Author: Daniel Ehrenreich, Consultant and Lecturer, SCCE
There is nothing new about the risk of cyber-attacks on IT and Industrial Control Systems (ICS). About a decade ago, people believed that cyber-attacks can only be launched through the internet and adopted the principle of air-gap-isolated systems. The famous Stuxnet attack (2010) was the first strong indication that cyber-attack on IT and ICS (known as Operation Technology- OT) organizations can be also launched internally after the adversary entered your facility. Among people who enter your facility are; your employees, maintenance providers, cleaning personnel, material suppliers and those who bring you the breakfast donuts.
Is your organization at risk?
Industry experts are not shy to say that there is no absolute method, which may prevent a cyber-attack on your organization. According to publications, over 90% (!) of "successful breaches" were contributed by humans' negligence, some your loyal, dedicated and professional employees (!). People sent to your facility by the outsourced service providers have access to critical data on your facility and Personally Identifiable Information (PII) on employees. What can they do with this information? IT- related breach may cause financial losses, inconvenience and damaging your reputation, but ICS-related attack might lead to non-repairable machinery, operation outage and hurting people.
Controlling the cyber security
There is no clear evidence about which specific person activated each of the published attacks on IT and OT operations, but all know that stronger cyber and physical security measures such as inspection at the entrance gate, use of CCTV, purchasing software from formal vendors, etc., could prevent or make the attack more difficult. Related to reducing the potential risks caused by the supply chain, you may consider few qualifying questions:
• Are reasonable physical security measures deployed in their facility?
• Do they enforce security for their suppliers, similar to what you require?
• How do they guard personal and proprietary data of their customers?
• Is the information they received stored or deleted as soon as not needed?
• What physical access controls are in place to protect their operation?
• Does your service provider agree to your survey conducted at their facility?
• Is their operation process: Documented? Repeatable? Measurable?
• Does your vendor require permanent connection to your network?
• How often they conduct security assessment on their operations?
• Does your vendor conduct background checks for newly hired people?
Summary and Conclusions
The only effective way to maintain cyber defense is that you assume that your organization will be breached "as soon as tomorrow morning". When you deliver such message to your management, it rings the bell. According to section 5 in the ISO 27001-2013 standard, "top management must demonstrate leadership and commitment to the Information Security Management System (ISMS), mandate policy, and assign information security roles, responsibilities and authorities". All departments must be a part of coordinated efforts, pass through training and drills Every CISO or CSO, may explain you to how the supply chain activity might lead to a cyber-attack, and why the selected supply chain shall be committed to the basic principles outlined above. Paying attention to all possible cyber security risks as outlined in cyber security assessment (a clear requirement in all published standards), will position your organization a step ahead of the cyber attackers. This shall no longer be a topic for debate about risk levels and Return on Investment (RoI), but an achievable goal through your commitment.
Daniel Ehrenreich, BSc. is a consultant and lecturer acting at Secure Communications and Control Experts, and periodically teaching in colleges and industry conferences on integration of cyber defense with industrial control systems; Daniel has over 25 years’ engineering experience with ICS and OT systems for: electricity, water, gas and power plants as part of his activities at Tadiran, Motorola, Siemens and Waterfall Security. Selected as Chairman for ICS Cybersec 2018 taking place on 11-10-2018 in Israel. LinkedIn