Data Protection and Security: Priorities Not to Be Ignored

Data protection and security specialists know that the majority of cyber threats are not malicious. In fact, they often come from within and may be caused by staff making mistakes or looking for shortcuts. Although 80 percent of cyber incidents are unintentional, as noted by Software Engineering Institute, cyber attacks from actors with diverse motivations, whether malicious, criminal, or related to intelligence gathering, are on the rise.

State, quasi-state, criminal enterprises, and unpredictable individuals may be remotely investigating your infrastructure probing for weaknesses. Industrial competitors and foreign intelligence services may seek to gain an economic advantage. Cyber criminals may look to make money through fraud or from the sale of valuable information. Hackers might just enjoy the challenge of breaching computer systems, while hacktivists may attack companies for political or ideological motives.

When it comes to risk management, digital technology is increasingly underpinning the operations of modern businesses, which makes effective cybersecurity, data protection, and security are vital.

Shrouded in Secrecy

Organizations are generally reluctant to publicize breaches by cyberattacks and vulnerabilities may not be widely known. However, data protection and security experts keep up with developments via reliable specialized networks. The fast-changing cyber-threat landscape has led governments to facilitate high-level industry cybersecurity forums for organizations involved in Critical National Infrastructure (CNI). Such groups confidentially share information about the threat landscape and collaborate in finding responses.

In 2015, the US Department of Homeland Security reported that the energy sector faced more cyberattacks than any other industry. It has been targeted by robust, state-sponsored cyber-espionage campaigns. The growth of smart grid and distributed generation creates many more access points for penetration into connected computer systems.

Vigilance and Agility

Attackers and scammers are constantly developing new threats. Global security experts at Symantec estimate that 400 businesses are hit by scams every day.

Data protection and security are fast-moving fields. Ensuring safety and security starts with the architecture—both the people and the processes—and design of the system. Every IT department will issue its own list of common-sense dos and don'ts. While they control the software and hardware, what's even harder to manage is the human element. Social engineering—the psychological manipulation of people into performing actions or divulging confidential information—can provide a gateway onto an organization's network.

As GCHQ, the UK's security organization, points out, "If you openly demonstrate weaknesses in your approach to cybersecurity by failing to do the basics, you will experience some form of cyberattack."

IT and OT Convergence Risks

The ongoing convergence of operational technology with information technology brings both threats and opportunities. Connecting industrial components to centralized control centers enables remote management, monitoring, and control of processes, but also opens up new vulnerabilities as off-the-shelf components with standard passwords offer potential attack routes.

The first major cyber weapon identified was the Stuxnet virus, which came to light in 2010. This cunning and complex piece of malware utilized vulnerabilities in the Windows operating system to target specific operational processes. The software was programmed to hunt for predetermined network pathways and target specific systems. It was unwittingly introduced into Iran's uranium enrichment facility via a contractor's laptop. Once it found the precise configuration it sought, it infiltrated the programmable logic controllers (PLCs) regulating the centrifuges and reprogrammed them to speed up the centrifuges. The components' displays continued to report a normal operating speed while the increase in speed led to the destruction of the centrifuges.

Another notable attack on industrial operations came to light more recently when Germany's Federal Office for IT released information about the infiltration of a steel mill. The facility's control systems and enterprise networks were interconnected, which allowed attackers to penetrate the plant control system from the enterprise system. The initial compromise was accomplished via a spear-phishing email and, once into the system, the malware was able to infiltrate the control components. The result was production machine outages, which wrecked the blast furnace.

Such attacks highlighted vulnerabilities in PLCs, which have traditionally relied on the proprietary nature of control system protocols and devices to prevent attacks. This demonstrates that reliance on "security through obscurity" can leave control systems open to attack by skilled and motivated attackers. It's likely there have been hundreds of global control system cyberattacks across multiple industries.

ICS programming is a complex and specialized area. The Industrial Control Systems Cyber Emergency Response Team, a US government/industry collaboration, works to improve the overall cybersecurity posture of control systems within the nation's critical infrastructure.

The last decade has seen the emergence of specialized vulnerability and penetration testing services for industrial control systems, enabling asset operators to hire experts to cyber-proof their systems. Looking to the future, organizations will require their supply chains to meet cyber standards such as ISO 27001, a global standard for Information Security Management, before allowing them access to their assets.

Any organization operating in the digital space must adopt an informed and agile approach to cyber security and the ever-changing threat landscape. It is a daunting task for managers whose mindset was formed in an analog era. However, the digital age brings new opportunities and new challenges. Awareness of and response to rapidly changing cyber threats is a priority that is essential to ensuring data protection and security.