How connectivity can compromise critical national infrastructure (and how to avoid the pitfalls of Industry 4.0)
When news of a cyber-attack against a water treatment plant in Florida reached our CNI cyber-security experts recently, it was received with a sense of weary inevitability. The same mess; a different day.
The hack was an attempt to poison the water supply of 15,000 people with caustic soda. The motive is unknown and the perpetrator hasn’t been found. Sadly, that’s entirely normal. What made this attack unusual was the fact that an operator saw it happening and managed to thwart it before anyone got hurt.
This time, the good guys got lucky. Most of the time, they don’t.
Our cyber specialists at the National Digital Exploitation Centre (NDEC) are experienced in helping CNI and large enterprises defend their operational technology (OT) – defined here as automated production, processing and industrial control systems – from the most determined cyber-attacks. And they’re getting busier all the time.
According to research by Kaspersky ICS CERT, an estimated 47% of industrial control systems were attacked by malware software in the first half of 2018. Some analysts believe that the true number is higher; some say it is lower, but it’s a realistic average. And in a recent report ‘ICS threat predictions for 2021’ Kaspersky made three worrying predictions:
We expect to see new and unconventional scenarios of attacks on [OT] and field devices, coupled with ingenious monetization schemes.
Cybercriminals have had more than enough time and opportunities to develop them.
Cybercriminals have developed a fondness for industrial companies because they tend to pay ransom. This means that the attacks will continue.
There is a high chance that a WannaCry-like scenario will be repeated in the very near future. And industrial enterprises may be among the hardest hit.”
WannaCry, you’ll recall, was the 2017 ransomware attack which paralyzed the NHS, forcing thousands of operations to be cancelled. Fixing it cost around £92 million. Astonishingly, the NHS wasn’t even the primary target. It was merely collateral damage – an accident, essentially – as the virus raced across the world, jumping between seemingly unrelated systems.
WannaCry is still out in the wild.
Kaspersky is probably right. If you’re not protected, it is only a matter of time before you suffer some sort of attack. It’s entirely possible that hackers have already invaded your network, silently exploring, and perhaps offering your vulnerabilities for sale on the dark web.
Wherever your automation and production technologies are connected to the outside world – either directly or through your IT systems – each of those connections (and most factories have thousands) are discoverable. They can be secured, but where on earth do you start?
Here’s the problem. It is unrealistic to expect IT experts to have a deep knowledge of engineering and operational technology. And you can’t expect an engineer to know about IT and cyber security. But if you’re connecting OT to IT these areas of expertise are equally important. Then, to bring it all together, you not only need people who understand both fields but leaders who also understand digital transformation, the risks, and the rewards. That’s what NDEC is all about.
A matter of national importance
I left government to work directly for NDEC, but my remit is still to make sure that we address the wider societal and economic needs that were identified even before the foundations were laid those few years ago.
NDEC does far more than protect CNI and corporates. We are preparing Wales for a digital future. We are getting into the classrooms and lecture halls, educating students from 5-years-old right the way up to university. We are promoting degree apprenticeship schemes and fighting the gender imbalance. We are educating SME’s, too, on how they can play a part in the digital transformation and the journey to Industry 4.0.
If ever there was a diamond to be found in the coal dust, this is it. NDEC is a driving force for economic regeneration.
A glimpse of the future
Plans are well advanced for the second stage of NDEC. I can’t say too much about it yet, but we are exploring the use of additional facilities and resources, partly for education but also to explore the broader challenges of various sectors more deeply.
Take automotive, for example. Autonomous, self-driving cars are on the near horizon and need to be protected against any possibility of being hacked. But the vehicle is just one part of the equation. Securing the infrastructure -traffic signs, lights, sensors, controls, and the charging network – is just important.
Digital transformation and the journey to Industry 4.0 will affect everything, everywhere. This isn’t just about Wales. It’s not even about the UK. The fourth industrial revolution is ultimately a global event; a huge journey which can only be navigated with the proper skills and resources.
Poorly implemented connectivity is a train wreck waiting to happen; perhaps literally. It has the potential to collapse businesses and compromise critical national infrastructure. But with thought and care, and by educating businesses where the pitfalls are and how to avoid them, we are bringing the fourth industrial revolution in reach of the Welsh economy.
Leanne Connor was a driving force behind the conception of the National Digital Exploitation Centre (NDEC) in Ebbw Vale, Wales. She joined NDEC having helped to secure the site and define its role and responsibilities. Today, Leanne divides her time between promoting the capabilities of NDEC and ensuring that key performance indicators are met, reporting back to the Welsh government. Leanne has more than twenty years’ experience of business management and economic development.