The governor of the state of Louisiana in the U.S. has recently declared a state of emergency over a cybersecurity issue after a series of attacks shut down phones and locked and encrypted data at three of the state’s school districts. The issue of protecting data and other information technology (IT) assets has escalated at government facilities and it has plagued states and cities in the past year, including Atlanta, Baltimore, several cities in Florida, and others throughout the country. Cybercriminals have increasingly targeted state and local governments with ransomware tools – which infect an organization’s computer networks and lock up critical files in exchange for a ransom payment. Awareness of cybersecurity threats may be increasing overall, but enterprises are still struggling to get the staff they need to respond to those threats. Across Australia and New Zealand for example, an analysis of the local skills market found that over a quarter of the organizations lack the ability to develop the cybersecurity talent they need.
This situation gets worse for the OT/ICS sector. The cybersecurity protection of industrial control systems (ICS) and particularly process control differs vastly from IT cybersecurity in that the former includes OT (operational technology) while the latter includes information technology devices. As the name implies, OT technologies include devices involved in the actual operational aspects of the enterprise such as sensors, machines, industrial controllers such as PLCs (programmable logic controllers), actuators, and industrial networks that differ from IT networks which are based mostly on Internet protocols. Not only the nature of the technologies and associated threats differ between IT and OT/ICS cybersecurity, so do the international standards that govern these sectors. Thus, OT/ICS cybersecurity is conceptually and practically much different from IT cybersecurity and enterprises need to be keenly aware of these differences for effective protection of their assets.
The world’s first true remote cyberweapon was Stuxnet which was deployed in the early part of 2010. Its goal was to destroy centrifuges used in the uranium enrichment process in a nuclear plant in Iran. Stuxnet took advantage of a worm using four zero-day vulnerabilities and infecting computer networks through USB flash drives. Its effects included damage to a large percentage of the centrifuges. However, it also had other effects such as the modification or/and creation of cyber strategies in the world and an increase in awareness of cybersecurity issues.
In June of 2018, the CXP Group published a study called “The State of Industrial Cybersecurity 2018,” commissioned by Kaspersky Lab. The study was based on a survey of 320 worldwide professionals with decision-making power on OT/ICS cybersecurity, as well as 12 expert interviews. Interesting findings contained in the report include:
- 65% of the respondents indicated that their current major cybersecurity priority is managing risks.
- 77% of the respondents ranked OT/ICS cybersecurity as a major priority. Major concerns include damage to the products/services quality (69%), injuries of death of employees (64%), loss of customer confidence (63%), and damage to company brand or reputation (62%).
- Particularly in the Middle East, 63% of the respondents indicated that is very likely that their organization will become a target of a cybersecurity incident involving the ICS or industrial control network.
- The following security incidents were ranked as major concern for their OT/ICS systems or industrial control networks: targeted attacks / advanced persistent threats (66%), conventional worms, malware/virus outbreaks (65%), and ransomware attacks (64%).
Based on the main findings of the CXP Group report, is the time right for an OT/ICS cybersecurity “perfect storm” in the Middle East? Based on the above news, survey results, and facts, it certainly appears to be the case.
So, what are organizations going to do to address a multitude of cybersecurity issues? Some options include adopting an effective cybersecurity culture, using a top down approach, using effective cybersecurity processes and management policies, adoption of international standards such as ISA/IEC 62443, or hiring and developing the talent they need. One effective way to develop cybersecurity talent is through training, in fact the above mentioned CXP study states that 56% of the respondents indicated that they are increasing their training budgets for the next 2 years. Training certainly helps by elevating the culture and becoming more proficient in using processes, methods, standards, and controls to reduce OT/ICS cybersecurity risks.
Recently, three out of four organizations in the oil and natural gas industry in the Middle East have experienced a security compromise that resulted in the loss of confidential data or Operational Technology (OT) disruption. This is according to a recent study by Siemens and the Ponemon Institute.
GLOMACS has recently developed a course on “Process Control Cybersecurity” addressing the most important issues related to the protection of assets in a process control environment for the oil and gas industry.
“Oil and gas industry is the target of as much as one-half of all cyberattacks in the Middle East and given its importance for the region’s economies, the risks faced by the industry are all the more pressing“, says International Cybersecurity & Process Control Systems Expert Dr. Juan R. Pimentel who is scheduled to present this GLOMACS training.
Operations and Maintenance Personnel, Process Control Operators, Engineers, Process, Plant, and Project Managers, Process Engineers and Managers, Instrumentation Technicians and Engineers, System Integrators, IT/OT Engineers and Managers Industrial Facilities, IT/OT Corporate / Security Professionals, Plant Safety, Security, and Risk Management, Security Personnel are invited to attend the upcoming session.