Back to basics: the top five technical issues to address in industrial cyber security

Jalal Bouhdada, founder and CEO, Applied Risk, offers up his top five technical issues to address in industrial cyber security

While industrial facilities are facing more cyber security challenges than they used to, the good news is that awareness around these challenges is increasing. That said, there’s still a marked difference between how well cyber security is understood in the consumer and corporate IT worlds, and how well it’s understood in industrial environments driven by OT.

In a sense that’s not surprising. After all, most well-publicised attacks have been in consumer and corporate IT. But with attacks on critical industrial environments now becoming more frequent, people are starting to wake up to the operational, financial, reputational and even human and environmental damage they can inflict.

Awareness is one thing. But the fundamentals of cyber security are still not being practised regularly. What are those fundamentals? In our cyber security work with organisations operating critical infrastructures around the world in sectors including power, oil and gas, water management, manufacturing and maritime, we’ve identified the top five technical issues that need addressing.

1. Software is outdated and vulnerable

In many industrial environments, the software behind control systems is obsolete. This is due to a failure to patch operating systems and applications, as well as to make essential upgrades to firmware when these become available.

All too often, we see poor patch management and the use of unsupported software. That makes it easy for attackers with off-the-shelf tools to exploit weaknesses – as we saw with the spread of the WannaCry ransomware that crippled many organisations. In 2018 and 2019, other ransomware campaigns also directly impacted industrial sectors. These systems should be upgraded, replaced or properly isolated to communicate with only what is explicitly necessary.

2. Networks are ineffectively segregated

It’s essential that IT/OT systems are segregated correctly, but this isn’t happening enough. Poor segregation of safety instrumented systems (SIS) from the rest of the OT network is also a major issue, as this leaves employees exposed to a higher level of risk.

And as OT becomes ever more closely integrated with enterprise and business systems, the boundaries between OT and IT environments are often weak, as are many firewalls. Attackers seeking to gain control of OT through the network are well versed in the technique of exploiting poorly configured gateways and other equipment to leverage weaknesses in the IT network, and that way enter the OT environment.
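The segregation points above can be checked mechanically against a firewall rule export. The following Python sketch is an added example, not part of the original article: the zone addressing, rule names and the allow-list of necessary flows are constructed assumptions. It flags any allow rule that crosses the SIS boundary or opens an IT/OT flow that is not explicitly listed, including broad rules that span several zones.

```python
import ipaddress
from typing import NamedTuple

# Constructed zone addressing (an assumption, not taken from the article).
ZONES = {z: ipaddress.ip_network(n) for z, n in
         [("IT", "10.10.0.0/16"), ("OT", "10.30.0.0/16"), ("SIS", "10.40.0.0/24")]}
# Explicitly necessary IT/OT flows (zone, destination, port); hypothetical historian.
ALLOWED_FLOWS = [("IT", ipaddress.ip_network("10.30.5.10/32"), 443)]

class Rule(NamedTuple):
    name: str
    src: str     # source CIDR
    dst: str     # destination CIDR
    port: str    # port number or "any"
    action: str  # "allow" or "deny"

def zones_touched(cidr):
    """Every zone a CIDR overlaps; one broad rule can span several zones."""
    net = ipaddress.ip_network(cidr)
    return sorted(z for z, zone_net in ZONES.items() if net.overlaps(zone_net))

def audit(rules):
    """Return (rule name, finding) for each allow rule that breaks segregation."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        dst_net = ipaddress.ip_network(r.dst)
        for s in zones_touched(r.src):
            for d in zones_touched(r.dst):
                if s == d:
                    continue  # traffic inside one zone is out of scope here
                if "SIS" in (s, d):
                    findings.append((r.name, f"{s}->{d} crosses the SIS boundary"))
                elif r.port == "any" or not any(
                        s == zone and dst_net.subnet_of(net) and int(r.port) == port
                        for zone, net, port in ALLOWED_FLOWS):
                    findings.append((r.name, f"{s}->{d} flow is not on the allow-list"))
    return findings

# Constructed sample rule set.
SAMPLE_RULES = [
    Rule("historian-https", "10.10.8.0/24", "10.30.5.10/32", "443", "allow"),
    Rule("legacy-any", "10.10.0.0/16", "10.30.0.0/16", "any", "allow"),
    Rule("eng-ws-to-sis", "10.30.20.0/24", "10.40.0.0/24", "502", "allow"),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", "any", "deny"),
]
```

Calling `audit(SAMPLE_RULES)` reports the two rules that weaken segregation and leaves the narrowly scoped historian rule alone.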

3. Poor systems hardening

Systems hardening is key to reducing vulnerability to attack, through eliminating possible attack vectors and condensing the attack surface of the systems. Yet many device installations have either no or minimal hardening measures in place.

Vulnerabilities are created in systems when, for example, access credentials are left in their default state or organisations use insecure protocols or permissive services. If vendors don’t make patches and updates available, organisations may need to upgrade, migrate or isolate a system from the network.

4. Weak access control

Access control, in both the physical and logical sense, is often poorly managed and can undermine the security controls that have been put in place. Think of things like managing joiners and leavers, managing account permissions and the use of weak passwords.

These can be resolved by establishing and enforcing a strong password policy. Storage of passwords is also a key consideration: a strong password is useless if it’s stored on an unencrypted system that is accessible to other users.

Organisations should also apply the principle of ‘least privilege’ – granting user accounts only the permissions they require.

5. Insufficient logging and monitoring

Systems need to be monitored constantly and in real-time, in order to detect any unusual behaviour. Careful monitoring also helps build up comprehensive system logs that are of great use in the forensic investigation of any attack that does occur.

Recent developments in the IT world have shown that one of the most effective ways to spot new and evolving threats is through host-based monitoring, such as with Endpoint Detection and Response tools. These tools can facilitate effective incident response processes. For OT systems that don’t allow host-based monitoring, there are passive and active monitoring tools that can monitor the network. They are improving hugely in quality.

Fortunately, most of these issues are relatively easy to fix. It’s not a one-off job, however. Sustainable cyber security is a never-ending process, with many moving parts. To do it right, it’s vital to appoint people directly responsible for maintaining security in the OT domain, and implement a ‘defence-in-depth’ strategy with multiple levels of protection such as layered networks, strong access control, system hardening and regular testing of all entry points.

Written by Jalal Bouhdada, founder and CEO, Applied Risk

This article is tagged with: patch management, WannaCry
