Inadequate training and a culture of complacency among many owners and operators of critical infrastructure are significantly raising the risks of highly damaging cyberattack throughout the world.
That’s the viewpoint expressed by Steve Mustard, an industrial cybersecurity subject-matter expert of the International Society of Automation (ISA) and a UK registered Chartered Engineer and European registered Eur Ing and consultant with extensive development and management experience in real-time embedded equipment and automation systems.
Mustard, fresh off a trip to the Caribbean where he delivered a presentation on industrial cybersecurity to industry officials in petroleum and petrochemical operations, says that despite greater overall awareness of the need for improved industrial cybersecurity, not nearly enough is being done to implement basic cybersecurity measures and reinforce them through adequate staff training and changes in corporate culture.
“Everywhere I go I see the same issues, so this is not so much a company-by-company issue as it is an ‘industry culture’ issue,” says Mustard, an ISA99 Security Standards Committee member and an important contributor to the development of the ISA99/IEC 62443 industrial cybersecurity standards. “So much work has been done in the IT world on security that many believe they have mitigated the risks.
“For example, most security experts at the NIST (National Institute of Standards and Technology) meetings on the US Cybersecurity Framework could not understand why we were still discussing the most basic security controls, but yet a visit to almost any critical infrastructure facility will reveal that while there may be established policies and procedures in place, they are not properly embedded into training and the operational culture. Too many owner/operators I meet believe that because they have not seen a cybersecurity-based incident themselves that it will never happen. This sort of complacency is why there will be a major incident.”
Mustard points to the steady flow of cyberattacks on industrial automation control systems (IACS) and supervisory control and data acquisition (SCADA) networks being tracked by the Repository of Industrial Security Incidents (RISI).
“There have been many incidents in the past 10-15 years that can be traced back to insufficient cybersecurity measures,” he says. “There are many every year, most of which escape public notice. In fact, it’s widely believed that there are many more that are never reported,” he discloses. “The RISI analysis shows time and again that these incidents are generally the result of the same basic cybersecurity control failures. It is often only the presence of external failsafe and protection mechanisms that these incidents do not lead to more catastrophic consequences. Many use these protection mechanisms to argue that the concern over the consequences of cyberattack is exaggerated, and yet incidents such as Deepwater Horizon should teach us that these protection mechanisms can and do fail.”
Emphasis on security seldom matches emphasis on safety; security influenced by significant reliance on third-party workers
Mustard says that while the need for safety is well understood in facilities such as offshore drilling rigs, attention to security is often minimal.
“This is partly because these facilities are usually so remote (i.e. 50 miles offshore) and/or appear to be secure (It’s not possible to just walk into an offshore or onshore facility without having the appropriate clearance.) and also because there is little or no experience of cybersecurity-related incidents, whereas there is usually some direct or anecdotal experience of safety-related incidents.
“Another issue is the very significant reliance on third parties to install and support IACS equipment,” Mustard continues. “This creates two issues—in-house staff often lack complete understanding of the equipment needed to provide reliable on-site support and there is a continuous flow of third-party staff in facilities. Although security is generally tight in these facilities, there is a lot of reliance on third parties to ensure their own contract staff are correctly vetted, and yet third parties may not be as thorough as owners and operators.
“Furthermore, third-party employees will have their own computers and removable media. The owner/operator may rely on the third party to scan their devices for malware before they are connected to the IACS equipment, but there is no guarantee that this is the case.”
USB flash drives and other USB devices continue to pose serious cybersecurity threats
“Use of USB devices still remains one of the most common ways an industrial control network can be infected,” Mustard says. “There are a number of factors at play. Many, or even most, IACS equipment runs without anti-virus software. Rarely, is the equipment ‘security hardened’ and very often default accounts and passwords are either hardcoded or not removed/changed before go-live.
“In addition, the operating systems and applications are often not patched at all or if they are, they are not patched regularly. This creates a whole host of vulnerabilities that can be exploited by malware. While most standards recommend the elimination of USB removable media devices and that all ports be locked down, this is rarely the case. Since machines are usually not connected to the Internet, removable media is often the only way to transfer files. And while IT policies might enforce virus scanning of such devices before and after use, this often does not get enforced in IACS environments.
I heard recently anecdotally that a major oil and gas company detected the Stuxnet virus on its networks, and was found to have originated from an infected USB drive. This company has relatively good cybersecurity controls in place so you can imagine how easily this can happen in other organizations that have not yet grasped the importance of cybersecurity.”
ISA is widely recognized as a global leader in the development of IACS security standards, training, certification and educational resources.