On June 13, 2018 the National Cyber Security Centre said it was working alongside Dixons Carphone to investigate one of the UK’s biggest data breaches at a single firm, which gave unauthorised access to 5.9 million customer’s cards.
Traditionally, physical safety in a plant was ensured manually, with redundancy systems in place in case of a fault. However, as technology has advanced, and entire systems have become electronic and software-based, safety and security now have to also be delivered digitally.
Similarly, machine safety has historically been considered a standalone discipline, because it was entirely mechanical and hard wired. In the past 20 years, electronic control systems have overtaken mechanical methods because of ease of use, reduced maintenance and the abundance of data they can offer.
Despite the many benefits of electronic control systems, their use does produce safety concerns. All systems are connected, and data collected from the machinery is transmitted via local networks over the internet. If a flaw such as a bug is present in a single component, the entire plant can become vulnerable via the network.
The health and safety executive (HSE) is now involved in the cybersecurity of Electrical, Control & Instrumentation (EC&I) systems. One form of system held by EC&I operators are Safety Instrumented Systems (SIS), which may range from simple logic systems to complex programmable safety programmable logic controller (PLC) type systems.
Therefore, the Control of Major Accident Hazards Regulations (COMAH) has released guidance on the cybersecurity of Industrial Automation and Control Systems (IACS). The COMAH regulations aim to prevent and mitigate the effects of major accidents involving dangerous substances that can cause serious harm to people or the environment.
Because physical processes, machinery and systems are now controlled electronically, reducing the risk of a major accident must involve electrical, control and instrumentation (EC&I) systems. Control systems can take the form of Industrial Automation and Control Systems (IACS), Industrial Control Systems (ICS) or Operational Technology (OT), and all could provide points of weakness for cyber attackers.
Cybersecurity is a vital part of a plant’s safety and total security is dependent on the protection of IACS.
Many processes have dangerous steps. From working in hazardous environments, such as offshore, to using potentially dangerous equipment like pressure cookers or robots, safety procedures underpin each stage of every process.
Traditionally, safety features were physical, such as a stop button hardwired to cut power to machinery and requiring a manual reset. Hardwired systems are often time-consuming to maintain and reset and can create room for user error and mistakes, but they cannot be attacked remotely.
Many newer systems require the use of software-based safety systems instead. The development of mass-market machine learning algorithms and systems means software-based systems can employ technologies such as machine learning and artificial intelligence (AI) to pre-empt potentially disastrous events. The system can then automatically stop the dangerous process and notify an operator to take steps to limit the danger.
These systems have huge potential to reduce the risk and occurrence of safety incidents in plants. However, it is important to remember they are only as safe as they are cyber secure — and any disruption to safety checks could lead to a serious incident occurring.
Let’s take the simple example of cooking soup in a pressurised container. This could be remotely attacked in two ways.
The first type of attack is a reduction, removal or simplification of the safety processes before the lid is released. This could lead to the pressure not being released before the lid is removed, causing a violent steam explosion.
The second attack is on ingredient control. Recipes are usually stored electronically, and ingredients are automatically added at the right point. Compromise of an automatic addition system could be catastrophic. By adding too much of an ingredient such as salt, the entire batch would become unusable, or an attack could add unlabelled allergens. Unlabelled allergens could be fatal to consumers and are a top cause of expensive recalls, accounting for 47 per cent of recalls in 2014.
Because of the connectivity of electronic systems, a vulnerability in any part of the plant could give access to the control system.
Fifteen to twenty years ago, not only was safety controlled separately to control systems, plants were made up of disparate systems that were not connected and had no single interface to consolidate.
Because these legacy devices used their own protocols and operated on non-routable networks, the focus was on performance, safety and reliability instead of cybersecurity. However, as technological trends brought about increased competition, open connected systems with real-time information sharing became more popular.
Many people still mistakenly believe that an attacker needs to gain physical access to an industrial control system to infect or tamper with it. But as operational technology (OT) and information technology (IT) begin to converge, vulnerability in an IT system could provide easy access to OT control systems, and vice versa.
This effectively illustrates another reason why control system cyber security is increasingly important. Not only could an attack put workers in danger by tampering with machine safety or altering a process, it could leave the company open to attacks on data, such as the infamous WannaCry ransomware attack, which demanded payment to unscramble data.
Protecting all computer, control and electronic systems is essential to ensuring the overall safety of any plant and must be prioritised by plant managers. Bringing in an expert service such as the alliance between technology and IT consultancy NETbuilder can protect all systems across a plant, leaving no stone unturned.
Industrial control systems have traditionally been a separate entity from the IT systems used by the corporate enterprise and were therefore outside the remit of IT cyber security teams. However, as time goes on and the worlds of OT and IT converge, this is a dangerous mentality and securing ICS is essential to avoid attacks on personal data, as in the Dixons Carphone attack, or even process or physical safety.