Plant Safety & Cybersecurity – How Safe? How Secure?
Published on : Tuesday 02-02-2021
Addressing the safety and security concerns of the industry in the digital era.
Safety and security in the industrial context was always understood as the physical safety of the personnel as well as assets with the necessary security infrastructure in place to prevent entry of unauthorised persons in the plant complex as well as preventing acts like theft and sabotage by elements internal or external. With the advent of digital technologies, the safety of personnel has graduated beyond the use of personal protection equipment (PPE) and supplemented by sensors and wearables besides extensive video surveillance which takes care even of the lone worker scenario effectively. With the advent of digital technologies, there is also the rising menace of cyber-attacks, which is today a major security threat to businesses globally. With the connected enterprise, safety and security have now become inseparable, as the cyber criminals not only attack assets, but in the process also disrupt the safety systems that protect workers, equipment and environment. So how serious is the threat?
“Not every battle starts from air, ground or water. These days some of the fiercest attacks are happening among computer networks in the most silent form. The Digital Age has transformed the weapons into the most sophisticated digital tools, opening a whole new playing field of vulnerabilities with the unlimited threat landscape during pandemic,” says Mohit Kohli, Founder, Foresiet and former Vice President – Accenture, as he draws attention to the fact that cyber-attacks in India have increased multi-fold during the pandemic. India is among the top 5 most attacked countries. Indian companies have seen nearly 7 lakh cyber-attacks in 2020 affecting multiple sectors – Financial, Retail, Manufacturing, Government, etc. Remote work has fundamentally changed the dynamics, especially for teams habituated to working side-by-side every day. Unexpected changes can seed and drive security risks, especially where we fail to recognise this change and adapt to this new way of conducting business. “Employees working from home rarely have the same firewalls, network-based intrusion detection, and other defence integral to the offices we are all accustomed to working from. Which means even a strong security fort can be easily bypassed by alluring the last mile user, causing the enterprise to come to a standstill and have a cascading impact on the value chain. In case of Healthcare and Oil & Gas, the impacts would lead to life threats,” cautions Kohli.
“The pandemic induced remote working has increased the overall risk posture for both, large enterprises and small and midsize businesses (SMBs) in India. In particular, SMBs, some large Indian franchisers, and hyperlocal delivery apps among others, have been seriously impacted through ransomware attacks. Cyber-attackers also are changing their techniques and tactics and are now increasingly taking advantage of Covid-19 related news and charity initiatives by creating fake news, and spoofed websites to lure people and steal their credentials,” says Rajesh Dhuddu, Practice Leader – Blockchain and Cybersecurity, Tech Mahindra. “Even now, as India awaits the rollout of Covid-19 vaccine, fraudsters are using vaccine registration portals for cybercrime. It has been estimated by the National Cyber Coordination Centre that four lakh pieces of malware are found every day in India and 375 cyber-attacks are witnessed daily. These attacks are serious in nature and cause financial damages, irreparable damage to brand and reputation, and loss of productivity,” he adds.
Piotr Ciepiela, EY Global Cyber Architecture, Engineering & Emerging Technologies Leader, Consulting, draws attention to how, in recent years, the industry has experienced a significant number of successful cyber-attacks on critical infrastructure (CI) facilities. Those widely recognised and discussed cases (such as attacks to power grids and multiple critical manufacturing companies impacted by ransomware) have brought the new cyber risk to the attention of CI owners and societies whose safety depends on proper operations of this infrastructure. “As a result, we have now observed a significant rise in investments and new regulations aimed at protection of CI installations. The management and cybersecurity departments of CI operators are keenly aware how cyber-attacks can result in unavailability of essential services they support, by impacting basic process control systems with such components like DCS (Distributed Control System), PLC (Programmable Logic Controller) controllers or SCADA (Supervisory Control And Data Acquisition) class applications,” he says.
