
Trust nothing – Test everything

Tom Westenberg
Tom Westenberg, ICS/OT Security Consultant writes…

To the lay observer, the mantra ‘trust nothing, test everything’ probably sounds a little bleak. Paranoid, even. But when it comes to protecting Operational Technology (OT) – any industrial equipment which is connected to the outside world, essentially – there is no reliable alternative.

And if the equipment in question, regardless of when it was made, or by whom (as you’ll see in a moment), is deployed in critical national infrastructure, the necessity for a deep dive into potential security vulnerabilities jumps to a whole new level. 

It has become very, very clear that cyber-attacks against OT are on the rise. Not only is it an easier target than IT systems, but it brings the potential for operational disruption as well as data theft. And this isn’t just about legacy kit. Brand new equipment that’s still being produced by globally respected manufacturers can exhibit surprising vulnerabilities. I came across such a thing just a little while ago. 

Finding a way in

Some of my colleagues recently decided to see if it was possible to hack some equipment supplied by a major manufacturer in the energy sector. This wasn’t just idle curiosity. The kit – substation automation equipment, some time clocks and some digital recording devices – is widely used by our energy customers around the world.

We discovered an attacker could quite easily take control of these components. That’s really worrying. If this manufacturer’s kit can be hacked then maybe everyone else’s can. 

We followed up the tests by writing them and suggesting a mitigation strategy. Of course, our findings were strictly confidential and only published after the issue was swiftly resolved with a firmware update. Only when the fix was sorted did we publish it to a wider audience. I believe – Thales believes – that it’s hugely important to get the message out to everyone, not just our own customers. We’ll do whatever we can to make that happen.

The energy market is not particularly diverse and there is a certain uniformity in CNI. This means that a vulnerability in one component can be exploited to attack multiple customers around the world. OT security has never been so important. Or vulnerable.

The problem with integrating OT is that assumptions – seemingly quite reasonable assumptions – are readily made by customers. They expect security as standard. That’s a terrible and dangerous assumption. 

The fact is that you can’t secure critical national infrastructure without repeatedly attacking it, pushing the boundaries of security. It’s a mission without end. And it’s what we do at Thales.

I have to say that the manufacturer was thoroughly impressive when we delivered the bad news. It reacted quickly and confidently and with the utmost professionalism. Such a response gives me – and our customers – solid reasons to trust them. Except, of course, we won’t. 

Trust is a fine thing. But if you trust without testing you risk everything.