In December 2015, an unprecedented cyber attack on the Ukrainian power grid saw sophisticated hackers remotely take over a control centre that distributes power to the western region of the country.
The hackers were able to control circuit breakers at a substation and take it offline. Thousands of residents lost power. Operators were unable to regain control as the cyber criminals had already changed security passwords, allowing them to take another 30 substations and two power distribution centres offline.
More than 230,000 residents were left without power. Experts believe the attack to have been politically motivated and highly organised, with the hackers having most likely found a way into the system weeks or even months before to learn how the control system worked and how best to take it down.
On the rise
While this event is spoken about due to its large-scale impact, these kinds of cyber attacks on critical infrastructure are becoming more common.
Eugene Kaspersky, chief executive of antivirus software company Kaspersky Lab, has said that while cyber sabotage and cyber terrorism have been the most frequent kinds of attack, criminally motivated attacks are also increasing.
In 2013, drug traffickers recruited hackers to breach IT systems that controlled the movement and location of shipping containers at the port of Antwerp, allowing them to hide cocaine and heroin among legitimate cargo on its way to South America.
Hacks of Supervisory Control And Data Acquisition (SCADA) controls are also not unheard of, with Kaspersky saying that cyber criminals have even been able to change temperatures or weight displays to disrupt manufacturing processes.
Jalal Bouhdada, Industrial Control Systems (ICS) security consultant at industrial cyber security firm Applied Risk, says the risks associated with unsecured ICS and SCADA systems can shift from “isolated, insecure, air-gapped systems, to a more interconnected and open infrastructure”. This means systems can become exposed to threats that could impact human life, assets, production, the environment and an asset owner’s reputation.
In order to combat these threats, Bouhdada says businesses must consider the numerous security risks that are associated with safety engineering workstations, controllers and communication protocol vulnerabilities, which are often overlooked by suppliers.
“Continuous security assessments must be undertaken and control systems staff must be provided with the security training necessary to effectively protect critical environments against attack.
“With cybersecurity incidents continuing to target industrial control systems, investing in cybersecurity measures should not be seen as a burden, but rather as an enabler that can save lives and enhance productivity.”
Not prepared for attack
Software experts and engineering organisations came together at a recent panel discussion in London and warned that the world is not prepared for serious cyber attacks on critical infrastructure.
Speaking at the panel discussion, Kaspersky said: “Sometimes they use equipment that was never intended for external access, not to mention software that was created decades ago and has not been upgraded since.
“This is a very serious issue because not only is the continuity of the production process at stake; the environment and even human lives can be at risk.”
An added problem raised at the discussion is that the computer management systems running critical infrastructure are rarely checked with the rigour and regularity applied to physical components. The panel, which also included figures from the BMGroup and the Institute of Civil Engineering, felt that this was largely the result of a lack of government regulation.
“Buildings are built with strict standards, regulations and penalties. Cyber-systems can be set up in whatever way they want,” said Kaspersky, adding that there’s a widespread attitude of “it works: don’t touch” towards computer systems.
In such a landscape, he said, it was hardly surprising that the Paris airport of Orly was discovered recently to be partly managed by a 1992 version of Microsoft software. “It’s a mess,” said Kaspersky. “And it’s a mess that criminals can easily exploit.”
In a bid to tackle this, Kaspersky Lab is also actively cooperating with manufacturers of automation systems in order to develop equipment that takes new cybersecurity standards and requirements into consideration.
Failure to invest
Manufacturers in the UK have recently been urged to take a test to check how cyber aware they are. The free test has been designed by the EEF, the manufacturers’ organisation, after new research revealed that companies could be unknowingly leaving themselves vulnerable to a cyber attack, with smaller businesses particularly at risk.
EEF’s findings show that just under half (46%) of manufacturers have failed to increase their investment in cyber security in the past two years. Amongst small manufacturers this rises to 56%. Two in ten firms (20%) are not actively making employees aware of cyber risks, while less than six in ten (56%) say cyber security is given serious attention by their board.
With the age of Industry 4.0 and smart, connected factories just around the corner, it is likely that cyber attacks will become more sophisticated and commonplace, so let’s hope manufacturers listen to the early warning calls and get cyber secure sooner rather than later.