by Bharat Mistry
Critical national infrastructure (CNI) covers a wide variety of industries. But what most have in common is that they run industrial control systems (ICS) and other operational technology (OT). Increasingly, these are being enhanced by new investments in Internet of Things (IoT) systems, in a bid to improve efficiency. The problem is, as these legacy technologies are brought online and integrated with IT systems, they become exposed to new cyber risks, with potentially major repercussions.
A new global study reveals that 90% of CNI providers have suffered damage to their environment as a result of cyber-attacks over the past 24 months. To support business growth and minimise risk, CNI firms need to improve visibility and control in these OT environments.
CNI under attack
Of the 90% of CNI firms that claimed to have been damaged by an attack over the past two years, 62% had suffered twice or more, resulting in data breaches and disruption. Half said they’d suffered downtime. A lack of visibility into these environments was cited by 80% as the top barrier to preventing threats.
These findings chime somewhat with a new Trend Micro report detailing the growing cyber risk facing the manufacturing sector, an industry which uses a great deal of heavy machinery, OT and IoT. These environments have historically often been managed by OT teams, with a focus on availability, safety and reliability rather than the confidentiality and integrity which IT teams typically prioritise. This means platforms are often left running outdated operating systems and software, with regular patching sidelined over fears it could break mission-critical systems, or at least put them out of action while patches are installed.
We found that 65% of manufacturing organisations are running outdated OSes, with almost twice as many running XP machines as in any other sector. That may have been OK in years gone by, when many systems were air-gapped from the internet, but this is no longer the case, and these systems are now exposed to attack by remote hackers. In fact, the human-machine interfaces (HMIs) linked to ICS accounted for over 60% (61%) of the vulnerabilities reported to ICS-CERT last year.
CNI organisations are similarly exposed, increasing the risk of sabotage and extortion or theft of sensitive IP. With Russia and other state-sponsored attackers increasingly targeting CNI facilities in the UK, it’s time to refocus cybersecurity efforts.
What to do
In fact, since May 2018 the European NIS Directive has mandated “operators of essential services” in various sectors to put in place best practice security processes and controls to mitigate exactly these risks. The National Cyber Security Centre (NCSC) has released some handy guidance. CNI operators should take note: although less widely publicised than the GDPR, the new law grants regulators the power to fine the same sums, up to £17m or 4% of global annual turnover, for serious non-compliance.
We’d therefore urge CNI providers to consider the following in a bid to improve baseline cybersecurity:
- Restrict user access and permissions
- Enforce domain/sub-network restrictions
- Disable directory listing
- Remove/disable unnecessary services
- Try to improve integration between IT and OT teams
- Map IT and OT assets
- Apply appropriate protection – patching promptly if possible (via isolated testing environment), or virtual patching, IDS, and app control to mitigate risk
- Improve end user education
To find out more, read our report, Securing Smart Factories: Threats to Manufacturing Environments in the Era of Industry 4.0.