Cyber Horizons
Cyber Horizons

Industrial cyber security: why should you protect yourself?

Published on 19 December 2022
Stéphane Potier
By Stéphane Potier
The French National Cyber Security Agency (ANSSI) has warned about the risks associated with securing industrial systems. A rise in cyber threats targeting this type of environment is not just a figment of our imagination; the figures speak for themselves. How can we protect ourselves from cyber attacks in an industrial setting? What are the constraints and solutions to counter them? Read on for an overview and possible avenues of actions.

91%

91% of industrial organisations report having experienced at least one security issue in their OT environment in 2021 (Kaspersky ICS Security Survey 2022).

What is OT cyber security?

Operational Technology (OT) refers to all monitoring and control technologies. Not to be confused with IIoT (Internet of Industrial Things), a parallel field concerning connected devices within an industrial environment.

OT security is intended to ensure the safe and sustainable operation of industrial production tools and protect people and goods.

Industrial cyber security: Advens’ point of view

Industrial cyber security should cover a broad spectrum of markets and not be limited to industry in the strict sense of “factories”, as in the buildings themselves. It encompasses all types of physical flows.

Examples of areas of industrial cyber security
  • Logistics patterns and warehouses.
  • In smart cities: securing road signs.
  • In industrial buildings managed by local authorities: communal heating systems.

The management of a tunnel or an electric dam can have the same cyber security issues as a food-processing factory.

Why invest in cyber security in industrial environments?

OT environments are cyber attackers’ latest target

Attacking the IT sector is becoming more complex because information systems are increasingly well-protected. IT players today have a good level of cyber maturity: raising staff awareness, increasing cyber skills, deploying new generation solutions (EDR, NDR), etc.

And the direct consequence of their increased IT cyber resilience? Hackers are turning to a less secure business: the industrial environment.

Attacks on OT can cause collateral damage beyond the scope of a company, including a direct impact on its production line (an organisation’s main source of revenue) or damage to the environment and public health (e.g. radiation leaks or chemical spills).

The attack on the Oldsmar plant

In 2021, a cyber attacker hacked into the computer network of a water treatment plant in Florida. They increased the sodium hydroxide content of the water by a factor of 100, a dangerous and corrosive concentration. A technician detected an intrusion in the IT system and immediately reduced the concentration. The contaminated water didn’t reach the distribution system.

This is just one example of how vulnerable the industrial sector is, as it affects external factors related to the environment and public health.

Source: The New York Times, 2021

A larger attack surface due to equipment interoperability

The industrial operating model has evolved and changed over the last 5 or 6 years.
In the past, OT environments were very secure with respect to cyber security. They were also easy to monitor because the equipment was isolated and heterogeneous. But these technologies are now outdated and could be vulnerable if we digitised them today.

In the Industry 4.0 era, industrial equipment is data-centric: everything communicates and is connected. There is greater cohesion because everything revolves around IT technologies.

The convergence of OT and IT cyber security

The overall process of cyber security in OT is the same as in IT:

  • Identify the environment.
  • Find vulnerabilities (access, configuration, software defects, CVE, etc.).
  • Try to remediate them.
  • Where remediation is not possible, detect and contain the threat with the SOC.

It is essential to adapt the process to the particularities of the OT: the deployment of solutions will vary to fit the realities of the industry.

Three specific OT/IT features to bear in mind

#1 Life span of the equipment

Old OT systems were not connectable, and therefore not particularly vulnerable. Newer equipment is connectable but is not built to be resistant to cyber attacks. As a result, it has vulnerabilities that need to be dealt with and secured.

#2 Vulnerability management is different

The OT process is much more limited than in the IT world because OT systems must be operational 24/7. The windows of opportunity to update equipment are restricted to keep system downtime to a minimum.

The new equipment is connected, but comes with vulnerabilities, most of which remain in the equipment over time.

#3 False positives

False positive security alerts entail serious consequences. Since they require you to take action on operational equipment, they can impact the entire production line. Whereas in IT, the affected computer is disconnected from the network until the alert is confirmed.

To avoid any damage to the production line, the requirements for confirming an incident must be more thorough. Training may be necessary for those carrying out this work.

Two steps to secure industrial operating systems

The triad of “Prevention-Detection-Reaction” should be a reflex in OT as in IT. However, when deploying cyber security solutions, the constraints of the industrial environment must be considered: production stoppage, time limits, etc.

38%

38% of companies report at least occasionally having to deal with a cyber security solution that affects their production and automation processes (Kaspersky ICS Security Survey 2022).

Step 1: Prevent attacks

Constraints
Solutions
Map facilities
  • Time-consuming work
  • Listing every item on complex servers
  • Put sensors on the industrial system (shadow OT, active/passive tools)
  • Collect data to build use cases on
Segment the network to make the attacker’s progress more difficult
  • Potentially complex target architecture design
  • Time-consuming set-up of segmentation rules that may affect production
  • Set up firewalls, flatten the network to help contain the attack
Authentification
  • Complex password management: no keyboards, fingerprint readers (gloves), or voice recognition (noise)
  • Provide each employee with a badge
Harden equipment
  • Process may not have been implemented before
  • Disable unused services
  • Use secure services (SFTP, HTTPS, etc.)
Carry out updates
  • Limited time: can only be done during maintenance (1-2 times per year)
  • Segment servers until the next shutdown
 

Step 2: Detect attacks and react

A process inspired by IT must be established to detect and analyse abnormal and malicious behaviour. It should manage unaddressed vulnerabilities via:

  • A dedicated tool: specialised OT detection probes that run 24/7 are much less intrusive and are familiar with the protocols used in the industrial world (bacnet, profinet, modbus, etc.), such as Nozomi, Claroty, CyberMDX, or Microsoft Defender for OT.
  • A SOC organisation and process that detects, analyses and remediates attacks.

The constraints of the industrial environment may not appear to be conducive to the adoption of a cyber security policy. However, protecting yourself from and preventing attacks due to the interoperability of industrial equipment is essential to avoid the serious consequences that a cyber attack can have. There are ways to prevent these threats without stopping a production line (less intrusive detection methods, segmentation, staff awareness).

Lately in Cyber Horizons

See all
New Horizons

Looking past the hype: the reality of automation in operational cyber security

13 january 2023Cyber Horizons
Handling the threat

Ransomware attack: our CERT’s response in detail

09 january 2023Cyber Horizons
A day in CISO’s life

Advens & CESIN study on the role of Cybersecurity Director

21 june 2022Cyber Horizons