The Consumerization of Industrial Cyber Security

Just as internet security was a relative unknown concern 20 years ago, public awareness of  threats to the electric grid, water supplies, etc. is mounting

To the average person, industrial cyber security is mostly likely a foreign concept. Unlike a hacker compromising their credit card data, stealing their identity, or posting less than flattering pictures from their phone or PC on the internet, consumers are by and large blissfully unaware of security threats to the electric grid, water supplies, gas lines, food processing, etc. 

If we look back to the internet boom of the mid 1990s, the general public was also unaware of how a computer security breach could impact their lives. Little attention was given to computer viruses (now called malware), websites that were compromised by hackers or data breaches. But that all changed, once attackers began stealing credit card information and identities online. 

It then became clear to everyone that security breaches in the virtual world could have serious implications in the real world. Ransomware, phishing, and other forms of cybercrime have been well publicized. Today the average consumer is keenly aware of the dangers associated with computer security incidents – because their safety, reputation and bank accounts are at stake. 

When it comes to the security of industrial technology, namely the small and numerous computers that are used to control physical processes in electricity generation; drinking water purification; food, beverage and pharmaceutical manufacturing, etc., consumer awareness is currently on par with what it was for computer security 20 years ago. To quote Yogi Berra, “It’s like déjà vu all over again”. 

Until fairly recently, industrial facilities and equipment were isolated from the rest of the world. They were not connected to the internet or even other systems, which made the threat of security incidents very unlikely. Furthermore, the computers used to run industrial processes generally operate for years without any updates or changes. In some cases, these devices can run for 20-30 years without requiring the typical care and feeding given to traditional computers.  

In addition, the development known as the industrial internet of the things or IIoT, has eliminated this buffer zone or “air gap”. By connecting once isolated industrial devices to business networks, IIoT has introduced new security risks that could be right out of a science fiction novel. But they’re not. 

That’s because the consequences of industrial security incidents can dwarf the damages associated with computer security incidents. Consider the physical, environmental and health safety implications that could result from security breaches that cause processes in food, beverage, pharmaceutical, chemical, water, utility or nuclear facilities to go awry. Three recent incidents brought this point home. 

In September, two Boston suburbs were rocked by serial natural gas explosions. In the aftermath, an investigation found that a system upgrade caused gauges used to monitor pressure levels to be taken offline and for over pressurization to go undetected. While the damage could have been much worse, the incident resulted in more than 70 fires, killed one, injured dozens and destroyed or damaged more than 100 structures. In the aftermath, approximately 9,000 customers were without power.  

In this instance, the overpressurization of the gas mains was due to human error by company employees, but could easily have been caused by an external hacker. Early on, some residents even feared the explosions were a terrorist attack.   

On January 10, an investigative report published by the Wall Street Journal reconstructed a hack of the US electrical grid by Russia which was achieved by compromising hundreds of contractors and subcontractors that work with utilities to break in the back door of energy providers’ networks.  

Meanwhile, in January, it was reported that two hackers were able to take control of fifteen cranes and other heavy construction equipment using an industrial control system vulnerability and a remote control device costing less than $500. 

Incidents like these will eventually lead to a tipping point in terms of consumer awareness of industrial security threats, and demand for more comprehensive security to protect digitalized processes in electricity, water, manufacturing, etc. from being compromised and resulting in physical or environmental damage and even loss of life. 

Fortunately, innovative entrepreneurs and companies are stepping in to fill the void with new technologies that can protect industrial processes in much the same that we protect our computer systems today. Given the stakes, it’s imperative that industry, governments and consumers share in the effort to prevent industrial security incidents from occurring at the same rate as they currently do in the computer industry. 

 - Learn More at SecurityWeek's ICS Cyber Security Conference

view counter

Original author: Barak Perelman