
Stuxnet: We are still learning the lessons 12 years on

Tony Burton

This article originally featured in Teiss.

Over a decade ago, a computer virus, or 'worm', that came to be known as 'Stuxnet' aimed to physically disrupt a nuclear power plant in the Middle East. Those responsible attempted to hijack the plant's computer systems with this virus to seize control of the entire facility. With potentially disastrous consequences at play (look no further than the fallout of the Chernobyl and Fukushima disasters), there were important lessons to be learned about the cybersecurity of operational technology.

Indeed, as the first major disruptive cyberattack on critical infrastructure, Stuxnet left a prevalent fear of recurrence in its wake. Yet 12 years on, and numerous similar attempts later, many factories and critical national infrastructure operators are making the same mistakes today. With cybercriminals' techniques becoming increasingly sophisticated, and with surging numbers of smart factories and IoT technologies to infiltrate, there's arguably no better time to take a closer look at our operational cyber resilience.

So, what must businesses learn to safeguard against the potentially catastrophic risks that attacks on operational technology pose, and to ensure this never happens again? Tony Burton, Managing Director – Cyber Security & Trust at Thales UK, shares his insights.

Disaster vs. Disruption? Take Both Seriously

Whilst a nuclear disaster is arguably the most catastrophic potential impact of a cyber breach, the risk of disruption is arguably just as much of a threat for businesses – and a more likely one. In fact, inflicting operational disruption is far easier for perpetrators, and is therefore a more commonplace occurrence.

Businesses, especially in the past 12 years, have increasingly relied on automation and focused on enhancing efficiency, resorting to advanced technologies to enable them to do this.

Today, many factories dealing with raw materials, for example, use an enterprise IT system and employ AI software and predictive analytics to observe stock levels and assess when and where to automatically order new materials.

Whilst this is incredibly beneficial for operations, the integration between IT and operational technology has produced incredibly complex, highly diverse and inter-dependent technologies. This means that if any one of these interlinked systems goes wrong or is compromised, the entire system of operations and the supply chain come to a halt. This makes them fragile and easy targets – often with huge knock-on effects.

The subsequent disruption to 'business as usual' means operations become fractured. This happened to oil firm Saudi Aramco in 2012, when cybercriminals deployed a virus that infected around 35,000 of its computers within the space of a few hours. Compromising Saudi Aramco's IT infrastructure ultimately meant it couldn't perform operations, putting the world's oil supply at risk by default. Recovery reportedly took two weeks, but the far-reaching implications no doubt lingered far longer.

Lesson: the threat of disruption should be taken seriously, and its implications go beyond mere inconvenience – they can affect you operationally, financially and reputationally.

Risk Reduction: Go Back to Basics

Major US gas pipeline Colonial Pipeline was hacked just last year, in 2021, leading to widespread shortages across the East Coast. This large-scale attack was traced back to a single compromised password belonging to one of its employees. This very scenario of human error serves as testament to the importance of cyber hygiene across the entire business, and of ensuring seemingly innocuous habits are up to scratch.

Lesson: you cannot underestimate the importance of training employees, running risk assessments, stress-testing breach scenarios, and promoting good cyber hygiene as standard practice, including the following:

  • Prepare for the threat: Create, maintain, and test encrypted, offline backups of critical data. Develop and exercise both a cyber incident response plan and a communications plan. Make digital asset management a key competency for your organisation. Create and maintain a cybersecurity awareness training programme for your users.
  • Harden your systems: Keep systems up to date and consistently maintained, and use appropriate tools and security teams to regularly test and evaluate your environments. For those critical systems where updates are challenging, add layered defences and threat detection capabilities to further protect them from attack.
  • Implement multi-factor authentication: Verify users and system components using multiple factors (not just simple passwords), in proportion to the risk associated with the role, the requested access or the function.
  • Implement the least privilege principle: Allow users only the minimum access necessary to perform their job — nothing more. System components should be allowed only the minimum functionality required.
  • Segment your network: Logically and physically divide your network infrastructure into smaller parts, making it more manageable to protect and containing the damage if one part is compromised.
  • Encrypt all your data: Protect all your data, whether stored or transmitted. In the event of a data breach, the encrypted data will be of little value to the attackers.
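The segmentation and least-privilege points above can be made concrete as a policy that denies every cross-zone flow unless a rule with a documented purpose permits it. The block below is an added example, not code from the article or from Thales: the three zones, their address ranges, the two allow rules and the flow records are all constructed for illustration, and any real plant would have its own.

```python
"""Added example (not from the article or Thales): a default-deny, zone-based
allow-list for traffic between enterprise IT, a DMZ and the OT control network.
Zone ranges, rules and the flow records are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed zone layout: enterprise IT, a DMZ for IT/OT exchange, and the control network.
ZONES = {
    "enterprise": ip_network("10.0.0.0/16"),
    "dmz": ip_network("10.1.0.0/24"),
    "ot_control": ip_network("192.168.10.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    port: int
    reason: str  # least privilege: every permitted flow has a documented purpose


# Only the flows the plant actually needs. Nothing from enterprise reaches OT directly;
# data crosses the boundary through the DMZ, one direction per rule.
ALLOW_RULES = [
    Rule("ot_control", "dmz", "tcp", 443, "historian pushes process data to DMZ replica"),
    Rule("enterprise", "dmz", "tcp", 443, "enterprise analytics reads the DMZ replica"),
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no defined zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int) -> tuple[bool, str]:
    """Return (allowed, reason). Unknown zones and unlisted cross-zone flows are denied."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False, "address outside every defined zone"
    if src == dst:
        return True, "intra-zone traffic (host-level controls apply)"
    for rule in ALLOW_RULES:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.port) == (src, dst, proto.lower(), port):
            return True, rule.reason
    return False, f"no rule permits {src} -> {dst} {proto}/{port}"


def audit(flow_records: str) -> list[str]:
    """Run flow records ('src dst proto port' per line) through the policy and
    return the denied ones, formatted for a review queue."""
    denied = []
    for line in flow_records.strip().splitlines():
        src, dst, proto, port = line.split()
        allowed, reason = evaluate(src, dst, proto, int(port))
        if not allowed:
            denied.append(f"DENY {src} -> {dst} {proto}/{port}: {reason}")
    return denied


# Constructed flow records, including an enterprise host reaching for a PLC on Modbus (tcp/502).
SAMPLE_FLOWS = """
192.168.10.20 10.1.0.5 tcp 443
10.0.4.17 10.1.0.5 tcp 443
10.0.4.17 192.168.10.50 tcp 502
10.1.0.5 192.168.10.50 tcp 22
203.0.113.9 192.168.10.50 tcp 502
"""

if __name__ == "__main__":
    for entry in audit(SAMPLE_FLOWS):
        print(entry)
```

Running the audit over the constructed records passes the two historian flows and denies the other three: the direct enterprise-to-PLC connection, the DMZ host reaching into the control network on a port no rule covers, and an address that belongs to no zone at all. The `reason` field on each rule is what keeps the allow-list honest over time: a flow without a stated business purpose has no place in it.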

Shift to a Resilience Mindset

While reducing the likelihood of compromise is important, cyber breaches are the inevitable price of doing business nowadays; it's a matter of when, not if. So, while you can do all you can to prevent them, when compromises do occur, businesses need to be well equipped to ensure that full-scale destruction and mass disruption do not follow. In other words, we should move away from a 'no compromise' approach to a more resilient, realistic approach to cybersecurity. It's not just about being able to detect threats; it's about being well positioned to get back on your feet and make a full recovery after a successful breach attempt.

As an industry standard, businesses should look at their operations, identify the highly consequential risks that they simply cannot afford to materialise (i.e., the likes of high-impact destruction), and safeguard the entire gateway to the associated systems so that it's impossible for cybercriminals to reach those targets.

Once satisfied from a destruction and safety perspective, there is still a massive amount of surrounding disruption risk to contend with. So, what can be done?

  • Undergo regular tabletop exercises to simulate attacks on your operational technology, reflecting on your preparedness to deal sufficiently with that impending threat.
  • Adapt where you prove weak or fragile, and introduce additional resiliency measures and security controls where needed.
  • Think beyond yourself – look at your vendors and IT service providers. They may well be the route by which your operational technology is infiltrated, too.
  • Continue to monitor proactively, rather than reactively. Stuxnet was effective because the employees had no idea a cyberattack was at play rather than something physical – it flew under the radar because they weren't on the lookout.
  • Don't rely on efficiency. While it's incredibly beneficial, have backup plans for your operations should a highly depended-upon system be taken down.
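One practical form of the "monitor proactively" point, for the situation where what operators are shown may not match what the process is doing, is to compare the values an HMI reports with an independent measurement and raise an alert when they disagree or when the HMI reading stops moving while the process does not. The block below is an added example, not code from the article or from Thales: the tag name, both telemetry feeds, the 5% tolerance and the window sizes are constructed assumptions.

```python
"""Added example (not from the article or Thales): cross-check the process values an
HMI reports against an independent measurement, flagging divergence and frozen readings.
The tag name, tolerance, window sizes and both telemetry feeds are constructed."""
import csv
import io

# Constructed feeds: what the HMI shows operators, and an out-of-band sensor on the same pump.
HMI_FEED = """ts,tag,value
1,pump1_rpm,1000
2,pump1_rpm,1000
3,pump1_rpm,1000
4,pump1_rpm,1000
5,pump1_rpm,1000
6,pump1_rpm,1000
"""

INDEPENDENT_FEED = """ts,tag,value
1,pump1_rpm,1003
2,pump1_rpm,998
3,pump1_rpm,1001
4,pump1_rpm,1380
5,pump1_rpm,1395
6,pump1_rpm,1402
"""


def parse_feed(text: str) -> dict:
    """Return {(ts, tag): value} from a small CSV feed."""
    reader = csv.DictReader(io.StringIO(text))
    return {(int(r["ts"]), r["tag"]): float(r["value"]) for r in reader}


def divergences(hmi: dict, independent: dict, tolerance: float = 0.05) -> list:
    """Samples where the two sources disagree by more than `tolerance` (relative to the
    independent reading). Returns (ts, tag, hmi_value, measured_value) tuples."""
    out = []
    for key, shown in sorted(hmi.items()):
        measured = independent.get(key)
        if measured is None:
            continue  # no independent sample to compare against
        if abs(shown - measured) > tolerance * max(abs(measured), 1.0):
            out.append((key[0], key[1], shown, measured))
    return out


def frozen_tags(hmi: dict, independent: dict, window: int = 4, min_spread: float = 10.0) -> list:
    """Tags whose HMI value is identical over `window` consecutive samples while the
    independent measurement moves by at least `min_spread`: a static display of a
    process that is not static. Returns (tag, first_ts, last_ts) per flagged tag."""
    flagged = []
    for tag in sorted({t for _, t in hmi}):
        ts_sorted = sorted(ts for ts, t in hmi if t == tag)
        for i in range(len(ts_sorted) - window + 1):
            span = ts_sorted[i:i + window]
            shown = [hmi[(ts, tag)] for ts in span]
            measured = [independent[(ts, tag)] for ts in span if (ts, tag) in independent]
            if len(set(shown)) == 1 and measured and max(measured) - min(measured) >= min_spread:
                flagged.append((tag, span[0], span[-1]))
                break  # one alert per tag is enough for the review queue
    return flagged


if __name__ == "__main__":
    hmi, indep = parse_feed(HMI_FEED), parse_feed(INDEPENDENT_FEED)
    for ts, tag, shown, measured in divergences(hmi, indep):
        print(f"DIVERGENCE t={ts} {tag}: HMI shows {shown:.0f}, sensor reads {measured:.0f}")
    for tag, first, last in frozen_tags(hmi, indep):
        print(f"FROZEN {tag}: HMI unchanged from t={first} to t={last} while process moved")
```

On the constructed feeds the HMI sits at a steady 1000 rpm throughout, while the independent sensor jumps to roughly 1400 rpm from the fourth sample onward; the divergence check fires at samples 4, 5 and 6, and the frozen-value check flags the tag over samples 1 to 4. The independent feed is the important design choice: a check that only compares the HMI against itself would see nothing wrong.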

Lesson: It’s not all about risk reduction. In today’s landscape, it’s about ensuring you’re best prepared to tackle breach attempts head on when they do strike, with a robust response plan in place to mitigate the severity of the impact.

It may be 12 years since Stuxnet, but it’s not too late for businesses to take a hard look at the cyber resilience of their operational technology and learn from others’ mistakes in the process. With far-reaching implications a very real possibility – whether they be destructive or disruptive in nature – and operational technology increasingly at risk, businesses need to keep their wits about them to ensure Stuxnet isn’t repeated.

Read more about how you can protect your organisation’s operations at the Thales OT security page.