On the first weekend of July 2021, one of the largest hacker attacks of recent years began: the attack on the US IT service provider Kaseya, whose software served the attackers as a gateway to over 1,000 companies worldwide. As a result, 800 supermarket branches in Sweden had to close for several days.
A few days later, on July 6, 2021, criminals attacked the computer systems of a district in Saxony-Anhalt and paralyzed its entire IT, and with it critical areas of municipal work. Among other things, social benefits could no longer be paid out. As a result, for the first time in German history, a state of disaster was declared in a district because of a cyber-attack.
And this year the American insurance company CNA Financial paid, according to the US news agency Bloomberg, the largest known ransomware payment of all time: 40 million dollars.
These three examples of recent cyber incidents are interesting from several points of view. They are just the tip of the iceberg, as most attacks take place without the public ever learning about them. According to the report “Status Quo of Ransomware 2021” by the British IT security provider Sophos, more than one in three companies (37%) was affected by a ransomware attack in the past year.
Want more numbers? According to the antivirus provider Emsisoft, the average ransom demand rose from just 5,000 US dollars in 2018 to around 200,000 US dollars in 2020, and according to the American ransomware specialist Coveware the average downtime after an attack is now 21 days, 11% more than in the third quarter of 2020.
Cyber threats have thus entered the general public’s awareness and will become even more prominent in the coming years. For companies with conventional IT, IT risk has long been a growing challenge. Now highly automated and strongly networked production and industrial companies appear to have moved into the attackers’ crosshairs. When sensitive and business-critical production facilities are attacked and impaired, many companies find it all the harder to refuse the criminals’ ransom demands.
And there is no end in sight: we estimate that the total global cost to companies from these attacks will exceed 15 billion euros this year. The corona pandemic has also made remote workers a main target of ransomware attacks, and possibly a gateway into companies and production facilities.
But what can you do about it? In the following we point out some possible measures that we described in detail this year in our “Industrial Cyber Security Handbook”.
Defense In Depth
Understand defense-in-depth as a central concept that you can and should apply everywhere: by using different security solutions in the various technology layers, by segmenting and zoning the individual networks and asset classes, and by designing your security concept as broadly as possible. This ranges from the physical protection of your buildings, production lines and individual components, through the numerous technical options, to processes and people in the form of guidelines, training and regular exercises.
Centralization, Standardization, And Automation
Most companies face the problem of having to run their operations with fewer and fewer staff. In my opinion there is only one strategy that helps: centralize and standardize as much as possible. The fewer individual processes, tools and activities, the more time, money and nerves you save. The effort and cost of cyber security at your production sites must not be multiplied by the number of sites but must be managed efficiently and centrally. Exact transparency about external maintenance personnel and suppliers is also essential. For these and many other challenges there are already standard tools that offer a good overview, central management and maximum transparency and traceability.
Configuration And Asset Management
Stable configuration and asset management is one of the most important foundations for topics such as the structured further development and protection of control and automation technology. In larger and more complex environments in particular, administration in Excel or based purely on manual entry quickly reaches its limits or simply no longer scales. Moreover, complete and continuously updated system and configuration documentation is not only useful when securing the systems.
Regular activities such as system maintenance, necessary expansions and the first steps towards Industry 4.0 are difficult or risky to manage without this database. And as recent cyberattacks make clear, the more complex cyber-physical attacks always rely on unauthorized configuration changes. Often no security vulnerability is even needed; the standard functionality of the automation technology is simply misused for purposes it was never intended for. Anyone who can detect or prevent such unauthorized configuration changes can therefore also protect themselves effectively against such attacks.
Current configuration and asset management solutions specializing in control and automation technology offer many further features in addition to the automated detection of unauthorized configuration changes or of unauthorized hardware introduced into the monitored network. For example, unusual accesses or data flows to components of the control system are reported, and external maintenance access can be monitored and restricted in detail.
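The detection described in the two paragraphs above comes down to a comparison between an approved baseline and what is actually found in the network. The following Python script is an added example written for this article; it is not code from the handbook or from any asset management product. The asset records, the config fields, the identifiers and the change-ticket set are all constructed assumptions. It fingerprints each device's configuration, reports unauthorized config and firmware changes, unknown devices and devices that have disappeared, and suppresses changes that are covered by an approved change record.

```python
"""Baseline comparison for OT asset and configuration management.

Added example for this article (not the handbook's or any vendor's code).
Asset identifiers, config fields and the sample inventory are assumptions."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Asset:
    """One control-system component as recorded in the inventory.
    asset_id is an assumed stable identifier (e.g. serial number or MAC)."""
    asset_id: str
    vendor: str
    firmware: str
    config: Dict[str, object] = field(default_factory=dict)


def config_fingerprint(config: Dict[str, object]) -> str:
    """SHA-256 over a canonical JSON form, so that key order or whitespace
    differences in a config export do not produce false alarms."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def changed_keys(old: Dict[str, object], new: Dict[str, object]) -> List[str]:
    """Keys whose value differs between two flat config dictionaries."""
    return sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))


def detect_changes(baseline: List[Asset], scan: List[Asset],
                   approved: Set[Tuple[str, str]] = frozenset()) -> List[dict]:
    """Compare a fresh scan against the approved baseline.

    approved holds (asset_id, field) pairs covered by a change ticket;
    any other difference is reported as unauthorized."""
    ref = {a.asset_id: a for a in baseline}
    findings = []
    seen = set()
    for cur in scan:
        seen.add(cur.asset_id)
        base = ref.get(cur.asset_id)
        if base is None:  # hardware nobody registered
            findings.append({"asset": cur.asset_id, "type": "UNKNOWN_DEVICE",
                             "detail": f"{cur.vendor} device not in baseline"})
            continue
        if cur.firmware != base.firmware and (cur.asset_id, "firmware") not in approved:
            findings.append({"asset": cur.asset_id, "type": "FIRMWARE_CHANGED",
                             "detail": f"{base.firmware} -> {cur.firmware}"})
        if config_fingerprint(cur.config) != config_fingerprint(base.config):
            keys = [k for k in changed_keys(base.config, cur.config)
                    if (cur.asset_id, k) not in approved]
            if keys:  # at least one change without a ticket
                findings.append({"asset": cur.asset_id, "type": "CONFIG_CHANGED",
                                 "detail": ",".join(keys)})
    for asset_id in ref:
        if asset_id not in seen:  # removed, offline or replaced
            findings.append({"asset": asset_id, "type": "MISSING_DEVICE",
                             "detail": "not seen in scan"})
    return sorted(findings, key=lambda f: (f["asset"], f["type"]))


# Constructed sample inventory (not real devices or addresses).
BASELINE = [
    Asset("PLC-0001", "VendorA", "2.8.1",
          {"ip": "10.10.1.10", "mode": "RUN", "logic_sha": "a1b2c3", "write_protect": True}),
    Asset("HMI-0001", "VendorB", "5.2", {"ip": "10.10.1.20", "remote_view": False}),
    Asset("SW-0001", "VendorC", "1.4", {"ip": "10.10.1.1", "trunk_vlans": [10, 20]}),
]

# Constructed scan: PLC logic replaced and write protection disabled, HMI
# firmware updated (covered by a ticket), a laptop appeared, the switch is gone.
SCAN = [
    Asset("PLC-0001", "VendorA", "2.8.1",
          {"ip": "10.10.1.10", "mode": "RUN", "logic_sha": "ffee00", "write_protect": False}),
    Asset("HMI-0001", "VendorB", "5.3", {"ip": "10.10.1.20", "remote_view": False}),
    Asset("LAP-0099", "Unknown", "n/a", {"ip": "10.10.1.77"}),
]

APPROVED = {("HMI-0001", "firmware")}  # change ticket for the HMI update

if __name__ == "__main__":
    for f in detect_changes(BASELINE, SCAN, APPROVED):
        print(f"{f['type']:16} {f['asset']:9} {f['detail']}")
```

In a real deployment the baseline would be exported from the asset database and the scan from the network monitoring or engineering tool; the point of the script is the logic in between: canonical fingerprints so cosmetic differences do not page anyone, and a link to change records so that only unapproved changes are flagged. Note that the PLC finding reports both the replaced logic and the disabled write protection, which is exactly the "misuse of standard functionality" pattern described above.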
Since technologies, infrastructures and the associated attack options are constantly evolving, a sustainable security concept must also be continuously improved and adapted on many levels. Numerous standards and frameworks such as IEC 62443 or the more general ISO 27001 address this approach of holistic, continuous improvement cycles, but they are relatively time-consuming to implement if you want to put their recommendations and specifications into practice in full and with business sense. As with many other approaches, this shows that a combination of long-term, systematic planning with a pragmatic, economically sensible approach is the most efficient.
This means that time and money should primarily be invested where, following the 80/20 rule, the greatest possible improvement in security can be achieved as quickly as possible. Ideally this improvement can then even be measured quantitatively or qualitatively. At the same time, these individual measures should complement each other and fit well into a sustainable overall concept.
Personal Responsibility And Dedicated Budget
The last and perhaps most important tip: set up dedicated personnel responsible for the cyber security of your production facilities. Where this person or team sits organizationally matters less than the requirement that they have at least basic knowledge of control and automation technology. In addition, it should be a dedicated position, i.e. someone who can devote 100% of their time to this activity.
Implementing all or most of the described measures and specific protective mechanisms will most likely prevent incidents like those described at the beginning of this article.
In summary, the following conclusion remains to be stated:
Most attacks, including those on industrial plants, are far less sophisticated than assumed and require far less specialist knowledge and far fewer resources. Even with the basic measures recommended by the CIS Critical Security Controls, you are already quite well protected against such dangers.
Since an individual security concept always has to be built up step by step and, above all, continuously developed further, a combination of basic measures on which more advanced methods can then be built is a sensible approach.