Security support: helping industry defend against cyber attacks

It’s easy to raise the alarm on the dangers of cyber-attacks to industry, but what are the best strategies for protecting firms against incursions into their networks and compromised infrastructure? Agricultural workers, manufacturing teams, logistics providers, supply chain operators – to name just a few roles – are busy people and can’t be expected to be at the bleeding edge of cybersecurity. And even firms that have IT resources in place could find themselves in a perilous position if these business units turn out to be the sole defense against increasingly well-equipped and professionally run attack groups.

The stakes are high. Food security and the provision of essential supplies to healthcare, energy, and other critical sectors are easily identified as priorities, but cyber campaigns launched against any firm can have big consequences if they are successful in disrupting services. No industrial output for a company means no income and puts jobs at risk. Firms in this space have other worries too. Producers are under pressure to accelerate their digital transformation, deploy Industrial Internet of Things (IIoT) solutions more widely, and fully embrace industry 4.0. But, if poorly implemented, such strategies can further jeopardize security by unwittingly linking IT and operational technology (OT) segments of the network.

Priority list

“Maintaining that air gap or separation is the priority,” Charly Davis, Head of Industrials at NCC Group told TechHQ. “And finding solutions doesn’t have to be costly – independent, objective third parties can help firms by identifying quick wins that prevent lateral movement.” Strategically, companies can learn a huge amount about where to best raise their defenses by organizing an architectural design review. The aim of the survey is to look at the industrial environment as a whole and help firms to understand their critical assets and prioritize the protection that needs to be applied.

“The level of security control needs to factor in the risk tolerance of the business and create a technical environment that’s less susceptible to human intervention and error,” said Davis. There are practical considerations too, as there’s no point in having a solution that’s ultra secure, but then becomes disruptive to the business in other ways. “If a network link goes down, the USB lock that you’ve installed may now become a risk, if you can no longer update a piece of equipment,” Davis comments.

One of the issues facing firms is that while security hardware may look alike, the level of protection offered by competing products can be wildly different. “Safeguards such as secure by design and defense in depth need to come from the components within the devices,” said Davis. It’s an area where legislation can help. And this can be seen most recently in the consumer IoT space, where providers selling into various territories must now pay greater attention to ensuring that devices are more resilient to cyber-attacks. Updates to existing industrial requirements are in the pipeline too.

Legislative sweep

The EU’s Network and Information Security (NIS) 2 directive (PDF), which is currently being considered by member countries, includes reforms to incident reports, requirements for additional security measures – for example, to bolster supply chain security, fines for non-compliance, and tiered regimes to distinguish between essential and important entities. “The legislation will come in waves, starting with critical infrastructure,” said Davis. In the UK, proposals echo the themes of the EU’s NIS 2 directive. And, in the US, NIST has shared the latest draft of SP 800-82 – a detailed 300-page resource that is essential reading for anyone wanting practical guidelines on improving the security of OT systems.

Teaming up with cybersecurity experts to navigate the good practice that’s increasingly available is a sensible strategy for industrial firms of all sizes. And, at the same time, certification schemes – a trend that is on the rise – will eliminate some of the weaknesses that are currently present as companies upgrade and swap out hardware. Given the large market for industrial control systems, the positive impact of globally adopted standards could be far-reaching. The prevalence of international supply chains also points to the need to tighten security upstream as well as on the production floor.

Looking at the threat landscape today shows why experts are concerned. Industrials top the list of targets by sector (based on data from NCC Group’s monthly Threat Pulse) by some margin. Almost twice as many cases were reported cumulatively for industrial activities such as construction and engineering, freight and logistics, and transportation compared with the second-placed category – consumer cyclicals – a grouping that includes speciality retailers, hotels and entertainment services, media and publishing, automobiles, and others.

On the plus side, the more threat intelligence that’s available, the more evidence that analysts have to draw on when it comes to reviewing industrial designs and identifying the assets that are most at risk – further tailoring advice for clients based on the markets served by companies. Davis points out that different attack groups have their own preferred methods and target sectors, and go by names such as PARASITE, XENOTIME, and MAGNALLIUM – to give just a few examples. In a previous article, we covered some of the support that is being rolled out to agricultural operators and perhaps making funds available more widely, for services such as security reviews, could be money well spent – given the current focus of threat actors on industry and the scale of the consequences should things go wrong.