Look around you. Unless you’re reading this in the middle of the Sahara Desert or Amazon Jungle, it’s a safe bet that there are at least three different electronic devices and applications around you that have, or can have, some kind of connection to the internet. Gone are the days when having the internet on everyday items were seen as something out of science fiction.
Take your smartphone for example. When you break it down, it is basically a global encyclopaedia, television, games console, camera, calendar, telephone box, pager and more, crammed into a small handset. Can you imagine not having such a device and having to lug around all those items around? The internet and connected devices, such as smartphones, are a great aid for us as human beings, as are the various machines and devices that are used within our manufacturing plants and workshops everyday.
However, as has always been the case, there are people out there that manage to take a positive and turn it negative, and in the 21st century these people are commonly known as hackers – people that aim to use computers and other electronic devices to gain unauthorised access to data and machines.
In recent years, hackers, cyber-attacks, and data breaches have been cast into the spotlight by companies and the media alike – often defined as one of the next big threats that the world is dealing with. But should UK manufacturers be worried?
Data says do more
The Department for Digital, Culture, Media & Sport warned in August that the UK’s top firms and charities urgently need to do more to protect themselves from online threats.
A survey (http://bit.ly/2uXEDri) of the UK’s biggest 350 companies found that more than two thirds of boards had not received training to deal with a cyber incident (68%) despite more than half stating that cyber threats are a top risk to their business (54%). In addition, one in ten FTSE 350 companies said they operate without a response plan for a cyber incident and less than a third of boards receive comprehensive cyber risk information (31%).
Matt Hancock, minister for digital, said: “Recent cyber-attacks have shown the devastating effects of not getting our approach to cyber security right. These new reports show we have a long way to go until all our organisations are adopting best practice and I urge all senior executives to work with the National Cyber Security Centre and take up the government’s advice and training.”
Separate research (http://bit.ly/2zPCtsG) released in the same month by specialist business continuity and disaster recovery provider Databarracks also warned that there is a continuing failure to prepare for cyber-attacks.
It found that 31% of the 400 organisations surveyed have been affected by cyber-crime in the past 12 months, and 41% haven’t invested in any safeguards over the last year.
Meanwhile, just 34% of organisations said they have invested in cyber awareness training and only 11% of organisations have certified to a cyber security framework.
So, we know that cyber-attacks are a big concern and companies are failing to prepare and invest, but what steps can manufacturers take in order to stop and mitigate against them?
Cyber awareness training
Cyber security breaches are often well documented. Most notably, the ‘WannaCry’ ransomware attack that crippled the globe earlier this year and demanded payment in return for access to files. Although it made many organisations and companies
go into panic mode as they were put at a standstill, it did highlight that companies and organisation are and clearly were not prepared to deal with such an attack and had no plan of action once an attack takes place.
Peter Groucutt, managing director at Databarracks, says that ongoing cyber awareness training is an “integral element” in an organisation’s defence against cyber-attacks.
He recommends that organisations who only carry out awareness training once a year – typically as part of an initial employee induction – should increase this to at least twice annually as well as provide employees with frequent security refreshers.
“The rate of change in cyber threats means that we all need to constantly adapt our methods of protection,” he explains. “It is no longer acceptable for cyber awareness training to be a five-minute warning given to new starters – the entire workforce needs to be informed and up to date on new threats.
“Additionally, this approach needs to be supported by the IT department who, when an incident occurs, needs to communicate this to the entire business, providing insight as to why an incident took place, what the implications were and, most importantly, what can be done to prevent this from happening again.
“Protecting your organisation from threats is not just about preventative technology, it’s also about building a culture of information security. An employee’s understanding of security is one of the most important and effective security measures that organisations should be investing in, not least because unwitting employees are often the unknowing accomplice within an attack. While good security habits take time, it is better to invest in good practices now than pay the price later.”
