Certain industries, including oil and gas, manufacturing and chemicals, take human life into consideration when designing and planning work, using frameworks from disaster recovery planning through to checklists designed to avoid issues.
These industries understand that disasters are mostly caused by some combination of human error, dangerous working conditions and faulty equipment.
However, a category one cyber attack on one of these industries could be catastrophic. A category one cyber attack has been defined by the National Cyber Security Centre (NCSC) in the UK as a cyber attack that causes sustained disruption of essential services or affects national security, leading to severe economic or social consequences or loss of life.
"The threat of a category one cyber attack in these industries is that everything could seem right," says Craig Gonzales, head of ethical hacking AMEA, BT in Africa. "The readings on the meter could be fine, checklists would be followed, and equipment would work as it's supposed to, yet danger could still unfold."
As an example, he references 2010, when the Stuxnet virus caused fast-spinning centrifuges to tear themselves apart. "While this attack didn't cost lives, it's not improbable to imagine another attack that does have catastrophic consequences."
The NCSC believes a serious cyber crime is around the corner in the UK, he adds.
Ciaran Martin, CEO of NCSC, says: "I remain in little doubt we will be tested to the full, as a centre, and as a nation, by a major incident at some point in the years ahead; what we would call a category one attack."
While the UK government expects this type of attack to happen as cyber warfare and Internet-connected control systems grow in popularity, that expectation or threat is far from limited to the UK, notes Gonzales.
"Almost every country has critical national infrastructure, many based on similar hardware and software, so when vulnerabilities are identified and exploited, the impact could be felt anywhere."
According to Gonzales, no business is in a position to identify and patch every zero-day threat in their supply chain, so there are no guarantees. Similarly, an attack of this nature would probably come from a nation-state attacker with infinite resources in terms of time, money and legal protection.
"Our recommendation is to mix board-level awareness with a systematic approach to defence in depth. These best practices allow you to make the right defensive decisions whilst mitigating the impact of an exploited vulnerability."
Take it step by step
He says the first step is getting the C-suite and board to buy into this threat. In a time when cyber security is a priority at the highest level, it is important for senior leaders to fundamentally believe a category one threat must be avoided at all costs.
"Once leadership is on board, the business needs to understand what exists, what could be vulnerable, and then act upon that knowledge. Assess the situation, and invest in threat intelligence against the existing systems. When new vulnerabilities are disclosed or when other industrial control systems (ICS) are attacked, even if it's in academic research versus in the wild, you should have a mechanism to know that and start paying attention to your systems."
Then there is the need for continuous visibility. "Knowing what is happening in your ICS is vital for identifying and stopping an attack. The marketplace and talent for asset and traffic visibility is growing rapidly, so finding help shouldn't be hard, but making the decision to capture and analyse traffic to your ICS is essential."
The final step, says Gonzales, is mitigating damage. Once the business knows what it has, and what is vulnerable, and has established intelligence and monitoring, it needs to apply 'war game and table-top' scenarios to see what the potential fallout could be.
"Running these exercises will give the business a sense of the damage that could be caused. This then leads to disaster recovery updates, new processes and procedures, and maybe new mitigation technology so breakdowns don't cascade into category one experiences."