In the shadows

08 August 2024


Implementing a total cyber defence strategy to repel the onslaught of attacks now targeting organisations across the industry is no longer a choice, but an absolute. Brian Wall investigates the ways and means by which businesses are battling the ‘dark forces’ at work

Any engineering organisation that invests heavily in protecting its premises and business assets from intruders by employing CCTV, alarms, access control and video surveillance is rightly regarded as taking sensible – indeed, vital – precautions. After all, these are the systems designed to protect businesses and employees from harm – and investment in such technology is seen as a sound one. But what about the more pernicious, harder-to-detect threats: the cyber-attacks that are rapidly increasing in sophistication and proliferation, such as ransomware, malware and insider threats from an organisation’s own workforce (deliberate or accidental)? Are organisations as robustly armed and well prepared to take on these dark forces?

The harsh truth is that adopting a defence strategy that embraces all such threats equally and at the highest level is no longer a choice, but an absolute – because the possibility of becoming another victim of the cybercriminals has become an increasingly high one.

It’s something to which British engineering company Arup can attest, on a grand scale. Recently, it was the victim of a deepfake fraud attack after an employee was duped into sending HK$200m (£20 million) to criminals by an artificial intelligence-generated video call. Hong Kong police revealed back in February this year that a worker at a then-unnamed company had been tricked into transferring vast sums by people on a hoax call “posing as senior officers of the company”. Now Arup has admitted in a statement that it was the company involved.

ATTACK SOPHISTICATION SOARING

Arup global chief information officer Rob Greig, who oversees the company’s computer systems, has also revealed that the organisation has been subject to frequent attacks. “Like many other businesses around the world, our operations are subject to regular attacks, including invoice fraud, phishing scams, WhatsApp voice spoofing and deepfakes,” states Greig. “What we have seen is that the number and sophistication of these attacks has been rising sharply in recent months.” Greig hopes that Arup’s experience will “raise awareness” of the increasing sophistication of cyber-attackers.

If Arup, which famously provided the structural engineering for the Sydney Opera House and whose latest project involvements include the London Crossrail transport scheme and Sagrada Família in Barcelona, can be deceived on that scale, then is any engineering organisation safe? The frequently heard dictum now in engineering circles and elsewhere is: ‘Not if, but when’. And ‘when’ can bring dire outcomes.

“Cybersecurity incidents can have quite far-reaching consequences, impacting not only an organisation’s operations, but also its reputation and customer trust,” cautions Jennifer McGhee, global chief information security officer (CISO) of Element Materials Technology, a provider of testing, inspection and certification services in building material, aerospace, transportation, health sciences, oil and gas – and fire protection. “Businesses need to be prepared, with a robust incident response plan, detection, containment and recovery. This should be coupled with clear communication, collaboration and coordination among stakeholders during a crisis,” she adds.

REMOTE ACCESS VULNERABILITY

Due to their critical nature, most operational technology (OT) devices typically deployed within engineering environments, such as programmable logic controllers (PLCs), human machine interfaces (HMIs) and supervisory control and data acquisition systems (SCADA) should not be public-facing and internet-accessible, cautions Bernard Montel, technical director and security strategist at exposure management company Tenable. “However, a shift in working practices to optimise production, drive innovation and increase efficiency has seen the provisioning of remote access within these sensitive environments,” he states. “This includes cellular modems, 4G/5G, dial-up or dedicated internet lines, which are being used to monitor and access equipment. These OT devices, many of which were not designed to be public-facing and internet-accessible, are discoverable and being fingerprinted and indexed by search engines, such as Shodan. This allows a variety of users, including security researchers and threat actors, to search for and obtain information about them. And we’re seeing this exposure abused by threat actors.”

It’s important to recognise that whatever is visible on the internet is likely to be the first point that threat actors will target, adds Montel. “OT devices are increasingly a target for attack by a variety of threat actors, such as ransomware groups and affiliates, hacktivists and nation-state cyber criminals linked to Iran and China. The most effective action to protect OT devices is to disconnect internet-accessible OT devices, unless they were designed to be enabled for such access. Given that this is not always practical, if such devices do require remote access, it’s essential that they are properly configured behind firewalls and isolated from business-critical networks. In order to do this, it’s imperative to gain full visibility into the environment: of IT and OT assets, IoT, building management systems and everything in between – the interdependencies that exist for critical functionality – and determine where weaknesses and vulnerabilities exist.”

Other steps Montel believes should be taken are:

  • Limit administrator access and ensure accounts have only the required permissions;
  • Use strong, unique passwords for accounts and ensure all default passwords have been changed;
  • Enable multi-factor authentication (MFA) on accounts where possible;
  • Standardise on a secure remote access platform for OT, with audit and logging capabilities to ensure access is being utilised properly;
  • Create a baseline of all the configurations of OT and IoT devices, monitor for changes and determine whether these were made intentionally or not, by a human or potentially by malware.

It’s about understanding what is critical for the business to function, whether that’s systems or data, then addressing the risks these systems face first, he points out. “Doing so means the vast majority of attack paths will be closed off, preventing compromise, malware infiltration and/or exfiltration of data.”
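The last of Montel’s steps, baselining OT/IoT configurations and deciding whether each change was sanctioned, can be put into practice with a small drift check like the one below. This is an added illustration, not code from the article or from Tenable; the device names, settings and the `CHG-0042` ticket are constructed sample data, and the change register is assumed to be a simple lookup of (device, setting) pairs that have an approved ticket.

```python
import hashlib
import json

# Constructed sample configs for three OT/IoT devices, keyed by device id; in
# practice these would come from device backups or vendor export tools.
BASELINE = {
    "plc-line1": {"firmware": "2.4.1", "remote_access": "off", "default_pw": "changed"},
    "hmi-line1": {"firmware": "5.0.2", "remote_access": "vpn-only", "mfa": "on"},
    "modem-cell": {"firmware": "1.9", "remote_access": "off"},
}
CURRENT = {
    "plc-line1": {"firmware": "2.4.1", "remote_access": "on", "default_pw": "changed"},
    "hmi-line1": {"firmware": "5.1.0", "remote_access": "vpn-only", "mfa": "on"},
    "modem-cell": {"firmware": "1.9", "remote_access": "off"},
    "camera-7": {"firmware": "0.3", "remote_access": "on"},
}
# Constructed change register: (device, setting) pairs that have an approved ticket.
APPROVED = {("hmi-line1", "firmware"): "CHG-0042 planned firmware upgrade"}

def fingerprint(config: dict) -> str:
    """Stable SHA-256 of a config (sorted keys, so field order never counts as drift)."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def detect_drift(baseline: dict, current: dict, approved: dict) -> list:
    """Report every setting that differs from the baseline as
    (device, setting, status, ticket). Status is 'approved' when the change is
    in the register, 'unapproved' when nobody signed off on it, 'missing' for a
    baselined device that vanished, 'unknown-device' for one never baselined."""
    findings = []
    for device, base_cfg in baseline.items():
        cur_cfg = current.get(device)
        if cur_cfg is None:
            findings.append((device, "*", "missing", ""))
            continue
        if fingerprint(base_cfg) == fingerprint(cur_cfg):
            continue  # cheap hash check first; walk the keys only on a mismatch
        for key in sorted(set(base_cfg) | set(cur_cfg)):
            if base_cfg.get(key) != cur_cfg.get(key):
                ticket = approved.get((device, key), "")
                findings.append((device, key, "approved" if ticket else "unapproved", ticket))
    for device in sorted(set(current) - set(baseline)):
        findings.append((device, "*", "unknown-device", ""))
    return findings

if __name__ == "__main__":
    for device, key, status, ticket in detect_drift(BASELINE, CURRENT, APPROVED):
        print(f"{status:14} {device:11} {key:14} {ticket}")
```

On the sample data the PLC’s remote access being switched on is flagged as unapproved, the HMI firmware upgrade matches its ticket, and the camera that was never baselined surfaces as an unknown device; those are the findings an OT team would then triage.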

DEEPFAKE THREATS

No debate about cybersecurity can now take place without AI having a prominent place in the discussion. While AI’s positive qualities are many, attackers are also reaping the technology’s benefits, using AI-powered voice and video-cloning technology to trick recipients into making corporate fund transfers, for instance. However, there are also possible use cases for information/credential theft, reputational damage or even to bypass facial and voice recognition authentication.

“It is deeply concerning to see the number of organisations threatened by both deepfake and third-party vendor risks,” comments Luke Dash, CEO of compliance management company ISMS.online. “To address these rising and more sophisticated threats, organisations must continue to build robust and effective information security foundations. However, it is encouraging to see businesses investing in securing their supply chains, and increasing employee awareness and training.”

Despite AI being part of the problem, UK respondents are also adopting AI and ML technologies to thwart threats, though they are still in the early stages. “It’s still unclear how new, advanced technologies like AI and Machine Learning are going to change the data security landscape,” adds Dash. “We are certain, however, that governments around the world will push for more, not less, regulation. Standards such as ISO 42001, which deals with AI, will help organisations provide assurances to partners, customers and regulators.”

The challenge here is that regulation takes time to formulate and implement – attackers have no such constraints.

Brian Wall


This material is protected by MA Business copyright