The introduction of interoperable IIoT sensors and integration platforms into industrial processes to drive innovation extends the risk boundary, especially when cloud computing is added to the equation. These are unavoidable risks in the current era and must be dealt with, regardless of the solution being internally hosted or subscribed to by a service provider. The vital aspect in the introduction of these new solutions is to ensure that risk management is triggered to assess and help support the decision-making on what risks are acceptable and how they align with the organisation’s objectives.
The industrial sector is no exception from the threat of hacking and breaches. In fact, some of the well-known breaches in the last decade have targeted this sector. One example was the spear-phishing attack on Saudi Arabia oil giant, Saudi Aramco, targeting the company’s network and infecting 30,000 workstations which took more than a week to restore normal operation. More recently of course, there was the ransomware attack on the Colonial Pipeline that disrupted fuel supplies to large sections of the South East US. Other examples of worms and hacks at the PLC level within critical infrastructure are also well documented.
These cases prove that there is not much difference in how industrial systems face security challenges compared to typical IT systems. Equipment operated by human or devices run by software connected to a network (which makes up most of the company asset that supports business operation) are all susceptible to breaches and hacking. The objective may be different, though, for an Industrial ICS-operated environment, where equipment within the ICS ecosystem does not typically store sensitive information on its own. Instead, it mainly runs for production operations. This suggests that the motive focuses more on interruption, destruction, or even control of the continuity of the operations than merely stealing data from it. Unfortunately though, we can’t rule out that there is no intent of data breaches; there were several cases of breach incidents where threat actors use destruction and interruption as a diversion to hide the primary goal of exfiltrating sensitive business information.
Embracing security and compliance in the Industrial sector.
There are standards and models that have been developed for the industrial sector; ISO, ISA, and NIST are some of the known organisations that actively promote standards in implementing cybersecurity in different industries. For example, one of the well-recognised standards for the ICS environment is the ISA/IEC 62443 that consists of series of standards for a strategic approach in implementing cybersecurity for industrial systems.
Another example is the PERA, or Purdue Enterprise Reference Architecture. It is comparable to a network segmentation or a tiered security model and it defines different levels for each critical infrastructure in an ICS environment to ultimately protect the physical machinery as the inner process (level 0). Other relevant standards available are:
- CISA’s Securing Industrial Control Systems: A Unified Initiative.
- NIST’s Special Publication (SP) 800-82 Rev. 2 (DOI)
- ISO/IEC 27019:2017 (Energy Utility industry)
These references aim to provide guidelines for protecting industrial infrastructure and practices. However, the data element may require an extra level of controls to comply with regional data privacy regulations and sovereignty, such as the EU’s GDPR (General Data Protection Regulation) and California’s CCPA (California Consumer Privacy Act).
Industrial companies can adopt any standards applicable to them according to their risk appetite and needs. Most of these standards, if not all, promote prioritising risk management programs as the foundation in security management and governance. It serves as a tool for identifying unknowns and risks as early as possible and manages the lifecycle up to the remediation, aiming to minimise the likelihood and impact of breaches and hefty penalties for non-compliance imposed in specific regions.
Other traditional security tools and guidelines should be treated as non-optional to minimise the chance of successful technical breaches and hacking attempts to the business. For example, endpoint security combats malware and ransomware, while robust authentication and privilege access management decrease the likelihood of account breaches. Comprehensive network security help detects unauthorised activities and lateral malware movements that can aid the SOC (Security Operations Center) in monitoring the entire network environment.
While these tools are designed to protect the company’s digital assets, data, and devices, another area in the security chain that needs protection is the human element. Social engineering such as phishing attacks is still considered one of the most effective and elusive attacks in the current threat landscape. The threat actor targets users, taking advantage of human behaviour, trust, and ignorance as the potential gateway to access sensitive information. This can be addressed through sufficient security awareness to help mitigate the risk of falling from such type of attack.
Innovation in the industrial sector is a natural response to the demand for service expansion and process optimisation, elevating industrial business processes to the next level. Two factors contributing to the successful adoption of innovative solutions are security and compliance. There are compelling arguments that cyber threats are inevitable and are just waiting for the right opportunity to strike. To minimise the likelihood and severity of impact, it is imperative to treat both security and compliance as equal priorities to core functional requirements in the early stage when transforming industrial business operations.
Reekoh’s Industrial IoT integration platform is equipped with mechanisms that address its data security obligation and reliability, built within its core capabilities. Our commitment to delivering interoperability through asset and data integration also extends to maintaining our customers’ existing security and compliance reputation. Learn more in our Security Center.
Argie Gallego is Reekoh’s Head of Cybersecurity
