Make Cybersecurity A Journey
EP Editorial Staff | July 1, 2021
Simply ticking boxes as steps to a destination will not provide the cybersecurity you need, particularly in this day of ransomware threats.
By Benjamin Dickinson, ABB Energy Industries
In recent years, incidents of ransomware have increased by more than 500%. As a result, it’s a widely held belief within the cybersecurity community that it is now a case of when you will be exploited, as opposed to if. The clock is ticking, and organizations are now coming to terms with the risk and magnitude of the impact of a cyberattack. It’s the large operators and organizations that are being disproportionately (but intentionally) targeted.
Cybersecurity legislation and standards are certainly in place, especially for critical infrastructure, but these should only be seen as the foundation of any system. Simply ticking boxes will not adequately shore up your defenses. Instead, a more holistic approach is required, coupled to a real understanding of what’s behind each tick box and how your strategy should be configured, deployed, and maintained.
Looking at these targets, the energy and utility sectors are regularly in the crosshairs, with a recent report highlighting that 50% of our customers, during a two-year period, experienced a cyberattack that resulted in downtime to plant operation. A case in point is the recent U.S. pipeline ransomware attack, which is still painfully fresh in the minds of all who were affected—especially the oil-and-gas-industry executives.
Rather disturbing is that there is a new concept out there, most easily badged “Ransomware as a Service.” Some criminals are actually leasing ransomware software, but they won’t lease it to just anyone. Potential users must prove they are hackers, and they must abide by rules, including only targeting organizations that can pay the ransom, as the operators have no intention of putting companies out of business.
Here’s where it gets bizarre. Many are also offering a support infrastructure, which will swing into action if malware victims choose to pay the ransom. They regularly explain that they’re not in the business of damaging systems and will provide the necessary support to recover from infections. They simply want their victim’s transition back to normal to be as smooth as possible.
Unfortunately, not only is hacking becoming more lucrative but, arguably, recent trends and shifts in technology are providing greater opportunities if the right cybersecurity controls are not implemented. This risk is something that the International Energy Agency (IEA), Paris, France (iea.org), points out in its recent report, Net Zero by 2050: A Roadmap for the Global Energy Sector. According to the report, “Cybersecurity could pose an even greater risk to electricity security, as systems incorporate more digitalized monitoring and controls in a growing number of power plants, electricity network assets, and storage facilities.”
This potential threat is equally applicable to any large plant or geographically dispersed operation, as greater and wider connectivity—especially to smart devices—is being exploited for two-way data traffic for control purposes and extraction of operational data. This proliferation of new smart end points—and the networks connecting them—means hackers have greater opportunities to find entry points into IT and OT systems.
While smart technology is all about agility, flexibility, and efficiency, it is equally important to consider security. If companies build these new systems using a traditional or legacy approach, where security is not embedded, it becomes much harder to install and configure it retroactively.
The risks and their likely impact need to be addressed at a much earlier stage, when an appropriate level of security can be defined. There must be a foundation, much like an office PC with anti-virus/anti-malware software and firewalls. This foundation must be maintained and strengthened with comprehensive and timely patch programs, updates, and back-ups, along with physical-security measures, such as managed switches, segregated networks, secure LANs, and firewalls.
Indeed, firewalls are a regular element of much of industry and government legislation concerning malware defense, but they’re also one of the boxes that simply gets ticked. Having a firewall and ticking the box to say you have one isn’t enough. Firewalls must be programmed, configured, and maintained to ensure their efficacy as part of a larger security system. There cannot be any weak links.
Standards are starting points
In general, regulatory standards do not often go into the detail needed to prescribe hardened systems, because they try to suit the needs of too many organizations, are designed by committee, and/or are influenced by lobbying. Regulatory standards should never be seen as a single solution to security issues. They are, however, a good foundation upon which you can base your planning and implementation. To a certain degree, the U.S. National Institute of Standards and Technology (NIST), Gaithersburg, MD (nist.gov), cybersecurity framework is excellent as a guidance document, as opposed to a mandatory standard/requirement. As a publication based on recommendations, it is able to go into more detail, compared to IEC 62443, which contains elements of box ticking.
Cybersecurity is a journey, not a destination. With professional support and a thorough analysis of your risks, you achieve a better understanding of where the destination may be. There is no prescribed path to take, as every journey will be different, but it’s safe to say that a threat assessment is a great first step. You need to consider how mature your security solution is, what risks you face, your current risk posture, and what you must do to adhere to regulations or legislation. It’s better to be a pessimist at the outset: start by assuming 100% risk, and use the potential outcomes to define critical objects, equipment, and/or attack vectors.
This assessment—which will be a core element, no matter what your risk level—will help set your position, form a foundation, and ensure you make initial investments in the right areas. Once this is done, additional security requirements and planning can be factored in, such as establishing inventories, creating application whitelists, undertaking system hardening, and defining strategies and policies to describe the program.
Training employees and contractors, and anyone else with access to IT/OT systems, is another essential part of the equation and is a great way to mitigate risk. It’s a fact of life that people often form the weak link in any security solution. Note that it’s rather rare that workers act maliciously. In most cases they’re simply trying to find easier ways of doing their jobs.
The latter stage (there is never really a final stage), as your cybersecurity program matures, is maintaining your systems. Patch it, upgrade it, replace it. Undertake all the evolutionary housekeeping exercises prescribed by software and hardware suppliers and you can be more assured that your security is being maintained.
Adopting and deploying modern cybersecurity practices should be seen as an opportunity, as they counter threats, reduce operational risk and, as a result, reduce the likely impact of an attack and the resulting negative impact on the bottom line.
Recent events are a sobering reminder of what’s at stake and the implications of being on the receiving end of a ransomware attack. Hackers don’t sit still. Neither should you or your suppliers. Standards and legislation certainly help at the foundation stage. To be more secure, you must build on this foundation, sometimes significantly. To minimize risk, start with regulation and then assess, implement, and maintain. If you treat security simply as a box-ticking exercise and then look at the statistical likelihood of being attacked, it really will not matter how many of the boxes are ticked.
Benjamin Dickinson is Global Product Manager for Cybersecurity at ABB’s Energy Industries in the UK. U.S. headquarters are in Atlanta (new.abb.com/process-automation/energy-industries). Dickinson leads delivery of cybersecurity services to help clients secure industrial systems. He previously worked at the UK’s National Cyber Security Centre, part of GCHQ, a world leader in the field of cybersecurity.