Where business systems meet process control systems; the cyber security weak spot

09 April 2019


 

High-profile cyberattacks that disrupt operations across the targeted organisation hit the headlines every now and then. One of the latest is the ransomware attack on Norsk Hydro in March, which impacted operations in several of the company’s business areas. Perhaps the highest-profile cybersecurity incidents of the past ten years include the Triton and the Ukraine electricity blackout cases, which hit the OT networks. But how many more incidents go unreported? Industry statistics indicate that 40-60% of companies were aware of having experienced some form of cyberattack last year. How many more had an attack but were unaware?

The cyber threat to critical industrial assets is no longer speculation. Cyberattack is now an international concern. High value industrial assets are a prime target for criminal gangs and politically motivated or nation state attackers alike. Asset deprivation costs money and may cost lives. The owners of those assets need to look at protection in depth by all means available: physical, technical, procedural and behavioural. We have seen several high-profile instances where malicious actors have successfully impacted operations.

In the UK, the regulator, the Health and Safety Executive, has carried out trial inspections of cyber security at a number of industrial sites and, following the adoption of the NIS Directive, is now in the process of inspecting sites for both cyber security and critical infrastructure implications, with the prospect of significant penalties for failures in the very near future. Putting the technical solutions in place has to go hand in hand with having the right management structures in place.

Separating operational networks from the corporate and external networks, such as the internet, is the obvious ideal solution, but in order to get the most benefit from their process control systems, organisations are increasingly integrating them with their Enterprise Resource Planning systems, such as stock tracking, order handling, and even HR software. This integration represents a potential means of ingress, and a tempting target, for hackers and cyber saboteurs. However, the vulnerabilities of such systems and the routes into the OT network are rarely discussed. EEMUA’s annual Cyber Security Seminar on 23 May will include this issue.

Many people are aware that they have a cyber security problem, but until they understand the extent of the problem, a complete solution will elude them. In the EEMUA seminar we’ll be attempting to cast some light into some of the darker corners of cyber security: how worrying the issues are and what the remedies are. It should be of interest to anyone who works on industrial sites where complex control systems are installed and are critical to safe and effective operation.

I look forward to seeing you on 23 May. Book your place today!   

Edward Kessler
EEMUA Technical Executive