Industrial control systems: the new cyber hacker ‘go to’
Hacking of a water treatment plant in Florida last month reflects a rise in the ability of sophisticated cyber criminals to breach control systems at industrial sites, and offers a “grave warning,” FM Global says.
The Florida hacker was able to introduce more sodium hydroxide, or lye, into drinking water, posing the potential to cause serious health impacts to more than 15,000 people.
The facility noticed the breach within six hours and quickly rectified the issue, but FM Global Cyber Consultant Pankaj Thareja says the incident underscores the vulnerability of industrial control systems and the potential losses that can come about as a result.
“This incident shows that this area is ripe for risk improvement activities,” Mr Thareja, an expert with nearly 20 years’ experience in IT and cyber security, said.
He says there are lessons that can be learned for risk managers and insurance professionals in Australia from the attack.
“If any of the critical infrastructure systems are impacted ... if they are badly impacted or disrupted for a long time it can really disrupt the entire nation, not just that particular industrial sector,” Mr Thareja tells insuranceNEWS.com.au.
Uptake of the internet of things (IOT), including industrial control systems (ICS), is increasing vulnerability, with recent figures showing almost half Australian enterprises have deployed at least one IoT solution and are planning on expanding their systems.
This trend has been accompanied by a simultaneous rise in sophisticated hackers who have knowledge of and are able to breach ICS, which often lack dedicated cyber security personnel and have minimal budgets.
Industrial control is “ripe” for risk improvement activities, Mr Thareja says, noting that these systems often suffer a lack of dedicated cyber security personnel and minimal budgets.
He stresses the importance of proactive mitigation of cyber risk and recommends placing firewalls between Operational Technology and Information Technology systems, as well as rethinking cyber security governance, to achieve better resilience.
If the motive is purely financial, hackers generally try to penetrate commercial areas such as manufacturing and later take advantage of mechanisms such as cryptocurrencies to remain undetected.
“They can command attention. They get their brand value - that they anonymously hacked something and they made money in that black market they operate within,” Mr Thareja said.
Money is not the only motivator for attackers though, with disputes between nations and activists also hacking with an "objective to disrupt or distract”.
“That's a different story. Their objective is to deliver a message,” Mr Thareja says from Singapore during a video interview.
Transportation, water supply, power generation and other industrial infrastructure are at risk and Mr Thareja says that with dependency on technology rising "to bring that efficiency that humankind desires,” risk exposure is escalating.
FM Global notes research from Cybersecurity Ventures predicting global cybercrime costs will grow by 15% annually, reaching $US10.5 trillion ($13.6 trillion) a year by 2025 in what has been described as the greatest transfer of economic wealth in history.
Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, embezzlement, fraud, post-attack disruption to business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.