IN­DUS­TRY FEA­TURE

Utilities Middle East - - CONTENTS -

util­ity sec­tor plan­ning for en­hanced se­cu­rity, new dis­trib­uted re­sources and grid tech­nolo­gies are adding more com­plex­ity to the sys­tem, which means that keep­ing se­cu­rity prac­tices up to date will most likely be a con­tin­u­ous job.

“The rise in dis­trib­uted en­ergy pro­vides a weak­ness for the ex­ist­ing model of cy­ber-at­tacks,” says An­drey Doukhvalov, chief strat­egy ar­chi­tect and head of fu­ture tech­nolo­gies depart­ment, Kasper­sky Lab. “This is good news. How­ever, the bad news is that in the fu­ture the main chal­lenge will be how to pro­vide a trusted source of in­for­ma­tion from these dis­trib­uted sys­tems since in­for­ma­tion flow has to be cen­tralised for ef­fec­tive man­age­ment. And of course the is­sue of cy­ber­se­cu­rity will now change to the area of trusted in­for­ma­tion.”

By ex­am­in­ing the cur­rent cases of cy­ber­at­tacks, Doukhvalov says it is clear that cy­ber­crime might shift from theft of in­for­ma­tion to theft of busi­ness con­ti­nu­ity. “If the bad guys know the price of un­planned out­age of a plant or dig­i­tal sub­sta­tion, they no lo longer then need to steal per­sonal in­for­ma­tion from bank ac­counts or money trans­fers. They just may at­tack in­stal­la­tions and ask for a ran­som that is al­most equiv­a­lent to the cost of an un­planned out­age of that par­tic­u­lar in­stal­la­tion.”

Data from a sur­vey con­ducted by Ernest and Young (EY) shows that 80% of util­ity com­pa­nies have wit­nessed an in­crease in ex­ter­nal threats, with mo­bile com­put­ing, mal­ware and phish­ing the most preva­lent con­cerns.

But while they may recog­nise the threats, only 11% of sur­vey re­spon­dents said they felt their cur­rent in­for­ma­tion se­cu­rity mea­sures fully meet their or­gan­i­sa­tion’s needs, 60% are run­ning no or in­for­mal threat as­sess­ments while 64% be­lieve that their se­cu­rity strat­egy is not aligned with to­day’s risk en­vi­ron­ment.

It is a trend that wor­ries cy­ber se­cu­rity so­lu­tions providers who feel that the scale of threats is not widely un­der­stood by in­dus­try play­ers and are now calling for a com­plete change in the ap­proach for se­cur­ing vul­ner­a­ble util­ity in­fra­struc­ture and sys­tems.

The story of crit­i­cal in­fra­struc­ture se­cu­rity is part of a fa­mil­iar nar­ra­tive of the clash be­tween old tech­nol­ogy and new cy­ber threats, be­tween gov­ern­ment reg­u­la­tion and com­pany mo­ti­va­tion, and be­tween cost and se­cu­rity – with se­cu­rity con­se­quences unique to crit­i­cal in­fra­struc­ture.

“A large sec­tion of the ex­ist­ing util­i­ties in­fra­struc­ture is old and not re­silient enough to with­stand the emerg­ing cy­ber threats,” says An­drey Su­vorov, head of crit­i­cal in­fra­struc­ture pro­tec­tion busi­ness de­vel­op­ment, Kasper­sky Lab.

Su­vorov says that a com­plete change in at­ti­tude and ap­proach is re­quired to lessen threat lev­els, and to boost the se­cu­rity of all at­tack vec­tors at any given unit that could be a po­ten­tial tar­get.

Crit­i­cal in­fra­struc­ture sys­tems in­clud­ing the elec­tri­cal grid and wa­ter dis­burse­ment are in need of some se­ri­ous se­cu­rity over­hauls to pre­vent the hack­ing threats cur­rently im­pact­ing

The rise in dis­trib­uted en­ergy pro­vides a weak­ness for the ex­ist­ing model of cy­ber­at­tacks. This is good news. How­ever, the bad news is that in the fu­ture the main chal­lenge will be how to pro­vide a trusted source of in­for­ma­tion from these dis­trib­uted sys­tems since in­for­ma­tion flow has to be cen­tralised for ef­fec­tive man­age­ment. And of course the is­sue of cy­ber­se­cu­rity will now change to the area of trusted in­for­ma­tion.” An­drey Doukhvalov, Kasper­sky Lab.

those sec­tors, he says.

“What we are wit­ness­ing is mostly a re­ac­tive ap­proach where com­pa­nies de­ploy se­cu­rity so­lu­tions only af­ter threats be­come pal­pa­ble. But to guar­an­tee high avail­abil­ity, re­li­a­bil­ity and safety, the en­tire sys­tem must be in­su­lated from cur­rent and fu­ture threats be­cause at­tack­ers are al­ways chang­ing tac­tics.”

A num­ber of com­pa­nies tend to give less at­ten­tion to real pos­si­ble tar­gets and in­stead fo­cus on ar­eas such as data, which down­plays the very real pos­si­bil­ity of cy­ber­crim­i­nals tak­ing con­trol of es­sen­tial re­sources, says Su­vorov.

