As industrial facilities and systems become increasingly connected to capitalise on digital capabilities, countering cybersecurity risks is becoming part of industrial best practices and digital technologies are being subjected to the same rigorous safety and security standards as other industrial technologies.
The increase in cyberattacks globally has contributed to a similar increase in attacks against industrial facilities, emphasises industrial automation and information multinational Rockwell Automation Business Development Network Security Services leader Gert Thoonen.
Successful attacks against critical industrial facilities, including the well-known Stuxnet attack against a nuclear facility and the recent successful cyberattacks against South Africa’s port systems and the Colonial petroleum pipeline in the US, both leading to disruptions and an inability to service customers, illustrate the risks, impacts and prevalence of industrial cyberattacks.
“The cybersecurity strategy of a company must be based on the value and risk presented by a production line, industrial system or piece of equipment. This will inform the required response and the level of security that needs to be applied to defend against a vulnerability. This changes cybersecurity risks into structured risks that strike a balance between resources and risks.”
There were, on average, 1 611 attacks carried out against industrial facilities across Africa each week over the past six months, and about 11% of organisations were affected by international malware, including the ExHelper smartphone trojan, says cybersecurity multinational CheckPoint Software security engineer Justice Anyai.
“This cadence is comparable to attacks against industrial facilities around the world. The increasing interfaces created between industrial control systems and external networks and the convergence of the information technology and operational technology platforms have increased the attack surfaces present in industrial facilities and critical infrastructure,” he says.
The types of attacks carried out against industrial facilities include malware and ransomware infection, including through removable media devices, Internet connections, smartphones and devices, and intrusion through remote access systems, as well as phishing and social engineering attacks to gain the credentials of operators, says Anyai.
The unsuccessful breach against a water treatment plant in the US in February, during which the hackers tried to increase the dosage of sodium hydroxide used to treat water to unsafe levels, indicates the potential harm that can be caused by attacks against critical infrastructure, as well as the need for industrial operations to implement cybersecurity measures, says telecommunications multinational Vodacom Business cloud security executive head Garith Peck.
“Any government entity operating critical infrastructure and public or private utilities must have high-level cybersecurity throughout its operational fabric. No single solution is secure, and defending these facilities requires a layered security method in which overlapping solutions provide security and limit the impact if any layer or system is breached.”
Africa as a whole is progressing with the implementation of industrial cybersecurity processes and tools, but lags other regions. Organisations are most vulnerable during the migration to new technologies from legacy systems, says data security and cybersecurity multinational TrendMicro sub-Saharan Africa technical lead Emmanuel Tzingakis.
Many industrial organisations are in the process of upgrading their equipment and systems, and it is crucial that cybersecurity is included from the start to ensure the environment is secured against intrusion.
“Many industrial facilities and operations tend to trust their internal networks, and this approach is a cause for concern. Awareness is foundational for effective industrial cybersecurity. This includes not only technology and processes, but also training of people and raising awareness of cybersecurity, which are key to ensure operations transition from operational technology environments to information technology environments safely and are ready for further deployments,” he says.
Industrial facilities and operations in Africa have the same threat vectors, and face the same attack types and threat actors as other parts of the world. Cybercriminals attacking the critical infrastructure of companies in Europe and Africa have similar motivations, typically to steal information and sell it on or use it to exploit its vulnerability, says cybersecurity multinational Kaspersky senior security researcher Maher Yamout.
Sensitive information can include, for example, production projections and supply chain information, and threat actors include fraudsters and cybercriminal syndicates, hacktivists, State-sponsored groups and cyberespionage groups. All industrial operations worldwide face these threats.
The long replacement cycles of industrial equipment and their importance in maintaining productivity and uptime present specific challenges to ensure industrial facilities are cybersecure, he adds.
Further, the digitalisation of companies and industrial operations is being done to gain commercial and operational benefits and this change is set to continue, says cybersecurity software multinational McAfee Enterprise South Africa country manager Carlo Bolzonello.
