A fire took out the Warnambool telephone exchange in the Australian state of Victoria in 2012, leaving 100,000 locals without connection for three weeks and reportedly costing A$950,000 a day. A cyber attack could have a similarly profound impact.
Australia’s Computer Emergency Response Team (Cert) does not yet break out the industrial component of the cyber incidents it responds to – but it does examine how best to protect industrial control systems (ICS) in its Essential Eight mitigation strategy.
While the scale of the problem that Australian industry faces is hard to quantify, no one disputes the threat is real.
According to a 2016 report by the Australian Cyber Security Centre (ACSC), a significant amount of data was stolen from the corporate network of an Australian critical infrastructure operator, including sensitive information relating to the organisation’s physical security and layout.
The ACSC’s investigation revealed the actor used legitimate credentials belonging to a staff member and a contractor of the organisation during the compromise. The actor was able to escalate their privilege to administrator level, enabling further compromise.
“Imagine if someone took out a telecommunications network for a week or a month or two – I don’t think people realise how fragile they are,” says Matt Tett, chair of the Internet of Things Alliance Australia (IoTAA) working group focused on cyber security and network resilience. “And with electricity systems, there is no redundancy, so there’s no back up if it’s out.”
ICS security gap
Right now, Tett says there is insufficient collaboration and communication between the teams deploying industrial systems and those running IT, with many of them operating in silos.
Deloitte describes this as the ICS cyber security gap. It notes that supervisory control and data acquisition (Scada) systems and distributed control systems used in operations were originally intended to operate on isolated proprietary networks where cyber threats were minimal.
Increasingly, however, they are being linked to other networks and the internet, featuring internet of things (IoT) devices that – unless properly secured and monitored – can become a weak link in the chain. Deployed by operations staff, whose métier is not necessarily cyber security, these IoT devices can create a security gap.
Phil Kernick, CQR Consulting
A glimpse of the extent to which IoT devices are now being deployed in Australian industry was provided at the recent CeBit conference in Sydney by Belinda Hodkinson, digital engineering strategy lead for the Snowy Mountains Engineering Company.
The company uses sensors to track soil movement, and the data is used to interpret the stability of a site. If the sensors detect a problem, safety messages are sent to staff by text warning them something is awry.
While there is a clear benefit of connecting ICS systems to the internet to deliver operational efficiencies – by alleviating the need to send someone to turn valves on and off, for example – all it takes is for a consumer-grade IoT camera to be installed to monitor a stockpile, and a weak link is added to the chain.
“People are buying off-the-shelf products and connecting them to their networks – and that is the weakest link that is causing headaches and problems,” Tett says. “Part of our role at IoTAA is raising awareness at the supplier side about what their products are used for, and making sure the demand side is aware too.”
Phil Kernick, chief technology officer and co-founder of Adelaide-based consulting business CQR Consulting, says part of the problem is that the people deploying industrial technology are not as aware of the cyber risks as their IT peers in the business.
“In their world, this is just a piece of kit – it’s not a computer, and as long as it keeps working they don’t care,” says the former electrical engineer.
According to Kernick, a key risk for most enterprises running ICS is that they often don’t even know if their systems have been compromised.
“I’m moderately surprised that we have not seen more industries ravaged by ransomware,” says Kernick. He acknowledges that it is unlikely any breach of security would compromise private data, so companies would not be obliged to disclose any compromise.
Under Australia’s notifiable data breaches scheme, only data breaches involving personal information that are likely to result in serious harm to any individual need to be reported to the authorities.
Tougher stance needed
Right now, Karnick says attempting to deal with the ICS security gap is “like putting a band aid on cancer” because there is often no secure alternative to the IoT and programmable logic controllers already on the market.
Kernick says the industry needs to take a tougher stance with equipment manufacturers and demand greater security controls be designed into solutions, with regular updates and patches made available in the same way as is the case with information systems.
In the meantime, he calls for the need to “transition the management of assets to people with qualifications – not leave it to the electricians and plumbers who were there when this was first put in”.
The IoTAA is also working on a Trustmark certification programme that it hopes to launch in September 2018 that will seed a degree of confidence about the security of IoT devices.
“We are leading the rest of the world, and hopefully the manufacturers will come on board because they are the ones that have to pay to have their products certified,” says Tett.
“The benefit ultimately would be that procurement agencies, instead of paper audits, would be able to see that the claims of the vendors have been materially tested and certified against that, and with any luck they would give those vendors preference.”
Read more about ICS security
- The number of internet-accessible industrial control systems is increasing every year, researchers warn.
- Airbus is helping to drive the cyber security market for industrial control systems used throughout industry, including many providers of critical national infrastructure.
- Coordination is vital to ensure that Southeast Asia’s cyber security efforts are focused, effective and in synergy with one another, said ministers and senior officials at a cyber security event in Singapore.
- Organisations should mitigate six key vulnerabilities in industrial control systems to reduce the risk of cyber attack, warns security firm FireEye.