On the 19 March this year, Norwegian aluminium manufacturing giant Norsk Hydro was hit by a cyber-attack. The attack impacted all operations in several of the company’s business areas, with Hydro having to isolate all its plants and operations, while switching to manual operations and procedures.
In a statement on 5 April, more than two weeks after the cyber-attack hit, the company said that most operations were “back to normal or near normal levels”, but there were still delays to certain administrative processes. Although the cause of the attack hasn’t been disclosed, Hydro added that the root cause had been detected and a cure had been identified.
Cyber-attacks have become very common. In 2017, for example, what was described as the ‘biggest ransomware attack in history’ took place, infecting some 150 countries. In the UK, the NHS was the worst hit by the virus, which encrypts data on infected computers and demands ransom payment to allow users access.
Criminals have many tactics to try and get into an operations infrastructure. A working knowledge of common attack methods might help in the long run, as digital, connected devices and improved systems become more advanced.
Phishing is now so well known that the word has made it into the Oxford English Dictionary. Simply defined, it means ‘the fraudulent practice of sending emails purporting to be from reputable companies to induce individuals to reveal personal information, such as passwords’.
Edward Whittingham is as a former police officer and qualified solicitor, and now MD of cyber security business The Defence Works. Phishing, he believes, “will continue to be at the forefront” of cybercrime, with a real focus on stealing user credentials.
“End users will also come under more focus throughout 2019, as technological measures continue to fail to help prevent incidents sufficiently, with over 90% of all cyber-attacks involving human behaviour, as opposed to a lack of IT,” he says. “Phishing is typically the main route in for attackers, whether that be to compromise data or as the vehicle to deliver malicious software, which can then systematically encrypt data within its reach.”
Alex Hinchliffe, threat intelligent analyst EMEA at Unit 42, the global threat intelligence team at Palo Alto Networks, agrees that phishing is the most common suspect. “Many industrial/operational organisations now require their OT and IT networks to be connected, so as to allow the business to see what’s happening ‘in production’ without proper security controls,” he says. “This business requirement often weakens security posture.”
So how can phishing be stopped? Hinchliffe says that one thing that can be done is implementing Zero Trust – a cyber security model with a very simple premise: eliminate the concept of ‘trust’ from your network. “Everything and everyone must be authorised, which guarantees that cyber security practices are implemented consistently and effectively throughout a business’s entire infrastructure,” he says. “Another important step is employee education and awareness.”
Whittingham, too, agrees that phishing can be stopped by “increasing user awareness”. The Defence Works, for example, delivers GCHQ-accredited security awareness training to employees, as part of the National Cyber Security Programme (www.is.gd/iganid).
A major change in industry over the past five years is the spread of connected devices. Most people have a personal mobile phone or tablet and, on top of this, some operations rely on sensors, controllers, and tablets, to name a few.
James Summers, founder and CEO of Conker, a British producer of business rugged tablets, touch screen and mobile devices, says that business-rugged mobile devices are common across factories, interacting with the network and being used to access information, automate paper-based processes and control machinery.
“Organisations need to ensure that they can manage their fleets of devices effectively using mobile device management (MDM) or unified endpoint software, or that they limit access on the device to certain apps,” he says. “Part of the reason for this is because as mobile device usage continues to grow in popularity, it becomes an increasingly appealing target for attackers. This is because mobile devices generally lack basic firewalls, antivirus and other software applications, which is why companies need to start placing more emphasis on using MDM and unified endpoint software.”
Piers Wilson, head of product management at Huntsman Security, adds that the growing use of personal devices for employees means that it can be easy for hackers to slip beneath the radar of understaffed IT security teams.
“The nature of OT means it is often located separate to the corporate network in remote areas, going unpatched and unmonitored by the IT teams, yet still often with connectivity to and from it. As such, these systems remain in place, performing their critical task while exposed – both physically and virtually – to attack.”
Summers repeats that employees need to be educated about “the potential security shortcomings and implications associated with mobile devices”.
Wilson adds that it is estimated there will be 38 billion connected devices worldwide by 2020. “Undoubtedly, critical national infrastructure is a big, and well-publicised, target for cyber-criminals and state-sponsored attackers,” he adds. “By putting in place next-generation defences, alongside sensible processes and controls to protect critical systems, the sector stands a fighting chance of keeping the lights on.”
There are many threats already, but what about further down the line? Well, according to Jason Revill, UK&I security consulting lead at Avanade UK, there are emerging risks for those in the cloud, with attacks such as ‘password spray’ (an attack that attempts to access a large number of accounts with a few commonly used passwords) becoming increasingly common. This can lead to cloud compromise, followed by a pivot to on-premises networks that are connected to clients.
“Threats are numerous, from identity compromise to full on data exfiltration or industrial sabotage,” Revill adds. “It is key to have broad visibility from the end point, to the identity and to the network perimeter (which is increasingly the identity).
“With this visibility, behavioural analytics is often applied to build a picture of user behaviour to better detect unusual activity, however implementing these systems and being able to properly utilise them is a challenge for many businesses. Therefore, having a strong security partner strategy is key; partners should be able to perform the end-to-end delivery of security needs.”
Revill concludes: “As ever, employee, contractor and supply chain education are critical to preventing the common attack types, such as phishing and avoiding password spray. Removing the impact of a compromised account is ridiculously easy using multi-factor authentication. Combined with effective patch management, it will mitigate the large majority of common attacks, and these mitigations are also some of the easiest to achieve with modern security capabilities.”