“However,” adds Ciepiela, “there is still a limited understanding by non-automation professionals that for large and complex installations like refineries or power grids, there is another layer of industrial control systems, the so called Safety Integrated Systems (SIS) protecting us from large malfunctions, which would result in ecological catastrophes and loss of life. These very reliable, basic systems have a single purpose – to switch off technological installation in a safe manner if technological process parameters go beyond acceptable levels.” Beyond SIS, there are passive measures dedicated to minimising the impact, such as explosion-proof infrastructure. Ensuring proper reliability of these critical systems is a goal of the whole significant part of automation engineering, which is part of a larger domain called functional safety. There’s an imperative to pay more attention to the possible exposure of SIS to the cyber threats and how functional safety specialists can consider those threats in their reliability analysis for systems they design and deploy to keep people and systems safe.
In this context, Deepak Naik, Director Business Development, HIMA Middle East FZE, quotes the example of a safety controller deployed in a process facility in the Middle East, which was hacked in 2017. “The Safety Instrumented System (SIS) was compromised and initiated a plant shutdown. While no damage or injuries occurred, the incident should serve as a wake-up call to heighten awareness of segregation and cybersecurity in the industry as it was the first publicly-known successful attack on a safety instrumented system – which is the last line of defence in any process plant,” says Naik. Furthermore, critical hardware vulnerabilities affecting most modern processors have recently been identified. Attack modes such as Meltdown and Spectre exploited these in order to steal data from computers all around the world. It again reopened the discussion around the layer of protection and additional segregation requirement in different layers. “An independent protection layer (IPL) is a device, system, or action that is capable of preventing a scenario from proceeding to its undesired consequence independent of the initiating event or the action of any other layer of protection associated with the scenario,” he adds.
What are the most common cyber threats and how best can companies counter them? “One of the weakest links, in most cases, is due to outdated software. So, the software and firmware in the entire system has to be up-to-date. It mitigates attack vectors caused by vulnerabilities a hacker can exploit. However, besides outdated software, statistical data on breaches indicate that the greatest threats are actually humans in the organisation. Social engineering is in fact the most common cause for breaching a system. Only then can the attacker start looking for outdated software,” observes Ravi Ramarao, an International Business Leader with 29+ years of overall experience in Connected Manufacturing. “Each new service and capability introduces additional risks. Hackers constantly look for points of entry for potential privacy breaches. The number and usage of connected systems and smart mobility services shall only increase, inevitable. So, we should be prepared to face a growing number of cyber, fraud, and data-breach incidents. If un-prepared, it shall cause damage to both companies and consumers,” he adds.
According to Mohit Kohli, the adoption of modern technology is challenged by the increase in cybersecurity threats that target the Operational Technology community. “We have seen an exponential rise in sophisticated social engineering techniques with the motive of cyber-espionage. Cybercriminal groups attempt to take advantage of vulnerable employees (enterprise users or users from supplier/vendor, etc.), who are unfamiliar with managing their technology environments. It is one of the most effective attack vectors because it exploits human behaviour and our tendency to trust one another. India has noticed a rise in Credential stuffing attacks this year using sophisticated phishing campaigns” he points out and states that organisations must switch from detecting to predicting cyber breaches with a multidimensional approach covering – Secure Mindset, Secure Last mile remote users, secure network access, secure work environments, and secure collaboration.
Rajesh Dhuddu believes Practice Phishing, MITM (Man in the Middle), SQL (Structured Query Language) injection, malware, zero day exploits, supply chain attacks and Domain Name System (DNS) tunnelling are some of the most common cyber threats. “Such attacks are impacting organisations world over. As per Reuters report, the recent supply chain attacks on SolarWinds have caused disruption to the State and local governments in the US,” he says and adds that companies must train and educate employees about phishing attacks and help them identify and deflect such attacks. This is important because if employees are vulnerable, even the strongest cybersecurity technologies or products will be suboptimal.
While cybersecurity is now important, are companies paying adequate attention to the physical safety of its personnel and assets? “With the growth of industry and huge industrialisation across the world, negligence or little compromise in safety results in huge disasters. Every year millions of industrial accidents occur which result in loss of human life, loss of man-hours, machine hours and loss of production time,” says Darshana Thakkar, MSME Transformation Specialist and Founder, Transformation – The Strategy Hub. “Additionally, huge financial loss in terms of repair and replacement of machinery, equipment, compensation for employees, and sometimes loss of revenue because of delayed delivery to the customer,” she adds.
