only about external attacks, but also about insider threats and human error. OT operators, companies and governments need to understand the necessity of adopting the correct cybersecurity tools in order to holistically cover all eventualities.”