by Paul Morgan, Cyber Security Consultant with contributions from Mohammad Jbair, OT Security Consultant and Niklas Klotz, CyberSecurity Engineer ICS
The Covid-19 global crisis has had huge impacts in both our personal and professional lives. As a result, businesses across the globe have been forced to make major changes in how they operate and adapt to new challenges. Due to the crisis, many manufacturing and production facilities have been forced to reduce output or cease production completely, leaving what was once a 24/7 operation essentially dormant. Where work forces continue to operate, they do so with reduced resources, social distancing and travel restrictions in place.
Many of these critical infrastructure and manufacturing facilities rely heavily on Operational Technology (OT) to enable the Industrial Control System (ICS) to drive production. However, much of this technology is legacy: it runs software and hardware that is vulnerable to known exploits and was implemented without security being a key concern. Existing security concerns in the OT production environment and its operational support functions are amplified during the crisis, as new risks are introduced by the many facilities adopting new remote working patterns.
Historically, it has been a significant challenge to justify any activity that interrupts the operational process, because such interruptions have a negative financial impact. However, the current situation creates a unique opportunity to take advantage of unanticipated downtime and the availability of ‘non-productive’ staff to assess the current security posture and facilitate positive change.
What are the current threats?
Lack of OT device identification and management
The lack of visibility leaves operators unable to determine a device’s status and hence its security. Consequently, there is reliance on physical site visits to often hard-to-reach locations to carry out interrogation, fault diagnosis and maintenance. There is little or no visibility of the status of unmanaged devices.
Delays applying patches and security updates
The installation of patches and security updates to infrastructure may become delayed or generally more challenging to implement during the pandemic. Many legacy systems may require updates to be carried out locally or it may be deemed too high a risk to carry out an update remotely due to the chance of a system requiring manual intervention. This results in an increased exposure window for a cyber-attack to exploit new vulnerabilities.
Insecure remote working provision
In the rush to deploy new infrastructure and/or increase capacity to cope with the growing demand for employee remote working, services are often set up hastily, with the main business driver being to provide the required functionality as quickly as possible. This can result in security controls and processes being overlooked or directly circumvented to save time.
As part of a home working solution, employees will continue to need access to the same toolset and data that they are used to leveraging in the workplace. It is critical that access to highly sensitive data or systems such as SCADA or Engineering Workstations are provisioned in a secure manner and access is restricted only to those who have a legitimate business need. Given the criticality and sensitivity of such access, it is vital that appropriate technical controls are implemented correctly with the supporting governance to provide a robust and secure solution.
Use of Bring Your Own Device (BYOD)
Due to the increased reliance on remote working, many organisations may have taken the decision to sanction BYOD to cope with hardware demand and provide system access for employees. As most home devices will not be subjected to the same rigorous security requirements and controls as corporate devices, the risk is immediately increased. Personal devices are considerably more likely to contain malware due to the very nature of their use and limited security solutions in the home environment. Should BYOD be deemed suitable for use, it is imperative that strict security controls and working practices are implemented; if not, an alternative secure remote working solution should be implemented.
Increase in social engineering attacks
Social engineering attacks show no sign of slowing down during the crisis – the volume of phishing emails has in fact increased, with criminals adapting their approaches, including setting up fake coronavirus news websites embedded with malware. Employees who are subjected to major changes in their working practices and forced to adopt new processes and technology are likely to be more susceptible to a social engineering attack.
Employees subverting existing process and good practices
Employees may bypass existing processes and good practices intentionally or unintentionally. As employees adapt to new ways of collaborating, they may carry out a task in a manner that creates a security risk (often to save time, reduce burden or simply because they are not aware they are doing anything wrong). For example, employees looking to share data may become frustrated by the time-consuming process of logging into a company VPN and may decide a quicker method would be to use a third-party file sharing tool such as Dropbox or OneDrive. This not only risks the data being compromised but can also have critical compliance implications.
Ineffective Business Continuity Plan (BCP)
In addition to considering Business Continuity Planning from a technology standpoint, it is vital that key roles have contingency built in with a documented ICS restoration procedure that allows the functions they provide to remain available. Where this has not been addressed and system restoration cannot be executed by another available member of staff, this can leave businesses with degraded or halted operations due to not having the trained and knowledgeable resources available.
What are the impacts to organisations?
