The bright and dark of digital transformation

Over the past few years, those in virtually any service and manufacturing area have been able to experience progressive technological developments, primarily in the fields of digitization and automation.

Modern technologies based not only on electronics and networks, but also on advanced analytics, artificial intelligence and machine learning, are a great improvement for many businesses. The use of, for example, telemetry systems coupled with advanced reporting makes it possible to create and review complex business strategies and respond to anomalies at a glance. What is more, thanks to computerization it is possible to work efficiently and remotely from any place in the world (with Internet access, of course), as well as to make key resources available to field workers (e.g. survey maps in Geoportal or internal documentation and telemetry data for engineers).

These undoubtedly outstanding achievements of technology are used not only by "good" people but also by criminals (here: cyber criminals), who in this peculiar arms race do not want to lag behind. There is too much at stake for them. We can briefly enumerate risks such as an unaware or frustrated employee, or attacks from the outside: industrial espionage, attacks from crazed representatives of competitors, actions of foreign countries (when it comes to critical infrastructure), and the most fashionable type of malware recently, encrypting data for ransom: ransomware, or its more severe variant, wiperware (malicious software aimed at destroying data on infected devices, not necessarily preceded by a polite request to transfer digital money). Some of these threats are directed deliberately, while others may strike by accident, thanks to automation, which the "bad guys" can also use on their side today.

Ordering a DDoS attack or ransomware is not a problem today, even "at retail", and the effects of such actions can be very severe for the victim. Online stores suffer when they come under the fire of a Denial-of-Service attack and their services become unavailable for minutes, hours or even days. Data leaks to competitors or into the public domain can lead to customer takeovers, the news of the incident itself can damage a company's reputation, not to mention potential legal consequences due to the various formal requirements imposed on different industries (including the already famous GDPR). Perhaps such incidents do not sound spectacular, so imagine a few hours or days of production downtime resulting in a disruption of the supply chain. These are no longer elements of movie scripts; today such things happen in real life, and even teenagers can be behind them, although there I mean the simpler attacks. And while the justice system is able to catch some of the perpetrators, and the systems can be quickly restored from backups or thanks to redundancy of various parts of the infrastructure, it does not necessarily mean that our company will quickly get back to its regular operation.

You don’t have to go far into the past to find examples of security incidents that have had dire consequences. It is increasingly difficult to have a month without new reports of this type. Some of them are interesting, some scary.

In December 2019, the city computer network in New Orleans was attacked with ransomware malware. A state of emergency was declared, shutting down all sensitive systems and requiring city officials to cut their devices from the network.

Earlier this year, in the 15,000-strong city of Oldsmar, Florida, hackers managed to break into the system of a water treatment plant and manipulate the settings related to the amount of sodium hydroxide being dispensed. Fortunately, a plant employee was able to recognize the incident and respond in time, ensuring that no one in Oldsmar was harmed.

One of the most serious recent security incidents of significant scope was the attack on the infrastructure of Colonial Pipeline, the largest U.S. pipeline operator. On May 8, 2021, the company reported a cyberattack that had taken place the day before: and again, it was ransomware. It is worth mentioning that we are talking about more than 8800 km of pipelines transporting, among other things, gasoline, diesel and jet fuel across the country in an unimaginable amount: 350 million liters per day. As a result of the attack, it was decided to suspend selected systems in order to limit the spread of the malware. However, this meant that the operation of this colossal web of pipelines was temporarily halted in its entirety. The state of emergency lasted for 5 days, and the entire East Coast was affected by supply shortages, i.e. about 12 thousand gas stations.

Therefore, as we can see, a thorough analysis of the risks that may affect our infrastructure is required. This assessment should result in the creation of an internal security policy, in which – we can probably all agree – appropriate protection not only of access to the building, but also of the entire IT infrastructure is nowadays essential for business survival. Firewalls, network access control systems, authentication, privileged access control and backups, alongside thorough training of employees in "computer health and safety", are becoming obvious countermeasures, although it still takes some time for them to become widespread. But can we then sleep peacefully? After all, we still have the OT infrastructure!

There is one incredibly important point that needs to resound in this article: IT infrastructure and OT infrastructure are two vastly different areas. The goals of IT and OT are distinct. Different devices and systems communicate with each other in these areas, and they use different communication protocols. For historical reasons, the OT area seems to be less flexible, e.g. in terms of software updates or security patches. In industrial networks, where we do not always have redundancy for every "single point of failure", it is easy to stir up controversy once we calculate the cost of stopping production for a recommended software update of the automation systems. For a long time, the OT field was not as exposed to outside attacks as it is today, so manufacturers did not have to address many of the potential security issues encountered in the IT world, an example of which is the frequent lack of encryption in communication protocols. This, in turn, poses a risk of transmission eavesdropping as well as the risk of an attacker extracting data or injecting false data by impersonating a legitimate component (a Man-in-the-Middle attack). This is therefore an area that requires more attention in terms of security. While security professionals in IT are not in short supply, cybersecurity awareness in OT is still a scarce commodity.

Fortunately, it is possible to take some measures to increase security in the OT world based on the rich history of experience from the IT world, while being mindful of how the two worlds differ and hoping that OT component manufacturers will quickly become sensitive to the growing risks associated with digital transformation. As early as 2017, PWC published a report titled "10 OT Network Vulnerabilities", a compilation of key security issues for industrial networks that therefore require high priority. Of the several issues already well known from computer networks, the following are worth mentioning:

  • OT systems, in many places originally isolated from the world, have over the years become systems directly connected to the Internet, e.g. for the purposes of remote diagnostics; it is worth remembering at the same time that, for natural reasons, security in communication with the Internet was for many years not a point of reference for the manufacturers of these devices, whose priority is, for example, access to real-time data;
  • security updates can be costly given the possible need to suspend production, but a break-in through an outdated software version can also be expensive; it is worth mentioning that even the latest features and updates of any kind of hardware may contain compatibility or security flaws (a flagship example is the newly discovered range of vulnerabilities in Wi-Fi networks called FragAttacks, which also affects the latest variant of the WPA3 encryption mechanisms);
  • securing the interconnection between IT and OT networks is necessary not only because of the risk of attacks on the industrial infrastructure from the IT area, but also because of the risk of an attack on the IT infrastructure initiated in the operational network, where the entry point may be a (sometimes still undetected and not yet patched) vulnerability on a directly reachable OT device; it is also worth paying attention to proper security (encryption) of the communication of OT devices in remote locations when they are separated from each other by the IT infrastructure, as the communication protocols commonly used in OT are outdated and not security-oriented;
  • the OT network itself should also be internally divided into properly secured areas (instead of the flat architecture often used) to make access to critical devices more difficult, and to limit what an attacker can find in the network after breaking into a device in any one area.

It is not only common sense and recent history that make us think about securing industrial networks, we can also find formal reasons, such as the Emergency Management Act or the National Cyber Security System Act implementing the EU NIS Directive. An inspiration in the area of OT infrastructure security, or more specifically critical infrastructure in the water and sewage sector, can be found in Recommendation R-CYBER-01/2021 published in February 2021 by the Cyber Security Department of the NPRM. It contains several awareness-raising examples and recommendations, including those mentioned in this article.

To sum up, for our modern infrastructure to take full advantage of the opportunities offered by modern technologies, it is important to conduct a thorough risk analysis, identify devices and how they communicate with other components in the network, and identify data flows. It is essential to address the various types of risk not yet considered in industrial networks, also for full compliance with legal requirements. One of the systems supporting threat analysis, decision-making processes and automated responses to incidents is Scadvance – a Polish-made Intrusion Detection System (IDS). Among the advantages of this system, it is worth mentioning the function of reporting incidents to CERT units and ensuring compliance with the law and the security policy within the organization. Based on artificial intelligence and machine learning algorithms, it detects anomalies and attacks in the SCADA network, making it possible to react before an attacker is able to do real damage to the operational infrastructure.
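The segmentation point from the list above (divide the flat OT network into secured areas) and the summary's call to identify devices and their data flows can be turned into a simple, repeatable check. The script below is an added example, not code from the article or from Scadvance or any other product: it groups addresses into zones, keeps an allow-list of which zone pairs and ports may talk, inventories every observed flow per zone pair, and flags flows that fall outside the allow-list, with a dedicated reason when an OT protocol is reached straight from the office network or the Internet. The zone names, address ranges, allow-list and the sample flow records are constructed for illustration; only the port numbers are the real standard assignments for those protocols.

```python
"""Zone-policy audit over constructed flow records (added example, not the
article's or any product's code). It models the segmentation advice above:
group assets into zones, allow-list which zone pairs and ports may talk, and
flag anything else, with a stricter rule for OT protocols reached straight
from the office network or the Internet. Zones, addresses and flows are
constructed for illustration; only the port numbers are real assignments."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Hypothetical zone layout (assumption): what used to be one flat network.
ZONES = {
    "it_office": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "ot_scada": ip_network("192.168.10.0/24"),
    "ot_plc": ip_network("192.168.20.0/24"),
}
UNTRUSTED = {"internet", "it_office"}  # zones that must never talk OT protocols

# Standard port assignments for common, largely unauthenticated OT protocols.
OT_PORTS = {102: "s7comm", 502: "modbus-tcp", 20000: "dnp3", 44818: "ethernet-ip"}

# Allow-list of (src_zone, dst_zone, dst_port). Everything else needs review.
ALLOWED = {
    ("it_office", "dmz", 443),
    ("dmz", "ot_scada", 443),
    ("ot_scada", "ot_plc", 502),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the known ranges is 'internet'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def check_flow(flow: Flow) -> Tuple[str, str]:
    """Return ('allow' | 'review', reason) for one flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if (src_zone, dst_zone, flow.dst_port) in ALLOWED:
        return "allow", f"{src_zone}->{dst_zone}:{flow.dst_port} is on the allow-list"
    if flow.dst_port in OT_PORTS and src_zone in UNTRUSTED:
        return "review", f"{OT_PORTS[flow.dst_port]} reached directly from {src_zone}"
    return "review", f"{src_zone}->{dst_zone}:{flow.dst_port} is not on the allow-list"


def audit(flows: List[Flow]) -> Dict[str, object]:
    """Build the data-flow inventory (per zone pair and port) plus the review list."""
    inventory: Counter = Counter()
    findings = []
    for f in flows:
        inventory[(zone_of(f.src), zone_of(f.dst), f.dst_port)] += 1
        verdict, reason = check_flow(f)
        if verdict == "review":
            findings.append((f, reason))
    return {"inventory": dict(inventory), "findings": findings}


# Constructed sample flows, as they might be exported from a firewall or a tap.
SAMPLE_FLOWS = [
    Flow("10.10.5.7", "10.20.0.10", 443),         # office -> DMZ web front-end
    Flow("10.20.0.10", "192.168.10.5", 443),      # DMZ -> SCADA server
    Flow("192.168.10.5", "192.168.20.11", 502),   # SCADA -> PLC over Modbus/TCP
    Flow("10.10.5.7", "192.168.20.11", 502),      # office PC talking Modbus to a PLC
    Flow("203.0.113.9", "192.168.20.12", 44818),  # Internet host reaching a PLC
    Flow("192.168.10.5", "192.168.20.11", 22),    # SCADA -> PLC over SSH, not allow-listed
]

if __name__ == "__main__":
    result = audit(SAMPLE_FLOWS)
    for (src, dst, port), n in sorted(result["inventory"].items()):
        print(f"{src:>9} -> {dst:<9} port {port:<5} flows={n}")
    for flow, reason in result["findings"]:
        print(f"REVIEW {flow.src} -> {flow.dst}:{flow.dst_port}: {reason}")
```

The inventory is the artefact worth keeping even when nothing is flagged: it is the list of "who talks to whom, on what port" that the risk analysis needs, and a new zone pair appearing in it is itself a change worth questioning. On the sample data, the three legitimate flows pass, while the office PC and the Internet host speaking OT protocols to PLCs and the unexpected SSH session inside the OT network are all reported for review.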

And last but not least – it is important not to treat any single security mechanism as sufficient; these mechanisms should overlap as much as possible, so that a possible "break" of one of them does not end with the network being completely open to an attacker. We could say that for similar reasons we lock the car door (saying "with the key" today may not be fully adequate) despite the fact that it is equipped with an alarm.
