12 minute read
Cybersecurity, Industrial Infrastructure & Digitalisation
IE TalkS CybErSECurITy, INduSTrIal
INfraSTruCTurE & dIgITalISaTIoN WITh kaSpErSky
In an increasingly digitalised world, cybersecurity and protection of digital information are becoming more important than ever. As the coronavirus pandemic sweeps across the world and with a larger percentage of the global population working from home, cyber attacks threaten infrastructure on a larger scale than before.
Russian cybersecurity experts Kaspersky recently revealed a string of cyberattacks on various industrial centres dating back to 2018. At its core was the highlyadvanced malware MT3 - dubbed “MontysThree” by the team - which used various advanced subroutines to remain undetected.
MontysThree was responsible for a series of advanced persistent threat (APT) attacks on various actors in the industrial sector. These kinds of attacks are rare but present a potentially catastrophic target for hackers.
Today, Industry Europe will be diving into the world of cybersecurity and its role in our digitalised future from those involved in the sector. To this end, we interviewed Georgy Shebuldaev, Head of Growth Center at Kaspersky, to find out why protecting industrial interests is so vital.
Industry Europe: Thanks for joining us, Georgy. If you could introduce yourself and what you do, we can begin.
Georgy Shebuldaev: I am the head of the Growth Centre at Kaspersky. The Growth Centre is where we target new Kaspersky business opportunities to deal with various burgeoning sectors. One of our new branches is in industrial cybersecurity, which is a relatively new interest for us, in comparison to protecting home and corporate users. That’s why I’m here.
IE: Would you care to explain why it is so vital to protect industry in the same way you would legislature or corporate cybersecurity?
GS: Well, the most straightforward answer is just in the connection between safety and security. Regarding Operational Technology (OT) and industrial infrastructure, the connection between safety impacts because of cybersecurity events is very strict. Far more strict in comparison to both banking and corporate networks.
The possible risks are bigger. On the topic of the interaction of production processes in something such as the energy sector, we have the potential for blackouts and a cascade of unpleasant situations and risks.
Over the past 20 years, our OT infrastructure has become far more digitalised day-byday. Because of this, the probability of such risks emerges. That’s why, on a global level, we’re seeing a positive movement and a greater push for regulations and mandatory requirements for OT cybersecurity because the issue of plant cybersecurity becomes not only a company-wide risk but could send shockwaves that can be felt at a state level.
IE: What potential threats exist or could exist in the future?
GS: There isn’t a massive difference between what we see in corporate and business structures and what can happen in operational technology. The best example is ransomware, which is designed to be encrypted into corporate machines to get
some money in exchange. When it accidentally gets into OT infrastructure it can cause interruptions of production which can lead to big money losses. We are still seeing a lot of situations - both among our customers and in the wider world - of commodity-based cyber threats hitting OT infrastructure.
At the same time, threats that are far more dangerous and difficult to protect against, such as supply chain attacks, could cause some deeper problems because standard ways to prevent them - the barriers we build around our OT infrastructure - won’t work.
As we move deeper towards Industry 4.0 and the Internet of Things, with free data exchanges and shared cloud services, we may see the return of forms such as denial-of-service (DDoS) attacks on network infrastructure increasing.
IE: How can businesses and industry as a whole best prepare to deal with these evolving threats?
GS: I feel as though in 2020, there are already enough regulations, frameworks, software renders and experts available on the market to protect ourselves from basic threats. If I had to guess, there are probably enough cybersecurity tools to protect against 90-99% of day-to-day threats.
There is already a good stock of security technologies in place, especially in business. All it requires is a standard set of preventive measures, such as network security, segmentation between corporate and industrial networks, proper remote connections with logins, monitoring etc and preventive technologies and applications such as competent antivirus software and device control. Most companies will have most, if not all, of these in place to protect their interests.
However, if we look at more advanced, or “super-critical” industries, the situation is a bit different. From my perspective, when we talk about cybersecurity - or so-called cyber unity - we aim to make any kind of attack inefficient or difficult in general. Our goal is to make criminals want to pick another target because, at the end of the day, protecting business is vital. We want them to think “this is enough for me; this isn’t worth our time” when they attempt to gain information from these industries. Making data frustrating or inefficient to access to will ultimately decentivise attacks from cybercriminals in the long run.
In some cases, however, leaving even a small room for an attack is not acceptable. In cases such as this, we analyse every potential threat vector and the possible impact of those threats on the industry. If we are unable to be 100% sure that all possible cyber-impacts are closed with some countermeasures in place, then we go back to focusing on safety: one more barrier, one more duplication layer etcetera. The relationship between safety and cybersecurity ultimately becomes cross-functional and somewhat symbiotic in more extreme scenarios.
IE: What kind of effects could potential cyberattacks have on industry if companies don’t prepare correctly?
GS: It depends on the situation. It’s on a spectrum. In some cases, nothing or very little will happen because if the attack surface is narrow, in which case normal safety measures should be adequate. Operators simply restore data from the backups and move on. In fact, one of the biggest problems with industrial cybersecurity awareness is that the majority of incidents are not properly investigated. Operators deal with the consequences, while not fully understanding where the attack actually came from.
If there is a situation where the attack surface is far larger, we can see huge money losses. For example, one of the latest cases was the Norsk Hydro attack that happened last year which cost the company nearly €50 million in funds owing to their business freezing entirely.
In critical situations, such as with what unfortunately happened in Ukraine back in 2016 where the whole region faced a blackout owing to a cyberattack, the consequences may be huge and could cause irreparable damage. For instance, hospitals could face power shortages or a dam holding back floods could fail, which raises the stakes to involve human lives.
IE: With increased connectivity - Industry 4.0, Internet of Things etc. - comes increased risk from cyberattacks. Should companies extend recruitment to cybersecurity opportunities or just stick with measures in place to protect their data?