“In addition to the direct threats brought as a result of digital transformation, there is an aspect of physical security of assets and personnel that is often overlooked. In 2018, Microsoft and Accenture conducted a joint survey with more than 200 industry leaders for understanding how critical physical security is in the era of digital transformation. The report concluded that even though the leaders understood risk management in digital enterprise, they lacked the understanding of physical security of personnel and assets. Additionally, there is a risk to the physical security of personnel and assets, as a result of system malfunction,” says Suneet Pahwa, Deputy Director at DSCI (NASSCOM). Data Security Council of India (DSCI) is a not-for-profit, industry body on data protection in India, setup by NASSCOM – the premier trade body and chamber of commerce of the Tech industry in India, which is committed towards making cyberspace safe, secure and trusted by establishing best practices, standards and initiatives in cyber security and privacy. “Insider threat is another threat to the OT sector, including industrial plants. According to the latest report on Insider threat by Verizon, manufacturing is among the five industries with the highest number of insider threats. The average cost of insider threat to a manufacturing organisation is about USD 8.86 million,” adds Suneet, emphasising the magnitude of the threat.
So how can companies effectively counter the various threats ranging from perimeter security to workplace safety, theft and sabotage, etc., with effective use of technology? “Remote working has imposed a great magnitude of threats which means a new standard to be developed to protect the endpoints. Companies spending on cybersecurity do not necessarily correlate with the level of protection. Enterprises need to build a strong borderless security approach due to the decentralised nature of business,” suggests Mohit Kohli.
“Organisations should undertake a complete risk – both cyber & physical – quantification program. This will create a comprehensive risk register along with risk classes with respect to corporate networks perimeters. Organisations must realise that VPN technologies may not be sufficient for comprehensive cyber threat protection. While the implementation and integration of two-factor authentication can help in significant risk reduction, it will not eliminate the possibilities of cyber threats or attacks completely,” opines Rajesh Dhuddu. He suggests organisations should focus on zero trust concepts like Device ID/fingerprinting, software defined networks, dynamic perimeter overlay and implement solutions like SASE that provide security for DNS, web gateways and firewalls integrated with Cloud Access Security Broker (CASB).
Piotr Ciepiela states that catastrophic industrial accidents in the past caused by human error, improper design or operations have resulted in development of analysis methods dedicated for ensuring functional safety. “One of those, proven in use, is the Hazard and Operability Studies (HAZOP) method. This method is based on a systematic review of design assumptions and the technological processes to identify all possible deviations of parameters and supports selection of proper countermeasures to lower the risk of such events to acceptable levels. HAZOP is a standardised risk analysis method for conducting analyses according to the methodology described in IEC (International Electrotechnical Commission) 61882 standard,” he explains.
“If I talk about my real industry experience, most of the micro-enterprises are not able to fulfil basic safety requirements. This is a big concern for human safety,” says Darshana Thakkar, who believes MSME industrial accidents can be reduced through effective preventive measures by hazard assessment, good housekeeping, training, and better personal protective equipment (PPE). “To develop a good safety culture, the attitude of the workers needs to be reoriented by adopting best practices, good housekeeping, and changes in work culture and work practices. Industrial accidents are common in India, as in many other developing countries. Prediction of various types of accidents helps owners/managers to formulate organisational policies for improving safety performance,” she asserts.
Talking specifically about process industries where the stakes are high, how adequate are the counter measures against such threats? “We have seen that cyber threats to safety integrated systems (SIS) are not just a potential, but a reality. In 2008, an oil pipeline in Turkey that exploded is now believed to be due to a cyber-attack, where hackers were able to disable SIS before taking control over the oil transmission process and take it outside safety parameters. That was probably the first publicly announced attack of this type,” says Kris Lovejoy, EY Global Cybersecurity Consulting Leader. “However, most recently we can witness the rise of safety-related incidents. In 2017, Triton malware – the first SIS dedicated malware, capable of modifying main functions without any notice to system engineers or operators – was identified. Rapid evolution of technology and constant changes in IT/OT integration increase the risk of cybersecurity incidents in critical infrastructures,” she points out.
