Hacked off

Flawed IT security costs British businesses £21 billion a year, discovers Malcolm Wheatley. So how much is your company losing?

In late September, Japan’s largest defence contractor, Mitsubishi Heavy Industries, acknowledged that its computer systems had been breached by hackers.

The cyber miscreants evaded firewalls and security measures to plant malware in 45 Japan-based servers as well as numerous individual PCs. Systems in the nuclear and missile guidance businesses at Mitsubishi were among those compromised by the hackers who certainly succeeded in obtaining IP addresses before the assault was identified. So far Mitsubishi has not discovered any actual data losses but has also been unable to identify the perpetrators of the attack. Chinese hackers are suspected.

This attack on Mitsubishi Heavy Industries is, however, only the latest in a string of attacks on high-profile organisations with the intent to thieve, damage or cause mischief. In May this year the world’s largest defence contractor, Lockheed Martin, succumbed to a similar invasion, which raised serious concerns over the vulnerability of vital defence technology secrets. Lockheed, which manufactures the F-22 and F-35 fighter planes, liaised closely with the Pentagon to try to identify exactly what data might have been compromised and to identify the hackers. Eventually it was discovered that the breach had been achieved using data stolen from another US defence company, RSA Security, but there the trail went cold as far as hard proof is concerned.

Despite advances in IT security in recent years, the past few months have repeatedly shown that the threats from hackers, ‘malware’ and other IT nasties are far from receding. What’s more, it’s clearly no longer purely organisations such as banks and online retailers that are on the front line.

For with their supply chains, administrative systems, and factory operations increasingly linked to the outside world, manufacturers too are more vulnerable than ever to breaches of their IT security. And the dangers are also more diverse than ever – ranging from outright fraud, to loss of intellectual property and damage.

Overall, in fact, a report undertaken in conjunction with the Cabinet Office by IT consultants Detica – a subsidiary of defence contractor BAE Systems – put the cost of cybercrime to UK businesses at a whopping £21 billion a year, with hi-tech manufacturers ranging from aerospace to electronics and pharmaceutical manufacturers most at risk.

Yet equally clearly, the IT security industry has a vested interest in over-hyping the risks.

Threat level

So just how real are the dangers lurking in manufacturers’ corporate networks? Where are the biggest areas of vulnerability? And what can manufacturers do to protect themselves?

The scenario at Lockheed Martin appears to confirm that the hype is probably justified. Indeed Bill Trueman, CEO of fraud specialists UKFraud.co.uk, says the hype from the IT security community largely serves to compensate for the all too common sense of complacency found in many organisations.

“The impact of a security breach on business can be catastrophic – and if over-hyping the risk compensates for this complacency then so be it,” he stresses. “In general, most of the hype is justifiable, and in point of fact is probably best practice.”

It is certainly difficult to balance necessary warnings and alerts against the desire not to induce panic. In the wake of last year’s Stuxnet virus attack on the Siemens microcontrollers and SCADA systems operating Iran’s nuclear centrifuges, pundits were predicting that factories worldwide would be beset by all manner of doomsday scenarios.

In fact, the attack – which contained no fewer than four ‘zero day’ hacks, and which has been popularly ascribed to Israeli intelligence operatives – appears to have been a one-off. Certainly, there have been no similar attacks reported since. Were commentators playing a dangerous game of ‘cry wolf’?

Alex Ayers, director of operations at SAP security specialist Turnkey Consulting, denies this. He sees Stuxnet as “a shot across the bows of manufacturing industry”. And while microcontrollers won’t necessarily be the next target, he believes that it can no longer be assumed that ERP and other core corporate systems won’t be targeted in a similar fashion.

The bad news is that those attacks may already have started – and manufacturers worrying about viruses, ‘scareware’ and ‘distributed denial of service’ attacks may be fighting yesterday’s war, not tomorrow’s.

Inside knowledge

Take a look at the details underpinning that £21bn cost of cybercrime to UK businesses – a figure endorsed by the Cabinet Office – and it’s very clear where the principal threats lie.

A whopping £9.2bn comes from the theft of intellectual property (IP), with a further £7.6bn coming from industrial espionage – which can involve IP theft, but which can also include snooping to identify how companies might bid in tender auctions, for instance, as well as the identification of about-to-be-published information that might affect share prices. Add in the £1bn attributed to the theft of customer data, and it’s clear that the financial consequences of outright fraud, extortion and ‘scareware’ are relatively minor in nature.

“There are growing instances of cyber criminals offering their services to manufacturing firms,” says Detica’s technical director, Henry Harrison. “There’s no question that there are a fairly large number of incidents taking place: what’s less clear is where the information is going.”

And a widespread blind spot prevents many manufacturers from waking up to the risk that they face, adds Christian Toon, head of information security at information management specialist Iron Mountain.

“Companies generally have very little idea of what they possess in the form of intellectual property,” he stresses. “They think ‘patents’, and stop there. They don’t think about equally valuable information such as customer lists, supplier details, bills of material, process routings and sales statistics, for example. In the right hands – or rather, the wrong hands – all of these are potentially very valuable.”

Nor need the threat to intellectual property come from outsiders hacking into manufacturers’ systems.

“The biggest threat is always the internal employee, either inadvertently or intentionally leaking data or bringing security risks into the environment,” warns Robert Rutherford, chief executive of QuoStar, a specialist provider of IT services, consultancy and support to UK manufacturers. “We’ve seen a director leave a company, and start up his own competing business just down the road – and getting sales databases and designs sent to him by existing employees.”

So what can manufacturers do to protect themselves from intellectual property theft?

Start by putting in place security policies and procedures to govern who has access to specific pieces of information, advises David Emm, a senior security researcher at security specialists Kaspersky Lab.

“You have to consider levels of access, and levels of connectivity,” he advises. The logic? If people haven’t got access to data, they can’t leak or steal it.

And don’t just pay lip service to policies once they are put in place, adds QuoStar’s Rutherford: audit, monitor, and enforce compliance.

“The simplest and most cost-effective way to boost security is always a strict policy, backed by clearly explained sanctions in case of breaches,” he stresses. “Employees have to know that you mean business.”

That said, he adds, employers can do a lot to make it more difficult for employees to accidentally or deliberately leak data.

“USB sticks make it easy to copy material, but these can be prevented from working on employees’ computers by end-point device controls, which render inactive specific ports on employee machines – or which send alerts when people do try to plug them in,” he says. “Similarly, it’s easy to set up corporate e-mail systems so that e-mails containing specific key words – such as ‘quote’ – or attachments such as Excel spreadsheets are sent into quarantine for checking.”
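As an added illustration of the e-mail quarantine rule Rutherford describes (example code written for this page, not QuoStar’s or the article’s own): a small filter built on Python’s standard `email` package that holds an outbound message for checking if its subject or body contains a keyword such as ‘quote’, or if it carries a spreadsheet attachment. The second keyword, the extension and MIME lists, and the sample addresses are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Triggers for holding a message for review. 'quote' is the keyword from the
# article; the other keyword and the extension/MIME lists are assumptions.
QUARANTINE_KEYWORDS = ("quote", "bill of materials")
SPREADSHEET_EXTENSIONS = (".xls", ".xlsx", ".xlsm", ".csv")
SPREADSHEET_MIME_TYPES = {
    "application/vnd.ms-excel",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
}


def quarantine_reasons(raw_message: bytes) -> list:
    """Return the reasons an outbound message should be quarantined (empty if none)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    # Keyword check covers the subject line and the main text body.
    text = (msg.get("Subject") or "").lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        text += "\n" + body.get_content().lower()
    for keyword in QUARANTINE_KEYWORDS:
        if keyword in text:
            reasons.append(f"keyword '{keyword}'")
    # Attachment check uses both the declared MIME type and the filename
    # extension, because a sender can mislabel either one on its own.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        mime_type = part.get_content_type()
        if mime_type in SPREADSHEET_MIME_TYPES or filename.endswith(SPREADSHEET_EXTENSIONS):
            reasons.append(f"spreadsheet attachment '{filename or mime_type}'")
    return reasons


def build_sample_message(subject: str, body: str, attachment=None) -> bytes:
    """Construct a test message; attachment is (filename, maintype, subtype, data)."""
    msg = EmailMessage()
    msg["From"] = "engineer@example.invalid"  # constructed addresses
    msg["To"] = "partner@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        filename, maintype, subtype, data = attachment
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample_message("Re: pricing", "Please find our quote attached.",
                                  ("pricing.xls", "application", "vnd.ms-excel", b"\xd0\xcf\x11\xe0"))
    print(quarantine_reasons(sample))  # ["keyword 'quote'", "spreadsheet attachment 'pricing.xls'"]
```

A real deployment would run this at the mail gateway and route flagged messages to a review queue rather than dropping them; the extension check also catches a spreadsheet sent with a generic MIME type.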

Nor should employers always rely on their security policies and practices operating successfully, adds Detica’s Harrison – especially in the case of intrusions by external hackers.

“Don’t just focus on preventing access,” he warns. “Assume that sometimes you’ll fail, and go looking for evidence that an intruder has gained access. Having a compromised machine isn’t the same as instantly losing data to intruders able to drill down and find the specific pieces of information that they are looking for: sometimes it can take an intruder weeks or months to locate the specific pieces of information that they want.”

Finally, say experts, a new generation of security and assessment tools makes it easier than ever for manufacturers to obtain objective assessments of their vulnerability to security threats – without relying on the opinions of security solution providers with a vested interest in finding such threats.

“It is now possible to access a vendor-independent, product-agnostic service that allows manufacturers to measure their risk from security threats quickly and effectively,” says Stephen Smith, co-founder and chief operating officer of Invictis, a security benchmarking provider.

Invictis’ own approach to benchmarking, for instance, uses a proprietary methodology and mathematical algorithms to generate a security profile of the business in a variety of contexts – and also embraces external factors such as security standards, legislation, regulation, and best practice.

And among manufacturers, hi-tech companies are especially keen on regular benchmarking, says Smith, owing to the perceived threat of loss of intellectual property.

“Security risks don’t stay static: they change over time, and evolve,” he warns. “And as the threat doesn’t stand still, neither should manufacturers.”

In short, the price of freedom from data theft is eternal vigilance. Just ask Lockheed Martin.