It’s a company’s worst fear to have its information technology (IT) system hacked, sensitive documents leaked, websites altered or data wiped. The government’s recent proposed Cyber Security Bill for public consultation is a strong step in the right direction and is further evidence that discussions on cybercrime are more vital than ever, especially as attacks on critical information infrastructure (CII) systems that manage essential services (i.e., utility plants, transportation networks and hospitals) have become more frequent, and with resulting disruptions that could cripple economies and lead to loss of life.
While the focus is often on data protection at the IT level, the silent threat is, in fact, on the operational technology (OT). This is the ‘nuts and bolts’ machinery that keeps Singapore’s biggest industrial networks running smoothly. Think manufacturing, electricity, water organisations or energy networks. In our increasingly connected world, OT is now prevalent in most businesses—from simple lighting and cooling automation, to complex motor control. Ergo, the implications of critical infrastructure at the operational layer – particularly with the proliferation of the IoT (Internet of Things) – is one conversation that should be making further headlines.
The risk of cyberattack becomes even more serious as organisations increasingly use smart technology to connect industrial devices. To give perspective on the impact, research organisation Research and Markets estimates the IIoT (Industrial Internet of Things) sector to reach $151.01 billion by 2020. Further, there has been a 2100% increase in industrial cyberattacks over the past three years, and the typical financial impact amounts to US$3.62 million in a single cyberattack.
Make no mistake, the protection of business operations beyond information is an essential frontier which must be reinforced. Organisations need to act on the threat of cyberattack before they implement new technology, not after. This isn’t just a theoretical idea either; the world has seen some very real consequences.
In late 2015 and early 2016, hackers accessed the computer network used to control the power grid in Israel and the Ukraine, shutting down portions of the grid during a bitterly cold winter. The attacker entered the operator’s compromised password and opened multiple circuit breakers taking entire substations offline in an instant.
The attack was the first known successful cyber intrusion to knock a power grid offline. Although it is the first known such attack, it certainly isn’t the only one, and it isn’t the last.
Preparing for Bolder Cyberattacks
As attackers target power infrastructures at an alarming rate, the need to be proactive about cyber intrusions for critical systems is increasing. Unfortunately, the simple antivirus solutions that most power systems employ are not enough. Planning and implementing cyber security management to a power Supervisory Control and Data Acquisition (SCADA) system can significantly reduce the probability of vulnerabilities in the system. On the other hand, the fact that people are the most valuable asset in an organization is a Catch-22, as social engineering or “hacking humans” is the easiest method to gain access to an organization and the hardest to prevent. Therefore, training users to be aware of social engineering attacks is paramount to securing a system, to mitigate the risk of attackers gaining access to target systems via simple social engineering attacks against unsuspecting victims.
At the heart of it, we believe securing critical power monitoring and control systems starts with training your users to spot social engineering attempts and prevent malicious access. Complement this by enforcing well-defined security policies and remain diligent with audits and system monitoring and updates. Finally, deploy a security-driven architecture to minimize vulnerabilities to the critical systems.
Staying One Step Ahead of Cyber Threats
We must continue, as a nation, to openly discuss OT protection. While the government’s strategy touches on the topic, there is always more that can be done for the protection of operations. When protecting the OT, it isn’t the information that is most precious, but continued operation. Without key OT operating, businesses cannot function. Further conversations around this need to happen now, rather than later. We need to grow awareness, and make cyber-security part of our ongoing business culture.
The game has changed. Leaked documents can’t be our foremost concern when addressing the cyber security threat. Hacking one piece of industrial equipment can now be the same as attacking a million. And when considering the types of organisations at risk, the scary part is that millions of people can be directly affected.
Singapore has robust knowledge of IT protection and experts in the field that have long worked to keep the nation safe, and Schneider Electric shares the same vision. We have long taken safety and cybersecurity seriously, and thus developed a 3-tier approach to secure Industrial Control Systems. We are aggressively adding cybersecurity features to core products, as well as cybersecurity services to provide our customers the support that they need. The third tier involves the selection of best-in-class security technology partners to enable an optimum secure system. With such accessibility, now it is time to further bring IT and OT together and provide industrial protection at all levels.