“With the in­creased con­ver­gence of cy­ber and phys­i­cal worlds, at­tacks are no longer lim­ited to of­fice com­put­ers and net­works, and can have a phys­i­cal im­pact in the real world,” Su­vorov points out.

“It makes eco­nomic sense to make a sin­gle in­vest­ment in a se­cu­rity so­lu­tion that will pro­tect your in­fra­struc­ture for many years ahead rather than wait­ing for a threat to hap­pen and then take ac­tion.”

The in­dus­trial Cy­ber­Se­cu­rity ex­pert says that it is im­por­tant that util­i­ties im­ple­ment IT se­cu­rity so­lu­tions that in­te­grate net­work, end­point and mal­ware anal­y­sis, threat in­tel­li­gence and re­me­di­a­tion ca­pa­bil­i­ties and don’t just de­liver rapid de­tec­tion and re­sponse, but con­tin­u­ous au­to­mated in­ci­dent res­o­lu­tion.

“But most im­por­tantly, any so­lu­tion must take peo­ple into con­sid­er­a­tion, both as strong and weak points in se­cur­ing a sys­tem. Peo­ple pose a real threat than the pro­cesses within a com­pany. There­fore, sen­si­ti­sa­tion is needed at all lev­els along with build­ing a ro­bust se­cure perime­ter, based on a lay­ered ap­proach to pre­vent abuse,” says Su­vorov.

In May 2016, ran­somware at­tacked the power and wa­ter util­ity at Lans­ing, Michi­gan, USA, re­sult­ing in a loss of about $2mn. These, along with sev­eral sim­i­lar hacks ap­pear to have in­creased util­ity con­cern about the se­cu­rity of their power sys­tems.

“The scale, na­ture and speed of cy­ber-at­tacks tar­get­ing en­ergy and util­i­ties in­stal­la­tions are chang­ing as tech­nol­ogy evolves,” says Eu­gene Kasper­sky, CEO of Rus­sian head­quar­tered cy­ber­se­cu­rity firm, Kasper­sky Lab. “A few years ago, cy­ber-at­tacks were re­stricted to of­fice soft­ware. But with in­creas­ing vul­ner­a­bil­i­ties in the soft­ware and hard­ware used in util­i­ties, cy­ber crim­i­nals are now toy­ing with dig­i­tal in­dus­trial net­works.”

Ac­cord­ing to Kasper­sky, util­ity pro­fes­sion­als say cy­ber and phys­i­cal se­cu­rity is the most press­ing con­cern for their com­pa­nies with the ma­jor­ity of them stat­ing it is ei­ther “im­por­tant” or “very im­por­tant” to­day.

“To­day, se­cu­rity is­sues rank highly among util­ity con­cerns right from elec­tric power gen­er­a­tion, trans­mis­sion to dis­tri­bu­tion, largely due to the dis­trib­uted en­ergy pol­icy be­ing adopted by util­i­ties across the world,” says Kasper­sky.

He says that in­creased at­ten­tion to on­go­ing cy­ber threats around the world by the me­dia and in­dus­try groups is am­pli­fy­ing the gen­uine con­cern about se­cu­rity of crit­i­cal in­fra­struc­ture.

“Cy­ber-at­tacks such as the one in Ukraine are not be­ing treated in iso­la­tion by the in­dus­try. There is a gen­uine con­cern that sim­i­lar at­tacks might take place else­where,” Kasper­sky points out. “And util­i­ties are start­ing to share vi­tal in­for­ma­tion on cy­ber-at­tacks and threats.”

In fact, the real awak­en­ing to the re­al­ity of cy­ber threats in the Mid­dle East is as re­cent as five years, and this comes at the back of a se­ries of cy­ber­at­tacks at some of the re­gion’s largest in­stal­la­tions.

In a re­cent re­port by PWC, 67% of par­tic­i­pants said that within the past year, they have had at least one se­cu­rity com­pro­mise that led to the loss of con­fi­den­tial in­for­ma­tion or dis­rup­tion to op­er­a­tions.

The re­port also re­vealed that 47% of the at­tacks came due to neg­li­gence on the part of staff mem­bers.

“Peo­ple must be pro­vided ap­pro­pri­ate train­ing to guide them in work­ing on sen­si­tive sys­tems. At the same time, mea­sures should be put in place to re­strict move­ment of unau­tho­rised per­son­nel at the in­stal­la­tion,” says Jari Kaija, se­nior vice pres­i­dent, ABB Group Ser­vices

ABB’s Cy­ber Se­cu­rity Ser­vice Mon­i­tor­ing Ser­vice pow­ered by Ser­vicePort, iden­ti­fies, clas­si­fies and helps pri­ori­tise op­por­tu­ni­ties to im­prove the se­cu­rity of a con­trol sys­tem. By over­see­ing the cy­ber se­cu­rity sta­tus of a con­trol sys­tem, Ser­vicePort col­lects sys­tem data for com­par­i­son against in­dus­try best prac­tices and stan­dards to de­tect

Peo­ple must be pro­vided ap­pro­pri­ate train­ing to guide them in work­ing on sen­si­tive sys­tems. At the same time, mea­sures should be put in place to re­strict move­ment of unau­tho­rised per­son­nel at the in­stal­la­tion.” Jari Kaija,ABB

weak­nesses within a sys­tem’s de­fence.

