In a series of blogs, David Sylvester – SeniorSecurity Consultant, asks whether senior executives really understand the nature of the cyber security risk to their business, and whether they are doing enough to reduce the potential impact of an attack.
Cyber Security – Where’s the risk?
The digital revolution of the mid-20th century marked a significant change in the way that businesses operate, and individuals carry out their day-to-day tasks. The advent of digital computers meant that more information than ever before could be stored and processed in ever shorter timeframes; communication also became significantly easier, with higher volumes of data being transmitted, almost instantaneously, around the world using the internet and mobile technologies.
We are all aware of the impact that IT has had on the home and office environments. However, the technological revolution wasn’t only limited to home and office, as complex electronic devices, capable of sensing and causing changes in their physical environments, made their way into industrial settings.
Known as Operational Technology (), these devices are often deployed in areas as diverse as water treatment plants to cargo ships, traffic signals to air traffic control systems, and chemical plants to hospitals. In fact, there are many places where we routinely interact with these systems without even knowing it. The systems and services we rely on for providing energy to our homes, for moving goods around the world, and for providing vital services when we need them most have become increasingly intelligent and interconnected.
In the latest National Security Risk Assessment [Ref 1], published by HM Government, the threat from cyber-space was identified as a Tier 1 risk to the UK, alongside terrorism, international military conflict and instability overseas, public health crises, and major natural hazards. We have seen this threat play out in more recent years, with foreign governments, the public and private sectors, and individuals all being affected in some way by cyber-attacks.
As we continue to connect our systems and services to the internet and other global communications networks, be that directly or indirectly, we are opening ourselves and our businesses up to the online environment, where the threat is rapidly evolving. Actors ranging from hacktivists and foreign intelligence services, to business competitors looking to gain a commercial advantage, all mean that the cyber-security risk is real and applies across the board – it is not only government departments and critical national infrastructure that are at risk.
In the past, businesses believed that protecting their corporate (IT) networks was all they had to worry about – why and how would anyone want to interfere with production?
However, recent large-scale cyber-attacks appear to have been untargeted and, due to their promiscuity, highly capable of spreading rapidly across any systems and services which are interconnected. Couple the increased risk from untargeted malware with the continuously developing, extremely aggressive, and highly targeted advanced persistent threat and more than just IT networks are at risk. As we continue to rely on, and realise, the benefits of business intelligence and connect corporate networks to operational environments, it is clear to see that businesses are exposed to threats that they may not have realised or seen before.
Whilst many businesses now understand what they must do to protect their corporate (IT) environments, executives must begin questioning how the Operational Technologies within their enterprise are protected.
Highly publicised attacks such as the Stuxnet worm, HAVEX, and the attack on power grids in the Ukraine, all show just how vulnerable Operational Technologies are. Recent reports from the US Department of Homeland Security, which identify that power grids, nuclear facilities, and aviation systems, amongst others, should be prepared and have the necessary security controls in place, only go to show how important cyber security in industrial / operational environments is becoming.
Executives the world over should be asking what the risk is to their systems, and what the potential impact might be if networks in production environments, which often utilise outdated and unsupported technologies, became infected. Would production grind to halt? Would vital safety systems continue to operate as intended? And, what would the financial impact on the business be should there be an extended, unplanned outage?
Regency ITC offers a range of first class cyber security services in both the commercial and operational environment. Our expert cyber security consultants have a wealth of experience gained from backgrounds in engineering and control system design, and offer vendor neutral advice and guidance aimed at reducing the risk to your Operational Technologies.
If you would like to develop a deeper understanding of how cyber-attacks could impact on your Operational Technology systems, contact us on 01242 225699 or email us at email@example.com