Network June 2016

Issue link: https://fhpublishing.uberflip.com/i/690456


CYBERSECURITY

What we learnt from Ukraine

Andrew Wadsworth says last year's cyberattack on the Ukraine electricity supply has lessons for all users of operational technology.

The cyberattack that led to the power outage in Ukraine in December 2015 underlined how electricity infrastructure is a prime target for attackers. Yet the implications of the attack must be taken seriously by all those responsible for other critical infrastructure such as water, gas, telecoms and transport.

In fact, all users of operational technology (OT) are vulnerable, and that includes almost every organisation, because OT is more pervasive than many realise and its importance is increasing exponentially with the emerging internet of things (IoT) revolution. Even if you do not operate critical infrastructure, your business is likely to rely on OT to produce and deliver goods and services (the building management system that keeps your data centre and offices cool, lit and secure is an OT system).

That vulnerability means there is a real and urgent need to develop a comprehensive, multi-faceted approach to defending OT.

What questions should you be asking?

The first is: do you know who is responsible? Do they know they are responsible and what they are responsible for? Time and again we find organisations are not able to answer these questions. Yet proper OT security governance requires clear roles and responsibilities, and those fulfilling the roles must have the necessary knowledge, authority and resources to carry out their responsibilities, and be supported from the very top of the organisation. If not, individuals with security concerns will find themselves unable to act, because of a lack of a sound governance structure and management support.

The next set of critical questions are: do you know what OT you have in your organisation, what is critical for safe and reliable operations, and what would the impact of a security failure be? Do you know what the vulnerabilities are and the current state of security of the OT? In short, organisations must understand the risks they face; without this information, they cannot make rational decisions on what to do and where to focus their efforts.

Then they must check they are capable of dealing with an attack when it happens. That means understanding how likely they are to detect an attack in progress, whether it is a deliberate attack from outside or from within the organisation, or an accidental virus infection. The key questions here are: do you have the structure and skills to deal with an incident, and how quickly can you recover to run normal operations? To answer these questions, you must have practised dealing with an incident.

All this needs to be underpinned by an understanding that, at some time, you will have an OT security incident. It might be minor and not cause disruption, damage or injuries. But it could be far more serious, and that is the wrong time to be working out what to do and to discover that your backup files are unreadable.

Take a structured approach

There are several frameworks that provide a structured, comprehensive approach to answering these questions and improving OT security. The UK's Centre for the Protection of National Infrastructure (CPNI) Security for Industrial Control Systems (SICS) framework provides an excellent basis to address these issues. It includes advice on governance, people skills and culture, and managing security through the system lifecycle from design to decommissioning. It also sets out how to monitor vulnerabilities,

The Ukraine attack in facts

- Date: 23 December 2015.
- 225,000 people were left without power for several hours.
- 17 substations lost power.
- Attacks began six months before the main attack with emails to Ukraine's power utility containing Microsoft Word documents that, when opened, installed malware.
- The BlackEnergy 3 malware let the hackers gather login details, which allowed them to remotely access vital controls and, ultimately, shut off the power.
- They jammed company phone lines, making it hard for engineers to determine the extent of the blackout.

"The Ukrainian attack, had it been envisaged in advance, would probably have been dismissed as so unlikely to happen it could be ignored."
Andrew Wadsworth, managing consultant, global energy and utilities, PA Consulting Group
