Unmasking the weakest link in industrial systems
Connected industrial equipment under scrutiny as attacks on SCADA systems escalate
Industrial systems could become the next major target for cybercrime, especially for hackers of a state-actor inclination.
Late last year, the media reported on a coordinated, multi-faceted cyberattack on a Ukrainian power company that left more than 80,000 people without power during Christmas.
The incident was most likely the work of state-sponsored hackers who used highly destructive malware to gain access to the Supervisory Control and Data Acquisition (SCADA) systems used by the power company and cripple its distribution network.
With the Ukrainian attack as a backdrop, Eugene Kaspersky, CEO of Kaspersky Lab, last month issued a warning that a complete shutdown of society instigated by hackers taking advantage of insecure infrastructure was possible.
Kaspersky said such attacks could lead to the collapse of urban facilities, water, internet and mobile networks.
Numerous other attacks targeting industrial or SCADA systems continue to simmer, albeit on a smaller scale.
Andrey Nikishin, head of future technologies projects at Kaspersky Lab, says that established manufacturing companies’ primary focus is on safety for their industrial equipment. With digitalisation, they start to connect their devices to the internet, but are still concerned about safety and not cybersecurity. As a result, their devices are safe, but not cyber-secure.
Unfortunately, for connected devices (cyber-physical devices), the risk in cybersecurity reflects directly on the safety of these gadgets. A good example is the hacking of a connected car, which can be taken over by an attacker and set to crash.
“As systems become increasingly cyber physical, security is needed to maintain safety, or what we refer to as ‘security for safety’,” says Nikishin.
Further, a lot of small companies are very eager to release products to market as fast as possible, but less concerned with security. The result is the existence of millions of vulnerable and potentially hackable devices, as the Mirai botnet attack of last year showed. “Because IT is not the core competence of some of these equipment manufacturers, they underestimate the risks involved,” Nikishin observes.
The solution ultimately is the development of a secure platform onto which all other applications can be built. Kaspersky has developed such a foundation with KasperskyOS.
KasperskyOS is designed to protect embedded connected devices or IoT. This is a specialised operating system designed for embedded systems with strict cybersecurity requirements. By design, KasperskyOS significantly reduces the chances of undocumented functionality and thus mitigates the risk of cyberattacks. KasperskyOS is now commercially available to OEMs, ODMs, systems integrators and software developers around the world and introduces a secure-by-design environment for the ever-growing and increasingly attacked embedded systems and IoT devices.
“If the whole ecosystem is secure, you have significantly lower risk,” says Nikishin.
However, in parallel, there is still a need to provide other products for IoT to secure existing infrastructure, hence the Kaspersky Industrial Cyber Security solution.
The challenge in securing SCADA lies in the fact that the industrial environment is much more complex than the office environment. For a typical office environment, one could install the security solutions within days. An industrial environment would require months. And this has to be done without disrupting the technological process, for instance the process of treating water in a water plant.
To properly protect their environments, industrial systems included, security managers and CIOs need to develop a Threat Model. This is the formal process of assessing potential threats. It should include a policy of not just finding threats, but also carrying out a risk analysis that establishes the probability of those risks occurring and the impact if the risks come to pass. “IT organisations need to understand that security is a process, not a project,” says Nikishin.
A good security manager is reasonably paranoid, Nikishin states. “They understand they are a potential target. It makes them a little bit more careful,” he says, adding, “Threat Intelligence is thus a very good additional level of security so that security managers can educate themselves and reasonably assess the possible risk.”