Recent cyber-attacks have disabled and even shut down physical assets. Robust foundational security, and training staff to recognize an attack, can help mitigate the threat, as ABB’s Rob Putman explains.

Edge devices and data analytics

As cyber security specialists, we must navigate an ever-changing threat landscape, one that is made even more complex by the increased interconnectivity between Operational Technology (OT) and Information Technology (IT), as companies look to leverage edge devices and data analytics, as well as remote connectivity, in the wake of the COVID-19 pandemic.

As the threat surface evolves, the industry must guard against attacks on key physical infrastructure, carried out by a range of malicious actors, including nation states and criminals intent on blackmail.

The chemicals sector, a high-value target for cyber-criminals

In 2017, not long after a ransomware attack that targeted Maersk, the world’s largest shipping firm, made the news around the world, another cyber-attack, this time targeting physical industrial assets, generated fewer headlines, and yet could have resulted in both real, as well as financial, damage.

Cyber-criminals view the chemicals sector as a high-value target because of the potential cost, both financial and reputational, to the operator should production be interrupted or stopped entirely.

Cyber security vulnerabilities put physical assets at risk

The attack in question, a ‘Triton’ custom malware attack on a petro-chemical facility in Saudi Arabia, targeted a safety system, taking over system controllers. Bugs in the code triggered an emergency shutdown, but could have led to the release of toxic and explosive gases. It was a vivid reminder of how cyber security vulnerabilities are increasingly putting companies’ key physical assets at risk.

Two more-recent high-profile incidents illustrate my point. In February, a Florida water treatment plant was hacked. The malicious actor remotely accessed the system for three to five minutes, during which time they opened various functions on the screen, including one that controls the amount of sodium hydroxide (NaOH) in the water. The hacker changed the NaOH from about 100 parts per million to 11,100 parts per million, which could have resulted in a mass poisoning event.

Colonial Pipeline cyber-attack incident

Then, in May, the Colonial Pipeline system, which originates in Houston, Texas and carries gasoline and jet fuel, suffered a ransomware attack. Using a VPN, hackers targeted back-office IT systems, forcing Colonial to shut down IT hosts and network infrastructure, severing communication with those OT systems that are responsible for communicating ‘transactional data’ associated with fuel delivery.

In this instance, a single compromised password disrupted Colonial’s ability to invoice its customers. This dependency on OT data stopped pipeline and business operations, and the company elected to pay the hackers an initial ransom of US$ 4.4 million, in order to restore operations. The Colonial attack was multi-dimensional, in that it not only impacted Colonial’s business, but also the wider US economy and national security, since the pipeline transports nearly half of the east coast's fuel supplies.

Outdated IT system elevates physical risk

Attacks such as these prove that, armed with little more than a laptop, an email account and access to the dark web, determined hackers can cause disproportionate damage to physical infrastructure.

As mentioned at the outset, the increased interconnectivity between IT and OT can also create vulnerability. Producers often want to know: Is it risky to connect a production asset or their operational environment to the Cloud? My answer is, if you do so without having done any risk audits around people, processes and technology, or without enhancing and maintaining that environment, then yes, that is risky.

For example, we often observe that the life cycle of a production asset far outlasts the IT systems that are used to run it. Take a cement kiln. Several generations of plant operators may have come and gone, but that asset may still run using legacy software, such as Windows XP, and why not?

Need to replace aging distributed control systems

Well, that’s fine, if you are not concerned about having that asset compromised, and all that entails. A ‘flat’ IT network, an aging distributed control system, and machines with legacy versions of Microsoft Windows, all these elements, which are still commonplace in many industries, make it much easier for attackers to find and infiltrate a company, without needing sophisticated tools.

The age-old mantra of not interfering with a piece of equipment or software that appears to be working often applies to individual assets, for example that cement kiln that is still controlled by the same Windows XP-based control software.

However, if we’re honest, things have changed quite a bit, not because something was broken, but because innovation came in. That same kiln control system is most likely connected to other systems than it was when first commissioned, and that exposes it to threats that it was never designed for.

The human element

There is a misconception that IoT-connected devices can open companies to risk, but many recent, high-profile cyber-attacks have been conducted from a laptop, by hacking someone’s VPN, or have been simple phishing/malware attacks. In all these cases, the human element is partly to blame.

Take the Florida attack. The compromised computer at the water treatment facility was reportedly running an outdated Windows 7 operating system, and staff all used the same password to gain remote access via the TeamViewer app, which the hacker was then able to use.

Physical and human assets, key to robust cyber security

Discussion on the best way to mitigate the threat is often framed solely around specific technical solutions and ignores the fact that robust foundational cyber security is really driven by two very different, but equally important, types of capital: physical assets (e.g. production machinery), and human assets.

The truth is that smart digital software and industry-renowned cyber security applications, while critical, are in many cases, only as good as the weakest human link in the chain. Industry would, therefore, do well to ask itself the following question: Do we have a security problem, or a complacency problem?

At this juncture, it is important to point out that the majority of companies that ABB works with are at least aware of the threat posed by cyber attackers, and the potential impact of an attack on their revenues, reputation and bottom line.

User error and human-generated exposures

However, user error and human-generated exposures are where most of these attacks occur. Those human failures are mostly not due to malicious intent from employees, but to a lack of employee training in secure behavior.

Making sure staff are aware of the threat and training them to respond properly, if they are targeted, is vital. However, there are also age demographics at play here. Much of the operations employee base is heading towards retirement and often, there is no plan or ability to backfill these people.

Need to invest in new digital and automated technologies

If you think you don't have enough people now, in order to stay on top of basic care and feeding of the OT environment, with regards to security, what is that going to be like in 20 years?

For this reason, there must be a major industry reset, when it comes to its workforce. Companies must invest in new digital and automated technologies, not only to ensure that they stay ahead of the curve and mitigate risk, but also to attract the next generation of digitally literate talent.

Robust cyber security is built on solid foundations

When we talk about foundational cyber security, we mean fundamentals, such as patching, malware protection, high-fidelity system backups, an up-to-date anti-virus system, and other options, such as application allow-listing and asset inventory. These basic controls can help companies understand their system setup and the potential threats, identify vulnerabilities, and assess their risk exposure.

The Pareto principle states that around 80% of consequences come from 20% of the causes. In the context of cyber security, that means 80% of exposure to risk comes from 20% of the lack of security. If companies do the foundational things right, they can manage out a significant amount of this risk.
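
As an added illustration (not code from ABB or from the original article), the asset inventory named among the foundational controls above can be audited for the weaknesses this article describes: unsupported Windows versions, a remote-access password shared by several staff, and a flat network. The inventory format, host names, credential ids and the /24 subnet size are hypothetical assumptions, and the sample data is constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import date

# Microsoft end-of-support dates for the legacy Windows versions the article names.
END_OF_SUPPORT = {"windows xp": date(2014, 4, 8), "windows 7": date(2020, 1, 14)}

# Constructed sample inventory: hosts, addresses and logins are hypothetical.
# remote_logins holds "user:credential-id" pairs separated by ";".
SAMPLE_INVENTORY = """\
host,zone,os,ip,remote_logins
kiln-hmi-01,OT,Windows XP,10.0.0.21,
water-hmi-02,OT,Windows 7,10.0.0.22,ann:c1;bob:c1;cy:c1
hist-01,OT,Windows Server 2019,10.0.5.30,svc:c7
erp-01,IT,Windows Server 2019,10.0.0.40,dee:c8;eli:c9
mail-01,IT,Windows Server 2022,10.1.0.10,fay:c10
"""


def audit(inventory_csv, today, prefix=24):
    """Return sorted (host, finding) tuples for an inventory in the format above."""
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    findings = []
    zones_by_net = defaultdict(set)
    for r in rows:
        r["net"] = ipaddress.ip_network(f"{r['ip']}/{prefix}", strict=False)
        zones_by_net[r["net"]].add(r["zone"])

    for r in rows:
        # 1. Operating system past vendor support: no more security patches.
        eos = END_OF_SUPPORT.get(r["os"].strip().lower())
        if eos and eos < today:
            findings.append((r["host"], f"{r['os']} unsupported since {eos}"))

        # 2. Several users behind one remote-access credential (shared password).
        users_by_cred = defaultdict(set)
        for pair in filter(None, r["remote_logins"].split(";")):
            user, cred = pair.split(":", 1)
            users_by_cred[cred].add(user)
        for cred, users in sorted(users_by_cred.items()):
            if len(users) > 1:
                findings.append(
                    (r["host"], f"credential {cred} shared by {len(users)} users"))

        # 3. Flat network: an OT host in the same subnet as IT hosts.
        if r["zone"] == "OT" and "IT" in zones_by_net[r["net"]]:
            findings.append((r["host"], f"OT host shares {r['net']} with IT"))

    return sorted(findings)


if __name__ == "__main__":
    for host, finding in audit(SAMPLE_INVENTORY, date(2021, 6, 1)):
        print(f"{host}: {finding}")
```

Hosts that produce no findings here (a supported OS, one credential per user, a subnet separate from IT) are left out of the result, so the output lists only the assets that need attention.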

Importance of maintaining and upgrading security controls

However, having basic security controls, such as anti-virus software in place, is just the first step on that journey. Equally important is having someone within the organization, with the requisite skill set, or the extra labor bandwidth, to operate, maintain and update those security controls, as they evolve.

Educating, training and recruiting existing employees, and the next generation of talent, along with forging partnerships with trusted technology providers, will ensure that industry can leverage the latest digital technologies, in order to drive business value, and secure physical assets against cyber-attacks.

Author profile

Rob Putman, Global Manager - Cyber Security Services, ABB Ltd.
