The Cyber Security environment for Industrial Control Systems (ICS)
Today we depend on a safe, resilient and protected digital environment in order to carry out our daily lives, for economic stability and in the interests of the country’s national security. However, the speed and global reach of cyber events, as well as the intent of attackers, mean the cyber security landscape is rapidly evolving. While corporate IT systems have been the preferred target of hackers until now, attackers have increasingly begun to turn their attention to the ICS environment.
Securing ICS is critically important as they support the foundations of our modern society and operate the essential infrastructure we depend on in our daily lives such as electrical, power, water, oil supplies as well as the transportation, manufacturing and industrial landscapes.
However, securing ICS poses new challenges to industry because:
– ICS were originally designed for isolated environments and were traditionally largely self-contained, standalone control systems. Now they are fully connected and distributed systems tightly integrated with external systems and networks and communicate wirelessly with increasingly open communications protocols. They are often connected to web based applications and real time management information systems to help businesses fully exploit the capabilities of their assets and provide improved service to their customers. This increased level of connectivity increases the attack surface of business assets.
– Traditionally ICS were typically designed and implemented to be operational for 15+ years. This creates many legacy issues and risks especially when systems are not regularly maintained.
– The core requirements for ICS are reliability and availability; they operate 24/7 and need to remain connected to maintain essential operations. Therefore, it is more difficult to take ICS offline to maintain, patch and secure them which means the rules governing corporate IT security cannot as easily be applied.
The connected age we live in means it is no longer an option to always isolate industrial networks. It is therefore essential to understand how we address known and unknown threats whilst still maintaining the constant operation of critical services.
The effects of cyber intrusions on businesses
New penalties are game changers in terms of costs to business. In May 2018 new EU regulations regarding the protection of personal information (the General Data Protection Regulations – GDPR) will come into force which could have significant financial implications for UK businesses. Penalties of up to 20m euros or 4% of annual global turnover could be imposed for serious breaches. It could also deliver criminal charges at the door of senior managers who are deemed responsible for damage caused, and that might include directors. It is therefore critically important that organisations elevate cyber security risk to the same threat level as other critical business risks.
The physical, financial and reputational damage to a business due to an attack is widespread and includes:
– Loss of privacy
– Legal liability
– Loss of revenue
– Loss of intellectual property and trade secrets
– Loss of reputation
– Financial loss
– SLA violation
– KPI violation
– Loss of competitive edge and efficiency
– Threat to health and safety; death, injury
– Loss of customers
– Business failure
The threat landscape
If there is one constant in the battle against cyber-attacks, it is change. New ways and methodologies to penetrate systems are constantly being deployed. Lone hackers and organised criminal adversaries alike are evolving new and more sophisticated tactics to exploit corporate systems. Prior to 2010, ICS security was not on the agenda of most businesses, but that changed later that year with the discovery of Stuxnet, which specifically targeted ICS.
Similarly, a semi-autonomous piece of ransomware known as WannaCry was capable of encrypting victims’ hard drives and demanding payments to unlock them. WannaCry became one of the most virulent cyber breaches in the history of the internet. It affected a significant number of public and private companies across the world including the NHS in the UK, Renault in France and Telefonica in Spain, with an estimated total business cost of around $4bn. In recent years it has become evident that businesses of all types and sizes are potential targets. Recent events should serve as a warning to businesses to be alert, vigilant and to proactively invest in protecting their critical assets. Senior business leaders need to understand that cyber threats are not simply technical issues but rather real business threats affecting three key areas: people, process and technology. Making one-off security investments is no longer sufficient to protect critical assets. Proactive decision making, formulated by evidence-based assessments of asset maturity and risk, is now business-critical, not only to enable businesses to protect the foundations of their operations, but also those of their customers.
Ensuring resilient systems
Capula’s extensive ICS domain expertise means that we have been at the forefront of implementing ‘secure by design’ solutions for decades. Security is an integral component of our systems and is taken into account in every phase of our operations from design and development to maintenance and support.
As independent specialists, we have developed strong working partnerships with the UK’s leading cyber security thought leaders to help solve the most complex security issues. As such we are able to deploy some of the most sophisticated and proven security assessment tools on the market to help provide clarity about the level of maturity of clients’ most critical assets. Some of these services and toolsets have been developed and deployed within government bodies, and are already enabling organisations to assess risk quickly and effectively.
Complementing clients’ existing compliance programmes, our experts are trained to implement a comprehensive approach to security, comprising 4 processes – Review, Assess, Identify and Defend. This 4-step approach helps businesses understand if their management policies and processes, personnel and equipment, in fact their complete organisational landscape, are operating at optimum effectiveness.
The output of our cyber security service is a high level action plan with defined metrics to enable organisations to work towards the desired maturity control level.
A managerial-led ‘top-down’ approach to cyber security is recommended by the National Cyber Security Alliance, and this is an area where our cyber security services add further value. The report findings of a Capula assessment equip an organisation’s decision-makers, not only its technical experts, with the right information needed to participate in business planning and make informed decisions about the appropriate levels of security protection required. It helps senior business managers understand and plan for the future at a pace that helps them keep ahead of cyber threats.
All of our security analysts are true security experts, which ensures clients receive the highest calibre of service. Our teams are thus equipped to address vulnerabilities before they have a major business impact. Similarly, in the event of an attack, clients can be confident that disaster recovery activities are implemented effectively to restore systems to optimal functionality.