The dawn of Industry 4.0 poses new risks with regard to cybersecurity. Whether these risks come from competitors, criminal organisations, or even hostile States, the threats weighing heavily on this ultra-connected industry are numerous and need to be pre-empted at all levels.
In the family of industrial malware, the latest member is “Triton”. Also known as “Trisis” or “HatMan”, it is the most recent of its kind and leaves an even greater mark on the history of industrial cyberattacks. At the end of 2017, this impressive attack was carried out against an industrial plant located in the Middle East, the identity of which has not been revealed. Even though this cyberattack would appear to have failed, it was able to cause great operational disruption to the plant.
Since then, cyberattacks against industrial infrastructures throughout the world have continued; their official number only increasing with public announcements. Over the course of December 2018 alone, two major attacks were identified: the first was a variant of the Shamoon malware, and infected the IT system of the Italian petrol giant, Saipem; and the second delayed the distribution of several large American newspapers, such as the Los Angeles Times. More recently, in March 2019, Norsk Hydro, one of Europe's largest aluminium producers, suffered a major cyber attack, attributed so far to LockerGoga ransomware.
And this year, there is nothing to indicate that the risks are going to decrease. On the contrary: at a time when Industry 4.0, the development of the Industrial Internet of Things (IIoT), the digitisation of factories, and artificial intelligence technology are making industrial networks (OT) more and more connected and communicative, particularly with regard to IT networks (company information systems), this ultra-connection exposes them even more to threats.
The rise in machine-to-machine communication, requiring no human intervention, and the development of digital twins (digital replicas of a piece of equipment or system) are also contributing to the growth of industrial attack surfaces. It is worth remembering that the strength of the cybersecurity chain is only equal to the strength of its weakest link. The multiplication of entry points therefore requires stronger security for the interconnections between these different networks. Protecting sensitive industrial environments effectively thus becomes a strategic challenge.
Facing up to the major sources of attack against industry in 2019
The main sources of attack against the industrial sector come from three groups:
- Its own stakeholders, through industrial espionage,
- Cybercriminals at the origin of mass attacks (such as WannaCry),
- Hostile States, through cyberwarfare.
The first are looking to obtain a competitive advantage, the second to make money, and the third to weaken the country of the industrialist under attack.
When faced with its own competitors, industry at least has the option to level the playing field. This is because an industrial attacker usually has good knowledge of the equipment used by its competitors - as it uses it itself - and therefore has the information necessary to carry out its criminal enterprise.
A cybercriminal does not have this information and so does not aim at a specific target but at the most widely used equipment containing a security flaw (e.g. Windows XP, IP cameras, routers, etc.). With the rise of the IIoT and the digital, connected equipment of Industry 4.0, it is very tempting to choose the latest, state-of-the-art device. However, it is always prudent to choose the one that ensures the best cyber protection.
The threat from hostile States remains the most difficult for industrialists to comprehend. Faced with an attacker whose financial and human means are generally greater than those of its target, it is difficult to factor in this statistically very low risk, especially when an industrialist's security and cybersecurity teams are used to classifying and managing risks depending on their probability of triggering an incident.
Implementing the appropriate procedures
Once the potential stakeholders involved in industrial cyberattacks, their motivation, and their means of action have been identified, the industrial business just needs to follow a few basic rules:
- Accept that this doesn’t just happen to others,
- Be aware that every system is weak, and that this weakness only increases over time,
- Draw up a map of its devices and the communication means between them,
- Train all employees, without exception, and make them aware of all the different types of cyberattack in order to make them potential whistle-blowers,
- Identify critical areas and potential attack scenarios,
- Implement response procedures to identified attacks,
- Ensure compliance with the different regulations (LPM, NIS, etc.) or, in the event that the regulations do not directly apply, become familiar with them and use them as a guide to good practice.
Finally, the best thing to do is to form a cybersecurity entity, bringing together security and cybersecurity experts in the same team. The business then has operational knowledge in addition to knowledge of the abuse and associated risks.