Companies urged to bolster infrastructure cyber defences
Hackers have traditionally focused their attention on computer software, resulting in a mushrooming of cyber security companies that promise protections for office-based clients.
But there is another, less well-known hacking threat: cyber attacks on big corporate operations, such as manufacturing facilities or power plants, as well as other vital infrastructure.
Such attacks are becoming more commonplace, fuelling concerns that companies should ramp up their efforts to guard against them.
This is no small challenge. For companies with operational technology — the computerised systems used to control industrial operations — the risks of a breach are plentiful; disruptions to machinery processes could dent revenues or cause an accident.
For those involved in “critical infrastructure” — the dams, energy, oil and gas facilities required for society to function smoothly — the risks are more dramatic and may attract nation state hackers, not just those seeking financial gain.
“Our economy will disappear, society will collapse — and these things are possible,” says Sujeet Shenoi, professor of computer science at the University of Tulsa, who has been involved in multiple government-led critical infrastructure projects. “There’s never been a war in human history where the critical infrastructure hasn’t been damaged.”
He notes that some 80 per cent of critical infrastructure in the US is privately run. “These companies are not prepared for [a cyber attack]. You need extremely well trained people,” he says, noting that many former government experts are moving into the sector.
Historically, critical infrastructure and operational technology were kept separate from the computer networks typically used in corporate headquarters. However, those worlds are now converging as outdated analogue systems have become increasingly digitised.
“Systems that have been developed over 30 or 40 years are having the internet introduced to them,” says Casey Ellis, founder and chief technology officer at Bugcrowd, a cyber security group.
But retrofitting systems that were never intended to be on the internet creates new opportunities for hackers, he says. “The attack surface is expanding rapidly.”
As with normal IT systems, ransomware and malware can be used to infect operational technology and critical infrastructure. The most high-profile worm was the 2010 Stuxnet malware, which targeted Iran’s nuclear facilities. Operations at the food company Mondelez and drugmaker Merck were disrupted by the ransomware dubbed NotPetya in 2017.
Ukraine has suffered a spate of attacks on its power grid system recently, and earlier this year, Norwegian aluminium maker Norsk Hydro had to freeze operations after it fell victim to ransomware.
While the marketplace for cyber security companies offering support to such groups is smaller than the traditional IT security space, experts caution that companies should take action.
Moves might include assessing company systems to ensure staff know what devices are connected to the network, testing and monitoring those systems, and devising a plan for worst-case scenarios.
Above all, companies should isolate the most critical systems to ensure they can keep them operating no matter what, says Pedro Abreu, chief product and strategy officer at online security company Forescout, who dubs the process “containing the blast area”.
“If a WannaCry [attack] happens, I want to [be able to] shut down that facility or country” while the rest of the network remains running, he says.
Various sectors are equipped differently, experts say. Where deep-pocketed energy and oil and gas groups have been able to pour investment into bolstering their protections, others, such as the water sector, are thought to be lagging.
In their favour, operational technology systems are “very restrictive”, notes Michael Fabian, principal consultant at Synopsys, meaning that “some expertise is needed to hack [them]”. By comparison, “people providing consumer services have a massive attack surface,” he says, citing the likes of Citibank, Target or Amazon.
Nevertheless, operational technology systems have their own nuances. First, testing them for vulnerabilities can be difficult because the systems are too sensitive or essential to pause.
“There are things that are ultra critical that we can’t put at risk by testing them, but we are doing just that — putting them at risk — by not testing them,” says Charles Henderson, global head of IBM’s hacking unit X-Force Red.
This means cyber security companies may have to test for vulnerabilities against a less reliable reproduction of an actual system.
And if a problem is uncovered, it is harder to fix. “The life cycles of those systems in the field is extraordinarily long,” says Eric Cornelius, chief product officer at BlackBerry Cylance, a cyber security group.
Moreover, even if cyber security companies offer solutions, it can be many years before a system can be updated. For example, many companies would opt to rebuild an offshore gas plant once it has finally stopped running, rather than upgrade at great cost, Mr Cornelius says.