By Steve Hanna, Chair of Industrial Work Group
Cyber-attacks on Industrial Control Systems are increasing, requiring the designers of industrial systems to reassess and re-evaluate their methods of guarding against not only targeted attacks, but also mass-distributed malware. Attacks are not only increasing in frequency, but also in sophistication, meaning there is a need for stronger countermeasures to be implemented.
Such attacks not only have an enormous financial impact, but with the motives of hackers ranging from corporate espionage to political aims to the downright malicious, attacks on industrial systems can have huge implications for the real world.
What makes it so difficult to guard against cyber threats is that a single point of entry can be enough for hackers to take down an entire organization, or at least take it offline. This could be something as simple as one employee opening an infected email, or a software update that contains a hidden vulnerability.
In 2017, Maersk fell victim to a major cyber-attack. The world’s biggest shipping conglomerate was one of the highest profile victims of a piece of malware called NotPetya, a fast-propagating and particularly destructive virus that irreversibly encrypted master boot records, leaving computers unable to find their own operating systems.
NotPetya entered Maersk’s systems through hackers taking advantage of a back door during an update of accountancy software used in many offices in Ukraine. The malware spread quickly and within minutes, the screens of Maersk employees around the world were turning black. Container ships stood still at sea and Maersk’s port terminals ground to a halt. It took nine days for the company to restore its Active Directory system and caused financial losses totaling some $300m.
Maersk was not the only multinational affected by NotPetya. Pharmaceutical giant Merck, delivery firm TNT Express, food producer Mondelez and consumer goods company Reckitt Benckiser all suffered millions of dollars’ worth of damage. That was several years ago and the financial fallout from cyber-attacks continues to grow as the number of attacks grows also.
Increasing threat for industrial systems
According to Kaspersky, the average cost of a cyber-attack rose in 2019, to between $108,000 and $1.4bn depending on the size of the company. Cybersecurity Ventures has estimated that total damage in 2021 alone could top $6 trillion.
Kaspersky’s most recent risk report shows that in the second half of 2018, almost half of industrial systems bore evidence of attempted malicious break-ins. The most common form of attack, according to the report, was Trojan malware, which it detected on 27% of ICS computers.
The report also identified phishing emails as the most common attack on industrial companies, but this is just one example. Threats can be wide-ranging and varied – and can have far-reaching human consequences, not just for the employees of targeted companies but for customers, too.
Power grid attacks
Industrial IoT covers a broad spectrum of critical infrastructure systems, such as mining, chemical plants and power grids. A successful attack on critical infrastructure is of tremendous concern because it can cause widespread disruption.
Power grids are prime targets for cyber-attacks because of this, with the European Network of Transmission System Operators for Electricity (ENTSO-E) the latest to have fallen victim in March 2020. That attack, which targeted the organization’s administrative systems, appeared to have no direct impact on customers. That is not always the case.
An attack on a Ukrainian power company in 2015 resulted in a loss of power for 225,000 homes over several hours. It is thought a virus was delivered via a spear-phishing email, which targeted key employees with messages using details found on social media. Once a key employee opened the email, the virus spread throughout the company and gave the attackers the access that they wanted.
A year later, another attack on Ukraine disabled an electricity substation and left parts of Kiev without power for an hour. Experts believe the attack was designed to cause physical damage to the grid.
Against this backdrop of increasing threats against Industrial Control Systems, the Trusted Computing Group (TCG) has published a new guidance document, which provides detailed advice on how to secure Industrial Control Systems using TCG technology.
Recommendations include the use of the Trusted Platform Module (TPM) or Device Identifier Composition Engine (DICE) as a root of trust for devices, enabling many new security features. For example, storing keys in the root of trust can provide a reliable way of identifying remote devices. Further, use of the TPM’s random number generator can enhance the strength of cryptographic protocols. The use of security gateways can also extend the life of legacy assets, thus reducing costs.
This guide is aimed at architects and engineers responsible for industrial security and explains how by using TCG specifications, sophisticated protections can be employed without the need for custom hardware. The guidance offered by TCG is tailored specifically for Industrial Control Systems as opposed to IT systems, which have very different security needs.
As well as describing, in detail, how trusted computing principles can be used to implement security measures and prevent expensive and dangerous cyber-attacks being successful, TCG’s reference document will help trusted computing experts to understand and better address industrial uses of trusted computing technology for a safer, secure future.
Membership in the Trusted Computing Group is your key to participating with fellow industry stakeholders in the quest to develop and promote trusted computing technologies.
Standards-based Trusted Computing technologies developed by TCG members now are deployed in enterprise systems, storage systems, networks, embedded systems, and mobile devices and can help secure cloud computing and virtualized systems.
Trusted Computing Group announced that its TPM 2.0 (Trusted Platform Module) Library Specification was approved as a formal international standard under ISO/IEC (the International Organization for Standardization and the International Electrotechnical Commission). TCG has 90+ specifications and guidance documents to help build a trusted computing environment.