By Gregory Hale
It wasn’t that long ago that a German steel mill fell victim to a cyber attack that caused parts of the plant to fail and left a blast furnace that workers could not shut down through normal methods.
The plant suffered “massive damage,” but one aspect that received little attention was how the attackers got into the system.
According to the German Federal Office for Information Security (BSI), the attackers gained their initial foothold by targeting on-site personnel with access to the corporate network. The phishing emails carried a document with embedded malicious code intended to exploit vulnerabilities on the recipient’s system.
“In the German steel mill attack, the attackers were able to trick the operator into giving out his password. And with the password, they were able to connect to the VPN and get into the steel mill,” said Adam Gauci, Cybersecurity Program Manager, Energy Division at Schneider Electric. “We need to make people more aware of these types of situations.”
That meant the technical security measures were bypassed, not defeated: the attackers walked in with legitimate credentials.
The attack on that German steel mill was just over four years ago, and security awareness has risen considerably since then, but it is a safe bet that workers in the manufacturing automation sector still need to understand the basics to ensure they, or their company, do not become the next victim of a cyber incident.
Increased Attack Intelligence
Attackers have become sophisticated enough to customize an attack for a particular target, crafting and delivering it in a way intended to hide in plain sight and fool the people who support critical control systems.
“There are increased campaigns around social engineering and targeted attacks against certain industries,” said Peter Clissold, Sr. Cybersecurity Consultant for Schneider Electric in Brisbane.
As a case in point, Clissold pointed out one incident. “I am dealing with a friend that had a minor car accident and he went online to check things out, then he called his insurance company. Within 30 minutes of checking things out online and calling the insurance company, he got a call from someone saying ‘I am from an insurance company wanting to talk about your accident.’ It was clearly a scam call; my friend was very concerned about how they were able to get access to that information that quickly. There is social engineering happening at the moment and it is increasing quite dramatically.”
“I know of a utility that was doing some fake phishing and sending out fake emails to employees and trying to trick them into clicking on the email,” Gauci said. “The utility then got training to stop the workers from falling for these attacks. You should have a campaign in house to make everyone aware of cyber security. There also needs to be training for these people.”
With the lack of competent in-house security staff ranking as a top concern of security professionals going into 2018, according to a Ponemon Institute survey, it only makes sense that workers need to become much more aware of their security surroundings.
According to the survey of 612 chief information officers and IT security professionals, two of the top four threats go hand in hand: lack of competent in-house staff was the top worry, and the inability to reduce employee negligence was the fourth.
With that lack of qualified security workers and worker negligence, educating workers and creating a stronger cybersecurity culture – much like safety – should be a goal for any program moving forward.
The following are pointers that can help workers become more secure on a daily basis:
• Make everyone accountable
• Be aware of social engineering
• Don’t look for loopholes in security systems to bring your own devices onto corporate networks
• Don’t open emails asking you to enter a website and enter your password
• Only enter your password on a site you reach directly, not through a link in a message
• Don’t open files from people you don’t know
• Don’t give your password out to anyone
• Don’t let people follow you into a secure environment
• Use common sense
• Training, training and more training
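As an added illustration of the “verify the link before you enter a password” pointers above (this is example code written for this page, not anything from the author or from Schneider Electric), the following Python checks each link in an email body for the common phishing tells: visible text that names one domain while the href goes to another, a trusted domain name buried inside an unrelated host, a raw IP address, a punycode host, and plain http. The sample email and the trusted domain example-utility.com are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the first link's visible text names the
# utility's portal, but its href goes to an unrelated host that merely
# contains the utility's name. The second link is a genuine subdomain.
SAMPLE_EMAIL_HTML = """
<p>Your password expires today. Log in at
<a href="http://example-utility.com.login-portal.net/reset">https://portal.example-utility.com</a>
to keep access.</p>
<p>Questions? See
<a href="https://intranet.example-utility.com/help">intranet.example-utility.com/help</a></p>
"""

TRUSTED_DOMAINS = ["example-utility.com"]  # assumption: the organisation's own domain(s)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain approximation (last two labels).
    Assumption: no public-suffix list is available offline."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_link(href, text, trusted_domains):
    """Return a list of reasons this link is suspicious (empty if none)."""
    if href.lower().startswith("mailto:"):
        return []
    host = urlparse(href).hostname
    if not host:
        return ["unparseable href"]
    host = host.lower()
    reasons = []
    if not href.lower().startswith("https://"):
        reasons.append("not https")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address")
    if "xn--" in host:
        reasons.append("punycode/IDN host")
    # If the visible text looks like a domain, it must agree with the real target.
    shown = re.search(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}", text.lower())
    if shown and registrable(shown.group(0)) != registrable(host):
        reasons.append(f"visible text {shown.group(0)} differs from link host {host}")
    # A trusted name appearing inside a host that is not that domain or one of its subdomains.
    for trusted in trusted_domains:
        if host != trusted and not host.endswith("." + trusted) and trusted.split(".")[0] in host:
            reasons.append(f"looks like {trusted} but is {host}")
    return reasons


def scan_email(html, trusted_domains):
    """Return [(href, visible text, reasons)] for every link in the message."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, check_link(href, text, trusted_domains)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL_HTML, TRUSTED_DOMAINS):
        verdict = "SUSPICIOUS: " + "; ".join(reasons) if reasons else "ok"
        print(f"{text!r} -> {href}\n    {verdict}")
```

The check is deliberately conservative: it only flags what it can justify from the message itself, which is exactly what a recipient can verify by hovering over a link before clicking. A host that passes is not proven safe; the point is that the first link above fails three separate tests while still reading as a legitimate portal address.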
“It all comes down to education,” said Jay Abdallah, Director – Cybersecurity Services EMEA & APAC at Schneider Electric. “The most important element is awareness and education and ensuring that education is recurring and constant. It comes down from the absolute top levels of management, filters down through operations leadership, down into human resources and eventually down to the associates themselves.”
“Companies themselves really have to drive security awareness into the people,” said Joshua Carlson, Subject Matter Expert and Technical Sales Leader for Cybersecurity at Schneider Electric. “Where are the threats coming from, what are some of the things we are doing, let’s not click on links, let’s not open unknown attachments, let’s not plug in removable media devices we found in the parking lot, let’s not find loopholes in the security systems to bring our own devices in to corporate networks.”
Security Top of Mind
Many of the best practices for everyone to follow amount to good basic common sense, but solid security concepts still need to be ingrained in workers’ minds.
“Always verify and don’t open emails asking you to enter a website and enter your password,” Gauci said. “Only use your password where there is a direct link. Don’t open files from people you don’t know. Don’t give your password out to anyone. Don’t let people follow you into a secure environment. Pretty basic common sense stuff.”
That means there must be more than just an occasional reminder about security issues. “In any organization, if you look at any regulation like NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection, a set of requirements designed to secure the assets required for operating North America’s bulk electric system), you have to have regular training for people on cybersecurity,” Gauci said.
Training must also be ongoing and measurable.
“I usually focus on social awareness training and follow up with simulated tests,” Abdallah said. “I will put USB sticks out there that show me when somebody plugs one into a corporate network. You have to measure employees appropriately so they have a clear understanding of what is required of them and also make sure it is part of their performance measurement criteria. That is the only way to make it stick.”
Creating a Culture
Once everyone knows that security is part of a performance measurement, it then can become entrenched within the organization.
“Having the right culture and the right process in place is key,” Gauci said. “You have to make sure everybody is aware of what it is like to be working in a secure environment. In something like the electric utilities, it is a very conservative environment; they resist change as much as possible, and they have to understand there will be a change in how they work. It may not be as simple as you had it before, but there are measures we can put in place to make it just as easy. There are guys that are used to doing things in a certain way; they will need things changed. It doesn’t mean we will make it more complex; there are measures that are just as simple, it will just be different, and they just have to get used to them. If I have an operator sitting in a control center and somebody calls him to tell him to do something, he knows he should not be tricked or phished into doing something. They should also understand the technical standards that need to be in place in an OT system.”
Gregory Hale is the Editor/Founder of Industrial Safety and Security Source (ISSSource.com).