Industrial cybersecurity: What businesses need to consider

24 Jun 2021

Wayne Bursey. Image: Siemens

Siemens Ireland’s Wayne Bursey discusses the growing cybersecurity threat within the industrial sector and what businesses need to think about.

Click here to view the full Infosec Week series.

Cybersecurity has been pushed into the spotlight more than ever in the last year with remote working becoming commonplace in many organisations. But while there is always a concern about end-user devices, there is also a growing concern in the industrial sector.

Earlier this year, a report from industrial cybersecurity company Dragos found that the number of reported ransomware attacks on manufacturing entities more than tripled in 2020 compared to the previous year.

Wayne Bursey is the industrial cybersecurity lead with Siemens Ireland, focusing on operational technology (OT) security for customers with industrial control systems and environments.

He told there has been a “noticeable shift” from targeting individuals to a focus on critical infrastructure providers, recent examples of which include Ireland’s health service and a major US gas pipeline.

“The essence here is that threat actors attempt to garner payments from organisations where the ransom is lower than the actual cost of rebuilding their systems,” he said.

In the case of the HSE attack, cybercriminals requested $20m in ransom and current costs incurred to rectify the problem are reportedly “well over €100m” according to HSE CEO Paul Reid.

However, paying the ransom is never advised as it sends the message that an organisation is willing to pay, making them a further target. It also often doesn’t solve the problem, meaning companies have to spend the money repairing the damage anyway.

“On the subject of vulnerabilities, many organisations have grown organically, systems have matured and been replaced or upgraded at different speeds leading to disparate and interconnected systems across multiple locations,” said Bursey.

“Many industrial environments have simply not focused on mitigating vulnerabilities across these multiple systems and legacy equipment.”

Bursey also said the move to remote working affected the industrial and manufacturing sectors too.

“Organisations need to ensure that the same security principles apply when working remotely as they would when we are physically in offices, factories and facilities. For example, training, multifactor authentication, policies and control checks have and will always be important in an organisation’s security programme,” he said.

“Another huge risk surface for organisations is third-party service providers that require access to core systems. Again, we also look at the validation and the requirements. Where do these users need to go, and what should they have access to? Establishing clear paths and boundaries is a key metric in the design for secure remote working.”

Biggest threats

Bursey said the biggest threats coming down the line in terms of cybersecurity are ransomware and supply chain attacks, both of which we have seen in the last few months.

“The collateral damage for organisation further down a supply chain will become more common,” he said.

SolarWinds is an example of this and how threat actors get into an organisation through exploiting another company, supplier or partner within your supply chain. This could also mean outsourced manufacturing, code development and various other integrated operations.”

He said it’s vital that companies collaborate and understand the risks across the whole supply chain in order to maximise security.

As a lead in industrial cybersecurity, Bursey also spoke about the value of industrial internet of things (IoT) data. While it helps to deliver better efficiency and manufacturing gains, it also adds an additional threatscape to companies.

“Understanding your risks and the vulnerabilities that come from these added components or the additional threats needs to be workshopped,” he said.

“‘Follow the data’ is a good starting point. Understand where it goes, who has access to it, using encryption and creating specific conduits within the manufacturing zones, like placing the IoT system in parallel.”

One of the biggest issues with industrial cyberattacks is the wider implications on society. In the case of the Colonial Pipeline attack in the US, the cybercriminals knocked much of the pipeline’s network offline.

The HSE attack resulted in a major shut down of IT systems, leaving health services without access to electronic health records and disrupting healthcare appointments around the country.

But while individuals may feel powerless in the face of these major attacks over which they have no control, Bursey said education and awareness across the board is key to these challenges.

“If in our personal lives we are more aware of our security and our privacy and the technologies and companies we interact with, this increases the overall security by default,” he said.

“There will be a trade-off where the value for security of supply might mean an increase in cost. But it’s a price worth paying when the trade-off is interrupted supply, especially around our critical infrastructure of health, water, energy, transport and even our food supply chain.”

Jenny Darmody is the editor of Silicon Republic