“This pin­points ar­eas that re­quire ac­tion to help pro­tect your con­trol sys­tem by en­sur­ing it has mul­ti­ple lay­ers of se­cu­rity. The ABB Cy­ber Se­cu­rity Mon­i­tor­ing Ser­vice is non-in­va­sive, and can be ap­plied to any con­trol sys­tem,” points out Kaija.

The re­al­ity of cy­ber-at­tacks has seen a sig­nif­i­cant in­crease in bud­gets for IT se­cu­rity world­wide with some util­ity com­pa­nies cre­at­ing di­vi­sions ded­i­cated to cy­ber­se­cu­rity.

Gen­eral Elec­tric is re­ported to have so far in­vested over $1bn into the In­dus­trial In­ter­net and cy­ber­se­cu­rity so­lu­tions.

GE has ac­quired Van­cou­ver-based Wurldtech, which spe­cialises in se­cu­rity soft­ware that pro­tects big in­dus­trial sites used by the en­ergy, chem­i­cal, nu­clear and man­u­fac­tur­ing in­dus­tries at an undis­closed sum.

Es­tab­lished IT com­pa­nies are in­creas­ing cy­ber­se­cu­rity so­lu­tions that tar­get the util­i­ties sec­tor, as the in­dus­try be­comes a clear tar­get for cy­ber crim­i­nals.

“A lot of cus­tomers are smart about cy­ber­se­cu­rity and most have strong IT se­cu­rity prac­tices. What needs to hap­pen is the op­er­a­tions tech­nol­ogy se­cu­rity has to bridge to the IT prac­tices,” says Ganesh Bell, chief dig­i­tal of­fi­cer, GE Power.

“The op­er­a­tions side is catch­ing up. The other wrinkle here is the role of the gov­ern­ment given that util­ity cy­ber­at­tacks can be car­ried out by state ac­tors. There are a num­ber of pri­vate-pub­lic ini­tia­tives re­volv­ing around cy­ber­se­cu­rity.”

Mi­crosoft has in­vested more than $2bn im­prov­ing smart and cy­ber­se­cu­rity so­lu­tions for util­i­ties in­fra­struc­ture.

“In the past, we have seen C-level ex­ec­u­tives of or­gan­i­sa­tions adopt­ing a very con­ser­va­tive ap­proach to tech­nol­ogy adop­tion. They only view tech­nol­ogy in terms of new busi­ness mod­els and cost op­ti­mi­sa­tion but of­ten down­play­ing the real pos­si­bil­ity of this same tech­nol­ogy be­ing com­pro­mised,” says Kasper­sky. “We see this chang­ing as due con­sid­er­a­tion is now be­ing given to the like­li­hood of cy­ber-at­tacks.”

“Another chal­lenge has al­ways been re­sis­tance from OT (op­er­a­tional tech­nol­ogy) staff who do not want any in­ter­fer­ence with their ex­ist­ing tech­nol­ogy set up. That is why we have based the ge­neal­ogy of our so­lu­tions on pas­sive ways of mon­i­tor­ing which leaves any ex­ist­ing tech­nol­ogy set up in­tact.”

Kasper­sky Lab re­cently signed a Me­moran­dum of Un­der­stand­ing (MoU) with UAE head­quar­tered In­jazat Data Sys­tems (In­jazat), an in­dus­try-recog­nised mar­ket leader for se­cure data cen­tre and man­aged ser­vices so­lu­tions.

The agree­ment will see the two par­ties work­ing to­gether to de­velop a po­ten­tial part­ner­ship in the ar­eas of in­dus­trial IT se­cu­rity, cy­ber de­fence and other of­fer­ings.

As the drive to con­nect ci­ti­zens and de­vices through smart city ini­tia­tives gain mo­men­tum in the Mid­dle East, the threat of cy­ber-at­tacks re­mains real and its po­ten­tial to ruin these dreams is in­escapable.

This prob­a­bly ex­plains the grow­ing mar­ket for cy­ber­se­cu­rity so­lu­tions in the re­gion es­ti­mated to reach $13.43bn, ac­cord­ing to a re­cent re­port by Cy­ber­se­cu­rity Ven­tures.

IT se­cu­rity providers and in­dus­try an­a­lysts con­cur that any strate­gies to­wards achiev­ing a vir­tual com­mu­nity must pri­ori­tise cy­ber­se­cu­rity and sup­press it at all lev­els.

A lot of cus­tomers are smart about cy­ber­se­cu­rity and most have strong IT se­cu­rity prac­tices. What needs to hap­pen is the op­er­a­tions tech­nol­ogy se­cu­rity has to bridge to the IT prac­tices. The op­er­a­tions side is catch­ing up.” Ganesh Bell, GE

Newspapers in English

Newspapers from UAE

© PressReader. All rights reserved.