The industrial sectors of the engineering world are currently amidst a period of incredible progress. With the introduction of more automated processes than ever before, the industry is becoming increasingly efficient and requiring less physical manpower.
However, the digital transformation of the industry does come with its downsides. When integrated with technology, vital industry hardware becomes connected to the internet, which makes the chances of corruption far more likely.
Fortinet is an American multinational company that develops cybersecurity software in the engineering sector. They recently released a report entitled the ‘2019 Operational Technology Security Trends Report’, which examined troublesome cyber-attacks, specifically targeting supervisory control and data acquisition (SCADA) and industrial control systems (ICS) systems.
In the report, Fortinet says that two-thirds of global operation technology is connected to an interconnected network. 32% of the systems are connected to the public internet, and the other 32% connected through a gateway into the enterprise. Fortinet writes, “This gateway is sometimes as innocuous as a single PC that is separately connected both to the OT system and the internet.’
Those systems are directly vulnerable to attacks. The report also found that in 2018 exploits ‘increased in volume and prevalence’ for almost every ICS/SCADA vendor. Meaning, hackers were attempting to find vulnerabilities in ICS and SCADA systems. Once vulnerabilities are found, it is up to companies to ‘patch’ the particular vulnerabilities.
Just recently in July 2019, security researchers published a list of 11 vulnerabilities that needed urgent attention by cybersecurity specialists - they aptly named the vulnerabilities the Urgent11.
Larry O’ Brien, vice president of the ARC Advisory Group - a leading technology research and advisory firm for industry wrote:
“Cybersecurity is playing an increasingly important role in process safety systems. This became apparent with the cyber-attack on safety systems late in 2017 that ultimately ended in the safe shutdown of a Middle Eastern petrochemical facility. Attacks on safety systems have the potential to cause real harm in the physical world, so it’s important that ICS/SCADA cybersecurity policy include rational approaches to process safety systems.”
Lessons are being learned every year, but it seems that businesses will have to invest in cybersecurity at a more rapid rate due to the quick nature in which new exploits arise. The engineering industry needs to learn how to secure their systems from the hacker-types who are technically gifted enough to discover those loopholes.
INSINIA, a company specializing in cybersecurity for enterprise and industry in December 2018 spoke about the hacking of industrial control systems at the Security BSides London conference. They presented a lecture entitled: ‘Hacking SCADA: How We Attacked a Company and Lost them £1.6M with Only 4 Lines of Code’.
The group developed a ‘weaponized’ Arduino micro-controller that could scan a network and shut down components in an interconnected setup, powered by only four lines of code. They showed how easy it could be to take down an industrial setup in minutes.
The group says that in their research of certain companies running industrial control systems, some were found to be using Windows 7, and in some cases even Windows 98 as operating systems. The issues being that older operating systems can be vulnerable to backdoor attacks that are unlikely to be patched as new operating systems have made their way to market.
The onus seems to be on the engineers of companies to source enterprise-level systems with apt cyber-security to combat the denial-of-service attacks hackers attempt to exact on SCADA and industrial control systems.
“Deliver Secure Digital Transformation.” Fortinet, www.fortinet.com/.
Leyden, John. “Pwned with '4 Lines of Code': Researchers Warn SCADA Systems Are Still Hopelessly Insecure.” The Register® - Biting the Hand That Feeds IT, The Register, 20 June 2018, www.theregister.co.uk/2018/06/18/physically_hacking_scada_infosec/.