The Unfortunate Truth of Industrial Attacks

An Industrial Network is a complex area that has several 3rd parties with cross responsibility, which means no one wants downtime during their work shift. A critical component of operational efficiency is ensuring that the Industrial Network provides access to the necessary resources whenever needed.

Add to the mix the “if it's working don’t touch”, “the engineers won’t allow it” or “to do it we need to stop the entire plant!!!” I have seen all of those and more.

 

I have been on the other side of the table, working in plant cyber security and looking to change the world. Although there are many factors to consider, most of them revolve around money and time / money tradeoffs. As a consequence, security was always on the losing side of the equation.

 

In recent years, we've seen an increase in attacks on industrial systems, since the owner will often pay the ransom simply to return to production, unaware that the payment itself marks them as a paying target and leaves them vulnerable to a second or third attack.

 

The cyber solutions we have today cannot provide 100% protection to those old machines, and changing the architecture is not a financially viable option. This leaves the stakeholders with only a minimal level of protection, even though they do try most of the common protection systems as well as network IDS and antivirus. The biggest problem with these systems is that even when operators see something while monitoring, they tend to discard it as noise or ignore it altogether.

 

In the end, ICS are machines operated and engineered by humans, and cyber security should include those humans in the final solution, with policies, procedures, guidelines and playbooks. Engineers are very good at running systems efficiently, but when changes to the control are required, their alignment with an orderly process drops dramatically.

The industrial process is sometimes very complex and sometimes simple, but documentation and standardization requirements can place a burden on some of the new patches. In some cases even the naming convention needed to be tweaked to support the new machinery.

 

In many of the plants where I have started to assist with alignment work, the main issue was to initiate the process of aligning the control documents and control processes, with a goal of speeding up the process and making it more efficient.

 

Cyber security is most impactful on the security maturity of a company when it is integrated into the day-to-day work process.

The culture in the industrial areas of the plant is very different from that of the corporate office, and many managers ignore it or do not understand those issues at all. This makes the change a lot harder than usual, as culture is a strange beast that fights back every time you want it to adjust to changes.

 

When managers take responsibility and take action that changes their company culture, we can see a significant impact on security. Those are moments I cherish and it's one of the many reasons why I love my job.
Rotem Bar Podcasts

 

https://www.linkedin.com/in/barrotem/