Darktrace’s director of technology, Dave Palmer, discusses the importance of integrated cyber security across IT systems and production environments.
“The moment you connect, you lose control.” Thus opens the trailer for Hollywood thriller ‘Blackhat’, the story of a hacker recruited by authorities to pursue a cybercriminal that has baffled American and Chinese agencies.
The film opens as the cooling system of a nuclear power plant in China overheats and explodes.
A hacker has used malware to modify Programmable Logic Controller (PLC) code and manipulate the plant’s diagnostic systems, ensuring that the cooling system failure would go undetected.
By the time the plant’s technicians realise there is a problem, it is all too late…
The film’s opening scenes portray a scenario that is all too real to imagine. It’s eerily reminiscent of the weaponised malware known as Stuxnet, which targeted the Natanz nuclear facilities in Iran, causing nuclear centrifuges to spin out of control to the point of destruction.
Reported to be a joint US-Israel project, the exploit expertly covered its tracks, subtly increasing the pressure on the centrifuges while showing the control room that everything appeared normal.
Since Stuxnet, threats to industrial control systems (ICS) have grown rapidly in number and severity. Last year, cyber-attacks against ICS – also known as supervisory control and data acquisition (SCADA) systems – doubled, and included a serious attack against a German steel mill.
Manufacturing and automation businesses are increasingly connected to corporate networks.
Intensifying international competition and economic pressure have accelerated this convergence of IT and Operational Technology (OT) environments, which delivers numerous business benefits, including:
- the easy transition of newly-developed products into existing manufacturing operations
- cost control by applying similar technologies for OT and IT
- optimising data transferred across the two environments.
However, the connected environment has also made the manufacturing and automation industries more susceptible to network attacks than ever before, with around 25% of cyber security incidents estimated to occur in the manufacturing industry.
The industry is facing the growing challenge of not only external cyber threats, but insider threats too – perpetrators with the motivation and/or capability to compromise industrial control networks and devices.
These threats self-perpetuate once inside an operational domain, making subtle moves to understand and identify more systemic loopholes before launching an eventual, full-scale attack. The consequences, from physical harm to long-term industrial espionage, are hard to overstate.
SCADA systems are known as the heart of modern industry, monitoring and controlling the rest of the organisation’s ‘bodily’ functions – complex processes and equipment.
While they are designed to be interoperable and resilient, they are not necessarily secure.
Engineers and operators know that the traditional ‘air gap’ between ICS and the IT network has long been compromised, and that good security training and best practices only go so far in protecting against the most sophisticated cyber-threats, as well as basic human error.
There’s also a cultural divide between OT and IT staff. Traditionally, control engineers didn’t have to be concerned about cyber threats from corporate IT systems, and IT security staff were not involved with control systems, or physical equipment.
This is no longer the case, and chief information security officers are today tasked with reshaping enterprise security practices, assuming responsibilities of OT cyber security without specialised OT skills.
Ultimately, a strategic, unified approach to cyber security must be taken, one that takes account of the fact that any possible connection to the internet represents a potential point of exploitation.
Business leaders must acknowledge that the total prevention of compromise is effectively impossible, and radically new technological solutions must be embraced in order to proactively address the challenge.
The good news is that detection and response to prevent a full-blown crisis is an achievable cyber security goal, given the right processes, people and technology.
De-risking the OT environment is a perpetual challenge, which demands continuous insight and early warning.
New advances in machine learning and mathematics have made a big impact in this domain, with new technologies that are easily deployed into both IT and OT environments, and finely tuned to spot even the most subtle of attackers or breaches.
Anomalous activities that were previously impossible to find are now detectable using technology inspired by the human immune system, which self-learns and identifies behavioural anomalies in real time.
‘Immune system’ cyber security technology is transformative, automatically building up an understanding of the ‘pattern of life’ of every user and device – including industrial machines – within a network.
The more data it sees, the more accurate it gets at understanding what is ‘normal’ behaviour, in order to spot very subtle deviations in activity that indicate a potential problem.
As all people and devices behave in a unique way compared with their peers, it is virtually impossible to predefine what type of threats you face at any one time.
Machine learning techniques are capable of dealing with this uncertainty, drawing insights without knowing in advance what to look for. Instead, immune system-style defence proactively identifies suspicious events, allowing companies to investigate early-stage attacks or compromises, before they escalate.
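The ‘pattern of life’ idea described above can be made concrete with a small baseline-and-deviation detector. The following is an added example, not Darktrace’s code or a description of its product: it learns, per OT device, which peers and ports that device normally talks to and how large its flows normally are, from constructed flow records, then flags new flows that fall outside that learned behaviour. Device names, ports and byte counts are constructed sample values, and the per-device volume statistic is a deliberate simplification of what a real system would model.

```python
"""Minimal per-device 'pattern of life' baseline for OT network flows.

Added illustration (not Darktrace's code). Each flow record is a tuple
(source device, destination device, destination port, bytes transferred).
"""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed historic flows representing normal behaviour on a small plant network.
BASELINE_FLOWS = [
    ("plc-01", "hmi-01", 502, 1180),      # Modbus/TCP polling from the HMI
    ("plc-01", "hmi-01", 502, 1210),
    ("plc-01", "hmi-01", 502, 1195),
    ("plc-01", "hmi-01", 502, 1230),
    ("plc-01", "hmi-01", 502, 1205),
    ("plc-01", "hist-01", 4840, 3000),    # OPC UA pushes to the historian
    ("plc-01", "hist-01", 4840, 3100),
    ("plc-01", "hist-01", 4840, 2950),
    ("eng-ws-01", "plc-01", 502, 800),    # engineering workstation reads the PLC
    ("eng-ws-01", "plc-01", 502, 820),
    ("eng-ws-01", "fs-01", 445, 50000),   # engineering workstation uses a file share
    ("eng-ws-01", "fs-01", 445, 52000),
    ("eng-ws-01", "fs-01", 445, 48000),
]

# Constructed new flows to be scored against the learned baseline.
NEW_FLOWS = [
    ("plc-01", "hmi-01", 502, 1200),        # normal polling
    ("plc-01", "hmi-01", 502, 250000),      # same peer, but a huge transfer
    ("plc-01", "ftp-ext", 21, 1500),        # PLC talking to a never-seen host
    ("eng-ws-01", "plc-01", 4840, 810),     # known peer, never-seen port
    ("vendor-laptop", "plc-01", 502, 900),  # device never seen on the network
]


@dataclass
class DeviceProfile:
    """What a device has been observed doing during the learning period."""
    peers: set = field(default_factory=set)    # (destination, port) pairs seen
    sizes: list = field(default_factory=list)  # bytes per flow, across all peers


def learn_baseline(flows):
    """Build one profile per source device from historic flow records."""
    profiles = defaultdict(DeviceProfile)
    for src, dst, port, nbytes in flows:
        profiles[src].peers.add((dst, port))
        profiles[src].sizes.append(nbytes)
    return dict(profiles)


def score_flow(profiles, flow, z_threshold=3.0):
    """Return the list of reasons a flow deviates from its device's baseline.

    An empty list means the flow fits the learned pattern of life.
    """
    src, dst, port, nbytes = flow
    profile = profiles.get(src)
    if profile is None:
        return ["unknown device"]
    reasons = []
    if (dst, port) not in profile.peers:
        known_hosts = {d for d, _ in profile.peers}
        reasons.append("new port" if dst in known_hosts else "new peer")
    mu = mean(profile.sizes)
    # Floor the spread at 10% of the mean so a near-constant baseline does not
    # flag every trivial size difference (assumed tolerance, not a standard).
    sigma = max(pstdev(profile.sizes), 0.1 * mu)
    if abs(nbytes - mu) / sigma > z_threshold:
        reasons.append("volume anomaly")
    return reasons


def detect(profiles, flows):
    """Score every flow and keep only those with at least one reason."""
    alerts = []
    for flow in flows:
        reasons = score_flow(profiles, flow)
        if reasons:
            alerts.append((flow, reasons))
    return alerts


if __name__ == "__main__":
    learned = learn_baseline(BASELINE_FLOWS)
    for flow, reasons in detect(learned, NEW_FLOWS):
        print(f"{flow[0]} -> {flow[1]}:{flow[2]} ({flow[3]} bytes): {', '.join(reasons)}")
```

Each alert carries the reason it fired, which is what an analyst needs to triage an early-stage deviation rather than a bare score; in practice the learning window would be long enough to cover maintenance cycles, and volume would be modelled per peer rather than per device, but the shape of the check is the same.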
The increasing vulnerability of industrial control systems is no surprise, and industrial immunisation is an imperative to all modern businesses that don’t wish to wake up to a Stuxnet-style compromise that they did not see coming.
Regardless of whether a threat originates in the IT or operational domain, it can and will traverse between both. Regardless of whether the threat is highly malicious or the result of negligence, the damage could be catastrophic.
Only businesses that are monitoring both environments in an integrated way, and are sensitive to the small changes of behaviour that indicate early-stage attacks, can be truly prepared in this new era of unpredictable threat.