Identify your status
There are also other steps that UK manufacturing firms can take. Paul Hingley, business manager of data services, MindSphere, safety, plant analytics and industrial cyber security at Siemens UK & Ireland, says that the first step UK manufacturers need to take in order to prepare for a cyber-attack is to understand what their “status” is – what is their footprint with regards to protection against an actual cyber-attack.
“The biggest issue we see with companies is that they don’t really understand where the attack will come from,” he explains. “They don’t understand what is actually connected to their operational technology (OT). What actually is their status with regards to security – understanding what is actually connected to your networks is the first step and what you generally find is the surprise in what
is connected.”
Once companies have identified their status, Hingley says that they should then seek input from those relevant to their industry. “From an automation perspective, for example, if they are primarily a Siemens user, then speak to Siemens and ask for advice around their product, the utilisation of the product and what security steps can be taken around the products themselves,” he says. “That would be the same with any vendor – gathering as much information as possible around the implementation of the products that are on their OT network.”
The next step is to then understand where you are with regards to the operating systems – have they been patch managed? Hingley says: “In some businesses they are running on firmware that hasn’t been patched and that’s a major problem. So, in the audit element of security, firms need to identify what’s on the network, the network history (applied patches) and if the software has been updated. It’s almost like doing a risk threat or vulnerability analysis where you bring all the elements together in a document that identifies how to mitigate all the issues you’ve found.”
Loss of data
Tony Mannion, sales development manager at SolutionsPT, agrees that unpatched systems are a big problem. “Many attacks are not targeted, meaning all systems, including unpatched systems, Windows systems and the aforementioned legacy systems, are vulnerable to infection, he says. “Similarly, if a ransomware attack can infect your systems, for networks that suffer from a lack of visibility, knowing what the malware is targeting and what damage it is doing is almost impossible.
“But perhaps the biggest threat to manufacturers lies in the loss of data. This is a huge issue for manufacturers because, as well as being enormously disruptive to operations, the loss of key data often carries with it legal implications, as some industries are required to provide information to government agencies, such as the Environment Agency, and failure to do so will result in substantial fines. Likewise, for manufacturers in regulated industries who are unable to sell their products into certain markets unless they have a complete set of production data, such as the pharmaceutical industry, the loss of data can be catastrophic.
“Manufacturers need to ensure they are protected against ransomware attacks by having a protective strategy in place which can identify an infection early. Manufacturers need to develop an architecture that is inherently secure by design, and ensure they have a plan in place to protect them against the threat of multiple types of cyber-attacks.
“This is a cultural issue and the biggest victory a company can achieve against cyber criminals is for a shift in mind set around the OT environment. A disaster resilience provision should be the cornerstone of every manufacturer’s cyber security strategy, as this will ensure they are able to function in the event of an attack, even when it’s impossible to prevent the attack from occurring in the first place.”
Continuous monitoring
Hingley also recommends looking at 62443 (International Electrotechnical Commission standards). Although not fully released yet, they give a good understanding of how to design a protection level for your plant.
In addition, he says that firms should also continuously monitor security as “only with continuous monitoring can you have continuous validation.” “One of the biggest issues is that you put these systems in place and walk away, and then it turns unsecure,” he warns. “You may have mitigated but then a new virus comes and it hasn’t been recognised.”
Don’t ignore the threat
The risk to manufacturers has never been higher. Ransomware and other cyber-attacks have become a major problem and with its ability to spread quickly and force unscheduled downtime, manufacturers can no longer afford to ignore the threat it poses. Data shows that we know it is a big threat, but are still lacking behind where we need to be. Could 2018 be the year when cyber security sits at the top of the manufacturing priority list? I certainly hope so.
Case study: WannaCry attack
Earlier this year, what was described as the ‘biggest ransomware attack in history’, took place, infecting some 150 countries.