GS: Both approaches can be successful. First of all, just adding some preventive tools is not enough. On the other side, there are always humans. It comes down to expert monitoring and being able to do incident response adequately and deal with and minimise the impact while learning from the situation.
Going back to the original point, some companies like the “on-premise” model, where they have teams of technicians dedicated to cybersecurity and dealing with threats. Others are more attracted towards service models - paying a third-party a subscription to handle cybersecurity.
The chosen model is often dependent on the region. For instance, here in Russia, we tend to prefer the “on-premise” solutions, as do many places in the Middle East. On the other hand, Western Europe and the US tend to favour the service model. The market for service experts is relatively small and fairly niche. It is a new sector as a connection between OT and cybersecurity. It requires a high amount of expertise both in what you are protecting and what you are monitoring against.
There has been an educational shift in recent years amongst companies such as ours towards the training of this calibre, but there is still a lacking labour force for his sector. Because of these shortcomings, a service model should win out in terms of protection efficiency for the short-term.
IE: Could this lead to an increased demand for automotive or AI-based software to aid in cybersecurity?
GS: I guess a certain level of automation for detection and response to threats is inevitable. There is still a long way to go until we see the “cyber-immunity” concept in a live scenario when you will be able to replace people in this situation. For the
moment, it’s always about inventing new ways to counter the new and creative ways cybercriminals can breach infrastructure. I don’t think automation and AI for cybersecurity on an industrial and mass scale is a pertinent goal with current technology.
IE: There are rumours that some governments still prefer physical copies of documents kept under lock-and-key and armed guard. How can industry respond to that kind of thinking?
GS: There might be some specific scenarios where those kinds of offline safety measures can be the best option. When we look at the broader scale, this temptation to just build a fence and try to air-gap in industrial infrastructure using methods from the outside world actually brings even more harm from a cybersecurity perspective because there is no way to ensure that an air-gapped system is 100% secure. First of all, it can be tedious and hard to maintain, and second of all, the software may not be entirely relevant to the air-gapped infrastructure or have the capacity to cover all of it. If we are isolating and focusing on building the fence but not “looking inside” - analysing and such - we lose the ability to properly maintain systems owing to reduced visibility. As such, we also lose the ability to do proper automated responses, linking back to the previous question.
For example, I had a customer with whom I met 13 months after ransomware attacked their servers, and they were still dealing with the fallout from the attack because they had such a large and fragmented system. Malware managed to get in but they were unable to identify the response in due course.
On a broad scale, the increased connectivity is the answer as to how to raise cybersecurity operations and make attacks far easier to handle.
IE: How can smaller businesses with fewer resources protect their own interests in an evolving, more digitised world?
GS: From a cybersecurity perspective, not much differs. The same approaches cost less on a smaller scale. I would argue a service model is key here. The most important thing is to adopt digital technologies and to not be afraid of cybersecurity risks but to just deal with them as a matter of course. After all, digitalisation is about efficiency, and efficiency is about cutting costs, and cutting costs means a lower final price for production and being successful as a business.
I hope that soon, we will see the products of increased digitalisation and Industry 4.0 concepts, such as heavily-decentralised marketplaces where smaller businesses will be able to offer their production facilities. For instance, in this market, Kaspersky’s job would be to provide cybersecurity. I think this is just a part of the progress.
IE: How can we incentivise businesses to make the switch to full digitisation or increased worker automation?
GS: Increased business. If, for instance, you wanted to sell steel constructions, you need to be able to sell them on a dedicated market for a market price. When one company wants to produce or implement digital ways of managing its supply chains, cut costs, or do more proper planning to efficiently load its production facilities, then they win the market. The ones who do not do this will fall behind. It’s just business as usual.
If everyone embraces full digitalisation, then everyone is put on an equal playing field.
IE: How has the ongoing coronavirus pandemic affected demand for cybersecurity, with a large portion of the population working from home?
GS: This has had something of a positive impact on the perception and importance of cybersecurity. The global switch to digital platforms has raised more awareness for it as an industry and raised its priority in the echelons of management maintenance of enterprises.
We have advised on increased cybermanagement, such as how to perform secure remote connections, both to industrial and corporate clients. In general, I like to think that in my field of interest and among my contacts, I would state that customers were prepared and acted accordingly and adapted quickly, and transformed and went digital securely and safely.
Now, the question is: when it all ends, what will happen? Still, when we think of digitalisation we think of robots and artificial intelligence and the displacement of jobs. We are human, after all. It is in our nature to not prioritise questions when they are not urgent. We’ll see.
IE: Do you think this would’ve had the same positive aspect a few years ago with the advent of digitalisation?
GS: An interesting question. It depends on the time-frame. If the pandemic happened, say, 15 years ago, I would say it would be almost impossible for industry to operate effectively. The technology of the time was not yet there, such as with secure connections and remote operations and more advanced operating systems.
If the time-frame was lessened to maybe two-or-three years ago, I think it could have had a similar impact.
IE: Did you have any advice or tips and suggestions for industry to help in their cybersecurity issues or help them as we move towards increased digitalisation?
GS: I think in general, open communications and open interaction is something worth encouraging. When we look at OT infrastructure, it is still relatively closed. They are still involved in closed communities and a lack of transparency regarding information. The more effective the disclosure of information, investigation with experts and community involvement will have a positive impact and encourage those companies looking into investing in OT cybersecurity to finally make the jump.
Several companies are leading in this process. From this perspective, I think active cooperation and open information exchange is something we need.
Technology-wise, there is a lot of fish in the sea when it comes to vendor experts and different services. We are at the point where it is all about adoption and investment. n Visit: www.kaspersky.co.uk