With a high-level view of the most common threats during the Covid-19 crisis identified, what exactly are the consequences of a cyber breach occurring? A cyber security breach can ultimately affect the service availability of the OT environment, which in turn has a range of financial consequences that can be realised both directly and indirectly. The obvious financial loss comes from the loss of critical service availability, such as Service Level Agreement penalties, fines from industry/regulatory bodies or the degraded output of a production line.
There are also qualitative factors to consider which are difficult to assign a monetary value to, such as damage to company reputation and the reduction in customer confidence. Should an incident impact production output or service availability, it is very likely to have a knock-on effect throughout the supply chain. This can often lead to a general drop in confidence and concerns over delivery in the future, potentially resulting in loss of contracts and prospective business opportunities.
In 2019, according to Verizon, 25% of breaches were motivated by cyber espionage. Gaining access to confidential information is big business, and it is not only Intellectual Property (IP) from your R&D department that is at stake. Threat actors are after all kinds of confidential information which might give them a commercial advantage, whether it be client databases, pricing structures or even corporate negotiating strategies. This information can be used by an adversary to take advantage of many situations such as bids, buyouts, mergers and acquisitions, or it can simply be sold on to the highest bidder.
What can be done to protect organisations?
To address the risks associated with the adoption of new working practices, organisations need to quickly understand and assess their security maturity to identify exactly where their strengths and weaknesses reside. Airbus CyberSecurity has developed a CyberResilience Maturity Model service to help organisations respond to these demands and maximise the opportunities that a reduced operational tempo can offer.
Our CyberResilience Maturity Model incorporates not only several security frameworks and best practices but also our long-term practical experience in securing critical industrial environments. In a hands-on workshop setting (physical or virtual), our OT experts focus on the critical OT security areas needed to address the key risks which have emerged or increased during this pandemic. The ultimate goal of this pragmatic approach is to collaboratively assess an organisation's security maturity, identify exactly where its strengths and weaknesses reside, and transform the corresponding gap into an actionable roadmap. The workshop and follow-up activities are described below:
On-site/Virtual Workshop activities:
- Tool Familiarisation
This initial step is a kick-off with key stakeholders; it includes familiarisation of the assessment tool and expected agenda for the workshop.
- As-Is Operating Model
Identify the current security maturity (As-Is) of the scoped OT infrastructure by discussing cyber security from a 360° perspective considering the organisation’s people, processes and technology.
- Target Operating Model
Define the target security maturity of the scoped OT infrastructure collaboratively to derive clear objectives taking into consideration multiple variables such as risk exposure, standards, and regulations.
- Gap Analysis
This step analyses the gap between the “As-Is” and “Target” security maturity, taking into account the high-level risk exposure. Visualising the gap helps organisations increase management awareness of cyber security objectives and provides justification for cyber security needs.
- Roadmap Definition
Due to the Covid-19 crisis, it is very important to prioritise the roadmap so that the target security maturity is achieved within a sensible timeline and budget. A prioritised roadmap is an essential enabler for achieving sustainable OT security enhancements, ensuring the right actions are taken in the right order.
- Final Report
A management report which presents the results of the tool via a graphical representation of both the “As-Is” and “Target” Maturity Models; the report also summarises the identified risks, their impact and the recommended security mitigation measures.
A holistic approach which considers the people, processes and technology that support a business is the only true way to understand the big picture. Organisations undergoing this assessment will be able to evaluate their existing technology, security controls, policies and procedures, incident management and physical security, and focus on the key risks identified during the Covid-19 crisis. From this information, recommendations can be made to mitigate risks and provide some “quick wins” which offer the highest impact on security improvement for the least investment. This initial investment also provides the business with the foundation for building a longer-term cyber security maturity programme in order to reduce the risk of an incident occurring, ensure a high level of preparedness and ultimately reduce the impact.
Who can help?
We understand the current challenges in OT environments and are proven experts in cyber security. We have extensive experience both through our own manufacturing facilities and from the numerous customers we support daily around the world. It is key that during this crisis, companies take advantage of the imposed downtime and use the time wisely to improve their security posture and address the risks that are more prevalent during the Covid-19 crisis. A small investment in the CyberResilience Maturity Model, and the resulting awareness of your security posture, could save you hours of downtime, reputational damage and financial impact in the long run. At Airbus CyberSecurity we can assist you in building a structured and prioritised programme, closing the gaps and reducing your risk.