In the UK, the NHS was the worst hit by the computer virus, also known as ‘WannaCry’, which encrypts data on infected computers and demands ransom payment to allow users access. In the manufacturing world, it was also reported that Nissan’s Sunderland car factory was hit by the cyber-attack, with a spokesman stating that “like many organisations our UK plant was subject to a ransomware attack affecting some of our systems.”Following the attack, the National Audit Office (NAO) launched an investigation that focused on the ransomware impact on the NHS and its patients. The report findings were released at the end of October, but why was the NHS so badly affected and what steps were taken in response to the attack?
The investigation found:
● The Department was warned about the risks of cyber-attacks on the NHS a year before WannaCry and although it had work underway it did not formally respond with a written report until July 2017.
● The attack led to disruption in at least 34% of trusts in England although the Department and NHS England do not know the full extent of the disruption.
● Thousands of appointments and operations were cancelled and in five areas patients had to travel further to accident and emergency departments.
● The Department, NHS England and the National Crime Agency said that no NHS organisation paid the ransom, but the Department does not know how much the disruption to services cost the NHS.
● The cyber-attack could have caused more disruption if it had not been stopped by a cyber researcher activating a ‘kill switch’ so that WannaCry stopped locking devices.
● The Department had developed a plan that included roles and responsibilities of national and local organisations for responding to an attack, but had not tested the plan at a local level.
● NHS England initially focused on maintaining emergency care.
● NHS Digital said that all organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple action to protect themselves. Infected organisations had unpatched, or unsupported Windows operating systems so were susceptible to the ransomware.
● The NHS has accepted that there are lessons to learn from WannaCry and is taking action.
“The WannaCry cyber-attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”
Amyas Morse, head of the National Audit Office
Sources: NAO (http://bit.ly/2gHtWzW), The Express (http://bit.ly/2gEjFEu), The Telegraph (http://bit.ly/2qAwqXN)
Expert views:
Ryan Kazanciyan, chief security architect at endpoint security and systems management company Tanium, as part of the CBI’s recent Cyber Security Conference (http://bit.ly/2h2LOIB):
Hackers get to know a system before they attack it
Hackers will spend months gathering intelligence on the users, systems and data they are interacting with. Kazanciyan says that to prevent a hacker exploiting this, a business needs a full inventory of their assets, visibility of them, and the ability to detect unauthorised activity. He adds that adding new tools also expands the “attack surface” for hackers as well as the resource a business needs to maintain its security, so sometimes it’s best to remove tools.
Hackers will find a foothold and maximise the opportunity
Kazanciyan says that most security breaches will happen because a hacker gets a foothold and then uses it to access other parts of the system. These footholds can begin with just one system user and breaches of “third party” applications. To manage risks, businesses should ensure that up-to-date patches are installed, review the completeness and accuracy of the applications being used, and assess whether the system could contain a threat to applications.
Hackers are persistent and use a mix of tools
Beyond good visibility and knowledge of the system, good management of the software supply chain is important in limiting
the risk of security breaches from one of the ranges of tools hackers use, Kazanciyan adds. Ensuring that the easy thing is the safe thing for your employees or end-users can be the best option. Businesses should think about how to protect the whole system, rather than
just limiting risk at the point of the end user.
Paul Hingley business manager of data services, MindSphere, safety, plant analytics and industrial cyber security at Siemens UK & Ireland:
Phishing
Hingley says that phishing or phishing emails are the “primary go-to method” for hackers. He explains that the majority of cyber-attacks are ones where malware has been installed into an email that has been designed to look “personal”, and sent to an employee. The employee will then see that email and assume it is safe because it seems related to them and of importance. “Then before you know it, you have been exposed.”
Own devices
Another way that hackers can exploit systems and get past a company’s cyber security is through the devices of other people. Hingley says that bringing your own devices to work is becoming more acceptable in companies across the world.
However, these companies often “do not understand what devices are connecting to their network” and the person who has connected their smart device may not know if an attack has happened either.
Wireless networks
Unsecured wireless networks can also be an issue facing organisations, Hingley warns. “We’ve had cases in the past where young students have picked up on a wireless network that hasn’t been secured and they suddenly find themselves inside an operation’s IT system,” he explains.