In today’s connected and transforming economy, every company faces the threat of a cyber attack on its IT systems. For clean technology companies, this risk is now compounded by the possibility of an attack on operational technology (OT).
We are continuing weekly blog posts of articles from the leading clean energy journal in Colorado, the 2017-18 Innovative Energy Review. This is the second article in this series. Check out the full magazine here.
By Christi L. Edwards and John Graham
Many cleantech companies are connecting industrial control systems with manufacturing equipment in the Internet of Things (IoT). Benefits of this “smart manufacturing” include enhanced productivity, product quality, and operating and energy efficiency; reduced costs and waste; and faster delivery of products to markets,
For all of its strengths, however, this digital ecosystem is exposed to significant cyber risks. Since the
industrial control system and plant machinery are connected to the Internet or a wireless network, they can be hacked, resulting in such devastating outcomes as malfunctioning equipment and the theft of proprietary data.
Two recent articles in Wired magazine underscore this dire threat. A May 2017 story covered researchers at security firm Trend Micro were able to exploit security vulnerabilities in the industrial control system operating a networked and IoT-controlled robotic arm. By tampering with the data, they were able to compromise the robot’s capabilities. In other words, the robotic arm could be programmed to perform a task with incorrect specifications.
A feature published the following month detailed how researchers at the University of Tulsa remotely hacked into a single wind turbine at a wind farm. Since all the turbines were connected in the wind farm’s wireless network, the researchers were able to remotely shut down the entire system. Even worse, they had gained the ability to abruptly stop a turbine, which would severely damage the rotor blades and gearbox.
Such cyber threats seriously challenge the operations of all businesses. For cleantech companies operating with very tight product delivery timeframes in a just-in-time environment, such as suppliers to the automotive industry, a disruption to the normal flow of business can quickly erode customer trust.
In today’s interconnected global economy, a cyber attack against one supplier in a far-flung supply chain can disrupt business for all of the companies dependent upon that supplier. If the company’s operations halt for just a few hours or a day, the repercussions will be felt throughout the entire supply chain.
Hacker ingenuity is endless
Business disruptions from cyber attacks occur in diverse ways. Malware introduced into an OT system can cause physical damage to Internet-connected equipment, slowing down production lines. Hackers can modify data programming to produce design and production errors. Data also can be destroyed or held for ransom, affecting both production schedules and proprietary research and development.
Many cyber attacks capitalize on a company’s inferior cyber security standards and processes. A case in point is phishing – employees who unwittingly click on an attachment in an email infected with malware, opening the doors of the network to the hacker. Another substandard process involves the issuance of administrative data access credentials to too many people. If the person is hacked, the thief now has a window into protected data zones on the network.
Hackers use a variety of attack methods like a DDoS (distributed denial of service) attack and SQL (structured query language) injection attack to penetrate OT systems. Companies also must contend with interruptions to operations caused by the temporary outage of an ISP or partnering cloud provider that is hacked.
Since cleantech companies create products and services designed to reduce adverse environmental impacts and create energy independence, a cyber attack may generate unfavorable media attention. For example, an August 2016 Forbes article cited the ethical hacking by a homeowner of his Internet-
“Since all the turbines were connected in the wind farm’s wireless network, the researchers were able to remotely shut down the entire system.”
connected solar panel array to test its security. The person inadvertently gained access to the home networks of more than 1,000 other homes using similar solar arrays, exposing these homeowners’ personal data. Had this been a malicious hack, the provider’s reputation could have suffered irreparable harm.
What can be done?
More cleantech companies will implement IoT-enabled operating systems in the future, particularly as the cost of the electronics, software, sensors, actuators, and network connectivity for smart manufacturing drops. For these organizations, OT cyber risk management is now just as important as IT cyber risk management.
There are ways to reduce the impact of a cyber attack. To limit the extent of a network intrusion from a phishing attack, consider splitting the network into a series of sub-networks, each with a different layer of security. Mission critical systems, for example, would be contained in zones having the highest security. While this may not stop the progress of expert hackers, it will slow them down, giving cyber security professionals time to detect the intrusion and launch countermeasures.
Another smart tactic is to undertake a full accounting of all the devices that are connected to the IT and OT infrastructures. Once armed with this information, determine which devices absolutely need an open connection and close off access to the remainder. In this regard, companies might want to implement the practice of “application whitelisting,” in which only previously reviewed and approved software applications are allowed to run on the network.
Once this blueprint of normal network activity is developed, security pros are better positioned to monitor activities that occur outside the norm. The use of solutions like Security Information and Event Management (SIEM) software can provide real-time analysis of a security alert to prescribe the optimum course of action.
With regard to issuing administrative data-access credentials, a best practice is to observe the “principle of least privilege,” an important concept in computer security, in which data access is restricted to a user’s defined job necessities.
To explicitly know what to do when an attack occurs, incident response planning is critical. Once a plan is developed, routinely practice it by conducting “fire drills” that involve technical teams across the enterprise. Such collaboration is essential because of the interrelationship of the IT and OT infrastructures. After each drill, measure the effectiveness of the incident response to achieve continuous improvements in recovery times.
Lastly, given the vital importance of cyber security to operational effectiveness and production goals, a company must have a culture of cyber risk preparedness – from the top down.
Smart manufacturing is the future happening now. To address the business disruption risks of this emerging connected OT infrastructure, cleantech companies should consider the value of partnering with cyber risk management specialists. Partnering with a specialist is necessary to identify and mitigate your operating environment’s specific vulnerabilities, in addition to obtaining cyber incident response services and a full range of insurance solutions.
Christi L. Edwards is senior vice president and clean tech practice manager for Chubb North America.
John Graham is vice president and cyber product manager for Chubb’s Commercial Insurance.