‘USBs are among the most common devices used for cyber attacks’
Shivendra Kapoor, Sr Manager – Functional Safety, Chola MS Risk Services.
The flipside of connectivity is the vulnerabilities that come along. How serious is the threat?
In today’s highly connected, internet-based world, everyone must have had an encounter with a cyber attack, be it while banking online, at the office, in hospitals, using social networks or even in operating plants/industries.
As more devices get connected, the vulnerability to cyber attack increases. Vulnerability, in simple terms, is the weakness in a system that is an easy entry point for the attacker to gain a foothold in your system so as to gain unauthorised access and create havoc in your system while enjoying access to the wealth of information your exposed system has to offer. Industry estimates put the cost of cybercrime damages at USD 6 trillion by 2021. Have we forgotten WannaCry, Stuxnet, Night Dragon, etc.? Definitely not. But most importantly, have we learnt any lessons from these attacks, or are we still confident that nothing bad would happen to us?
How can organisations address the issues of cyber attacks and IT security in the age of connected plants?
Organisations should get moving quickly on performing unbiased security gap assessments (especially for existing systems) and accordingly implement more robust cybersecurity practices and thoroughly follow documented policies. If you don’t know that you really have a gap in your security system, how are you going to solve the problem? Rather, it is often observed that organisations that skip the gap assessment and risk ranking exercise end up wasting money on risks that actually need less attention but forget to invest in risks that need urgent action. The path forward to develop countermeasures to reduce the risk to a tolerable level shall be developed after recommendations from the gap assessment exercise. This would be the most effective way to progress in the cybersecurity journey and ensure that at every stage the correct and most appropriate solution is being executed.
One major threat comes from the growing proliferation of IIoT devices and storage (cloud). How can users deal with such threats?
First, organisations have to accept the fact that there is a difference between IT and OT. In IT, data confidentiality is of prime importance, whereas in OT, availability is the topmost priority. Integrity of data is no doubt a key factor always to be ensured. It should be ensured that the personnel maintaining IIoT devices and systems are different from those maintaining IT devices, and that there is a clear understanding of the scope of work, responsibilities and boundaries between these two teams.
Access to control systems, logic programs, logs, other stored data and connected smart sensors and final elements shall be under strict administrative control, and a layer-of-protection approach shall be followed. Under no circumstances shall these be bypassed. This would definitely act as a strong preventive layer of protection that will help in effective protection against cyber attacks.
A leading cybersecurity player recently demonstrated internal vulnerabilities like USB devices. Are employees adequately trained?
USBs have been found to be one of the most common devices used for cyber attacks. If the organisation doesn’t have any cybersecurity policy in place, the USB port is bound to be open and prone to misuse. It’s just so comfortable to plug in and attack! That’s it! Many times in industry, especially in control rooms, the hard disks of workstations (connected to the control network or even to the enterprise network) have been found to be fully loaded with videos, images and inappropriate content, all copied through USB.
Organisations have to be cautious of internal disgruntled employees and external third-party contractors, and should aptly train personnel and necessarily percolate strict documented cybersecurity policies within the organisation, with well-defined terms of use, expectations, responsibilities and implications of misuse. I would suggest it should be treated as ‘Law’ within every organisation.
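As an added illustration for the point above (not part of the interview or of Chola MS Risk Services’ tooling), a small defender-side check: it parses Linux kernel messages in syslog form for USB mass-storage attachments on a control-room workstation and flags any device whose vendor:product id is not on the site’s approved list. The log lines, host name and allowlist are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (kernel messages) from a hypothetical control-room workstation.
SAMPLE_LOG = """\
Mar 12 09:14:02 ctrl-ws-01 kernel: usb 1-1.2: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
Mar 12 09:14:02 ctrl-ws-01 kernel: usb 1-1.2: Product: Generic Flash Disk
Mar 12 09:14:02 ctrl-ws-01 kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected
Mar 12 10:02:11 ctrl-ws-01 kernel: usb 1-1.3: New USB device found, idVendor=5678, idProduct=0001, bcdDevice= 2.00
Mar 12 10:02:11 ctrl-ws-01 kernel: usb 1-1.3: Product: Site Keyboard
Mar 12 11:30:45 ctrl-ws-01 kernel: usb 1-1.4: New USB device found, idVendor=9abc, idProduct=0100, bcdDevice= 1.00
Mar 12 11:30:45 ctrl-ws-01 kernel: usb 1-1.4: Product: Approved Engineering Drive
Mar 12 11:30:45 ctrl-ws-01 kernel: usb-storage 1-1.4:1.0: USB Mass Storage device detected
"""

# Constructed allowlist of idVendor:idProduct pairs the site has approved for removable storage.
APPROVED_STORAGE = {"9abc:0100"}

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: (?P<msg>.*)$")
FOUND_RE = re.compile(r"usb (?P<path>[\d.-]+): New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT_RE = re.compile(r"usb (?P<path>[\d.-]+): Product: (?P<name>.*)$")
STORAGE_RE = re.compile(r"usb-storage (?P<path>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")

def find_unapproved_storage(log_text, approved):
    """Return one alert per mass-storage device whose vendor:product id is not in the allowlist."""
    devices = defaultdict(dict)  # (host, usb port path) -> details gathered across lines
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a kernel message in the expected syslog shape
        ts, host, msg = m["ts"], m["host"], m["msg"]
        if f := FOUND_RE.match(msg):
            devices[(host, f["path"])].update(time=ts, id=f"{f['vid']}:{f['pid']}")
        elif p := PRODUCT_RE.match(msg):
            devices[(host, p["path"])]["product"] = p["name"]
        elif s := STORAGE_RE.match(msg):
            devices[(host, s["path"])]["storage"] = True  # a storage interface bound to this port
    alerts = []
    for (host, path), d in devices.items():
        if d.get("storage") and d.get("id") not in approved:
            alerts.append({"host": host, "time": d.get("time"), "port": path,
                           "id": d.get("id"), "product": d.get("product", "unknown")})
    return alerts

if __name__ == "__main__":
    for a in find_unapproved_storage(SAMPLE_LOG, APPROVED_STORAGE):
        print(f"{a['time']} {a['host']}: unapproved removable storage on port {a['port']} "
              f"({a['id']}, {a['product']})")
```

Keyboards and other non-storage devices are deliberately ignored, so the check enforces the removable-media policy without alerting on every USB peripheral.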
Do companies compromise security by their unwillingness to spend, attributing it to risk appetite?
Yes, especially for those who think SAFETY is not that important and that it can be pushed to the next financial year when cash flow improves. They may believe that by opting for cyber insurance in their insurance policies they would be protected in case of a cyber attack. This encourages them to procrastinate on most safety-related activities (general safety, process safety, functional safety including cybersecurity, etc.) till an accident actually knocks them off, sometimes to the extent of catastrophic accidents beyond which no repair is possible, as the damage (especially financial and to reputation) is already done. Cybersecurity is a part of overall safety, yet it is one of the most misunderstood subjects.
Even today, industry personnel believe that by installing anti-virus software and having restricted user access they have cybersecurity systems in place and are free from cyber attacks. It’s a big mistake. These steps, though crucial, are just a minuscule part of an overall healthy cybersecurity system. Industries have to gear up to the beckoning world of cybersecurity and implement it as a ‘lifecycle’ concept, especially for industrial cybersecurity, where they need to follow the IEC 62443 series of standards.
Is there an ideal solution that reaches a fine balance?
With mounting expenses and stiff competition, it’s becoming tedious for organisations to maintain healthy bottom lines. But this does not mean that basics should be compromised. In this ever-increasing digital age, where everything is connected and extensive networking is on the rise, there is a need for strict discipline in the way we currently look at and deal with cybersecurity.
Just compare it with the human body. If we don’t follow a disciplined and healthy lifestyle, we are vulnerable to attack by external viruses and bacteria, and at times the diseases caused by these may prove fatal.
Similarly, in the cybersecurity world, we need industry personnel to be trained by competent professionals so they can correctly understand, implement and maintain the requirements set by their respective cybersecurity standards. Without a disciplined approach and involvement of top management it would be impossible to achieve true protection from cyber attacks.
Shivendra Kapoor is an Instrumentation & Controls System engineer from Mumbai University, a TUV SUD Functional Safety Certified Professional (FSCP) and exida FSP (IEC 61511), and has 16 years of international industry experience in design & detail engineering, EPC, LSTK, site support, process and functional safety consulting, training and publishing. He is currently employed as Sr. Manager – Functional Safety with Chola MS Risk Services in Mumbai. He has numerous technical papers published in reputed publications and is a freelance writer with more than 25 internationally published fiction, non-fiction and short stories.