More than half of the companies in Germany have been victims of cyber attacks in recent years. However, it is no longer just IT systems which are the subject of cyber attacks. Whilst failures and attacks on traditional IT infrastructures can have an impact on the continuity of operations and often have financial consequences, the failure of industrial control systems can endanger the availability of the (critical) services to be provided. Attacks on operational technology (OT) and industrial control systems (ICS) can have a direct influence on the “real” world, with potentially devastating consequences. CYOSS GmbH has simulated what such an attack could look like.
OT and ICS are present in many areas: from controls in motor vehicles, machines and medical equipment, through to critical infrastructure and everyday fields of building automation, such as elevators and smoke extraction systems. The control systems are particularly vulnerable to cyber attacks. Typical ICS have a long lifecycle – sometimes of up to 20 years. The development of today's installed systems can therefore be traced back to the 1980s and 1990s. When they were designed, neither the current levels of interconnectivity (i.e. Industry 4.0) nor cyber security in general were given much attention. In addition, they are often operated without regular software patching, meaning that software-based end-user protection is not possible. The use of IT components in OT also opens the door to attackers if the components are not sensibly protected and made more robust.
Today, the importance of protection mechanisms for OT and IT is at least as high as the importance of physical protection measures for a factory. Terrorists or other criminal groups are now in a position to gain access to the control system of a plant, thereby endangering the system itself, the environment or people, or to extort “ransom” money from the operator. Attackers can get into the systems and manipulate them via network connections. Malware can completely paralyse large areas and also cause immense physical damage and danger to life and limb. Even before 2017, when many internationally active corporations suffered from numerous cases of production downtime, it was clear that factories and systems are targets for cyber attacks.
Sophisticated security concepts must therefore be created for production environments, so as to guarantee OT and IT security in practice – both for new and older systems. Of course there can never be 100% protection in terms of IT and OT. In future, it will be more a case of identifying attacks in good time, and quickly minimising the damage caused, through effective measures. It is against this background that CYOSS GmbH – at Germany's first Cyber Simulation & Training Center – has developed a training module designed for use with industrial control equipment. In the module, trainees learn about the problems and weak points of networked systems/equipment and expand their skills so that they can quickly identify attacks, and mount a successful defence against them. IT components of a SCADA system, e.g. a monitoring or maintenance system, are used in the virtual training environment, and connected to hardware for controlling production equipment (programmable logic controllers, or PLCs). In order to mimic a real factory situation, actuators can be connected to the control systems, so the trainees can experience at first hand the consequences of the attacks on the training environment.
PLC weak points
Together with its partner, RadarServices, CYOSS GmbH is a provider of “Cyber Security made in Europe”, with a specific focus on IT and OT security. CYOSS has put together a showcase to demonstrate the susceptibilities and vulnerabilities of ICS using a concrete example: manipulation of the controls for a robot arm through weak points in the PLC. For this purpose, a control device for processing packaged goods by means of a robot arm was used. Standard, commonly available hardware and software components were used to programme and monitor these PLC units. The robot arm is operated and monitored via an engineering workstation. Once the attacker – having already achieved access into the company’s network – has identified this computer, they will attempt to access it. These client computers are often not equipped with the latest software. The attacker exploits this in a targeted manner: they will look for weak points and use “exploits” (malware) for criminal purposes.
Once they have gained access to the engineering workstation, they can sabotage the production process and thus massively disrupt operations. This can occur, for example, through the targeted manipulation of the robot’s control programmes. These manipulated programme components then reach the PLC when the next regular maintenance is carried out.
What can be done to combat such incidents, which can cause serious damage? A first step towards protecting ICS is to increase employee awareness in companies and government organisations, and to give targeted training to technical staff. As well as undertaking technical measures, companies must be advised on how people can be supported in their work. Ideas for solutions towards protecting ICS are either derived from the field of traditional IT, or evolve from entrepreneurial innovation processes. However, any technology is useless if the employees don't operate it properly, work in the correct manner, or simply fall for the attackers’ tricks because they have never seen them before. All security measures should therefore be based more on humans, as they constitute a particularly important vector for cyber threats.
Humans can indeed be the critical weak link in any organisation or in any chain of security. Clarification, training and awareness are the key points for “fine-tuning”, in order to substantially reduce the risk factor. CYOSS therefore provides holistic solutions for the complete IT security chain, covering prevention, detection and response. Anyone wanting to effectively counteract the dangers found in cyberspace needs a plan detailing how to recognise attacks, and how to respond appropriately to them. This is precisely where a security operation centre (SOC) comes in. It constantly monitors an organisation’s systems, data and network, so as to be able to identify threats at an early stage and counteract them in a targeted manner. However, it is extremely difficult to find staff qualified in this field, which is why companies are increasingly turning to the services of external SOC specialists. But even these specialists need an internal point of contact – someone who is familiar with the company’s own systems and experienced in matters of information security.
Many companies recognise the importance of information security but find it difficult to recruit appropriately qualified staff. This is because, in addition to standard skills, these roles require sound experience in the detection and handling of cyber attacks. The solution: train your own staff and get them up-to-speed on the challenges of cyber security, so that critical security incidents can be identified in good time, and quickly, safely and appropriately responded to using tried and tested processes. It is worth investing in training your own employees, so that your company can bundle and retain the greatest possible levels of expertise. It is only by bundling security technology and investing in the relevant skills that companies will find a package that meets the highest standards, and protects them from attacks from cyberspace.