“The manufacturers, and perhaps customers too, will have to identify and secure critical elements for the entire platform – all the way through to phase-out. This means life cycle management will be a decisive topic in the future. In other words, how do you provide adequate risk-based protection after start of production for connected systems? They are in the cyber space and face many years of exposure to a constantly changing threat landscape,” says Ravi Ramarao. “As an OEM or supplier or a consumer all should be aware of these facts and to achieve the security level identified in this way, we need to involve all participants,” he adds.
“We are seeing a clear shift from Cybersecurity to Cyber Resilience. Both increasing IT/OT integration imposed by raising business requirements and cutting-edge security capabilities sourced in different delivery models result in developing a very wide and complex environment to protect,” says Mohit Kohli, who maintains the industry is not only getting better at identifying cyber threats but is also responding and dealing with them faster. “Business needs to ensure security is deep-rooted in the organisation's DNA. There is no silver bullet to confront cyber threats as it is continuously evolving. Hackers leverage AI-enabled engines to guess and predict the next move of the Enterprise protection engine; which means the war is between AI-enabled products and AI-enabled hackers,” he stresses.
Today, every process plant has Industrial Control Systems (ICS) governing different levels of digital adoption in the organisation, varying from corporate servers to field devices. “Safeguarding these ICS and SCADA (Supervisory Control and Data Acquisition) systems are of paramount importance as the health and safety of workers/employees are also dependent on them. Human errors continue to play a significant role in physical and cyber disasters. Along with this, an increased potential for remote attacks on ICS and SCADA systems have raised the stakes for cyber-attacks even further. While there are adequate measures to focus on process safety and cybersecurity individually, harnessing the overlap between these two is the key to build resilient cyber defences,” says Rajesh Dhuddu.
“There is a significant lack of understanding when it comes to cybersecurity awareness. This is commonly seen across multiple sectors,” says Suneet Pahwa. “Cyber policies need revision, as the way organisations are operating has changed in the past few months. In some of the cases, these guidelines have been written from a subject-matter expert perspective. However, given the vast scale of threats and vulnerabilities, cybersecurity guidelines must also address people on the manufacturing floor,” he adds.
What could be the ideal approach for comprehensive safety solutions for a typical industrial plant? “Businesses need to shape themselves to meet the new way of working during a pandemic. Take the attacker’s view. Risk reviews and vulnerability analyses must not focus solely on the value of the information to the company and the ascertainable gaps in its defences. The profiles of potential attackers are also important: Who wants the organisation’s information? What skills do they possess? Thinking about likely attackers can help identify new gaps and direct investment to protect the information that is most valuable to the most capable foes,” says Mohit Kohli, summing up his assessment.
“Comprehensive safety solutions for typical industrial plant should have following elements,” says Rajesh Dhuddu., and enumerates the points:
a. AI based video surveillance.
b. Security Operations Centre (SOC) with all device integration and comprehensive use cases.
c. Discovery, identification and control platform for all connected OT/IoT (Operational Technology/ Internet of Things) devices in the plant.
d. Implement micro-segmentation to clearly segregate IT infrastructure and IoT/OT infrastructure.
e. Recurrent and repeated training of employees on all hazards – physical and cyber.
Kris Lovejoy is of the opinion that the traditional model of cybersecurity as a compliance activity, bolted on by a checklist approach instead of built into every technology-enabled business initiative, is not a sustainable model. “Next-generation chief information security officers (CISOs) should look beyond the standard information security realm into OT’s cyber-physical systems, considering safety as well as emerging technologies threats that are related to IoT or cloud, just to mention two examples. To get ahead of those threats, companies must focus on creating a culture of security by design. This can only be accomplished if organisations successfully bridge the divide between the security function and the C-suite and enable the CISO to act as a consultant and business enabler instead of the stereotypical roadblock,” she concludes.
(Note: The responses of various experts featured in this story are their personal views and not necessarily of the companies or organisations they represent. The full interviews are hosted online at https://www.iedcommunications.com/interviews)