African operations have good security practices and smart people looking after security; however, the challenge is to do more with fewer resources, including counteracting the global challenge of a cybersecurity skills shortage. Africa can leverage on the lessons from companies and operations in other regions. However, the need remains to enhance and grow our cybersecurity and industrial cybersecurity skills base, he says.
New requirements and initiatives to automate and provide operators, managers and executives with visibility of the production systems require data, which comes from the field control systems and devices. This requires connectivity, which is further eroding or removing the isolated segments, or islands, of industrial networks, says Yamout.
“Industrial cybersecurity requires different approaches to secure, specifically, and in contrast to cybersecurity systems in corporate environments, because industrial cybersecurity comprises 80% advanced monitoring and detection and only 20% of security relies on prevention technologies,” he says.
“The most important part of an industrial cybersecurity strategy is to understand your infrastructure and the entry and exit points, as well as to implement network segmentation and proper advanced monitoring to know what is going on so that you can respond accordingly, comparable to the procedures to manage any faults or failures of production equipment.”
Technology and cybersecurity equipment and tools alone do not constitute industrial cybersecurity, and teams must be trained on best practices and to use the technology deployed, says Thoonen.
“If operations do not delve into what the technology can do and if people are not trained on the procedures to use the technology to protect their equipment, then the solutions will not be implemented to their full effectiveness nor provide the expected protection,” he says.
Every operator is a living firewall, and requires education and training. Similar to training to ensure operators know what to do when something goes wrong in the production environment, industrial operations must develop procedures, train their operators and explain to them what the potential impact of a hack or breach could be. The procedures must inform operators how they must respond, whom to contact and what to do to ensure the security and integrity of the operation.
“This can be compared to the rules prohibiting unauthorised persons on the production floor. Operators will respond to mitigate the risk of an unauthorised person on the production floor by calling security. Similarly, operators have to be trained to enforce cybersecurity rules, such as a rule prohibiting a person from using an external device on the production floor, and with comparable responses to ensure these rules are adhered to.”
Neither information technology nor operational technology experts have worked in such a complex environment before, which is becoming more complex and difficult to manage, not least because the devices and tools are not secure by design, says Tzingakis.
“One way to protect such an environment is to be proactive and monitor the environment through end-point detection and response. These types of capabilities become especially important to combat advanced persistent threats and prevent an intrusion from moving laterally in the environment and expanding its presence within an industrial network.”
“Critical infrastructure is defined as any infrastructure that can cause physical, reputation or financial harm to a country or people through its unsafe use or disruption. Therefore, critical infrastructure includes not only utility infrastructure but also private-sector industrial facilities, as they can be critical for a country’s economy and the economies of the regions they are located in,” says Thoonen.
The risks and hazards presented by a compromised industrial facility inform the due diligence and duties of the operators in terms of physical and cybersecurity, he emphasises.
“Africa is seeing increased interest in its mineral and natural resources, and these elements attract threat actors. This will likely contribute to an increase in threats against manufacturing, exploration, and oil and gas in Africa. This makes Africa an interesting target for different types of threat actors, including potentially State-sponsored threat actors, seeking to make money or disrupt crucial supply chains,” says Yamout.
Industrial cybersecurity requires a holistic approach. Industrial facilities must focus on knowing in detail all their information technology and operational technology equipment and systems to better defend themselves and transition to digitally enabled operations.
This requires collaboration among all operational, business and information technology disciplines in an organisation and industrial cybersecurity must be done in
parallel with the engineering of the infrastructure to ensure industrial facilities are secured and able to grow into the future, says Yamout.
“Countries and industries need to be protected in the new global marketplace they operate in. Digital environments are the future of industries, and countries and companies must be prepared and ready to defend themselves against cyberattacks to ensure they remain secure and effective into the future,” says Bolzonello.