Cybersecurity is no longer a far-fetched concept relegated to science fiction or conspiracy theories. It is a major and growing global risk across all industry sectors
Given the increasingly central role of digital technologies, data and connectivity, cybersecurity is widely accepted as a major risk to all industries and society as a whole. Furthermore, as technology becomes more accessible, the skill pool of associated "dark arts" expands – and the risks increase (Figure 1). According to the 2018 Global Risk Report from the World Economic Forum (www.weforum.org), cybersecurity is the third-largest risk faced by businesses. The report also estimates that cyber-crime activities will incur costs of around $8 trillion over the next five years across the entire economy. Furthermore, findings from telecommunications giant Verizon, in its 2017 Breach Investigations Report, found that 95% of "phishing" attacks (disguised emails aimed at stealing information) that led to a breach were followed by some sort of software installation. These points underline the fact that industries must be proactive in dealing with cybersecurity issues.
The view from the boardroom
Too many businesses make cybersecurity a priority only when they have been attacked, and although many recognize the lack of adequate resource allocation to this critical aspect of business resilience, they also admit that they do not have enough understanding of the latest information, security implications and their own vulnerabilities.
Executives are beginning to recognize that those individuals responsible for cyberattacks are highly skilled, are not constrained by the law and are driven by a range of motivating factors. While there is significant activity across many industries to mitigate the potential impacts of cyberattacks, many experts still feel that the level of cybersecurity response may be insufficient or misdirected.
While adequate measures may be in place to protect against data theft and hacking, operations remain vulnerable, making interruptions a likely outcome in the event of a cybersecurity breach. Experts have also suggested, for example, that most oil-and-gas and chemical processing companies do not yet have in place the systems and resources required to precisely determine the source of cyberattacks, or with what frequency they occur, in order to implement preventative measures.
The type of data being stolen is particularly revealing. While sensitive personal information like financial or health records remains a key focus, hackers are increasingly targeting higher-value data relating to infrastructure systems and large industrial facilities. Based on research from cybersecurity firm FireEye (Milpitas, Calif.; www.fireeye.com), 18% of the data exfiltrated through cyberattacks in Europe in 2016 related to companies' industrial control systems, building schematics and blueprints, while a further 19% related to trade secrets.
The threat is real
The potential for performance improvements by using live process data as an input to an operation is largely uncontested in operations and manufacturing. On the whole, it is understood that these types of data are essential to improving operational performance and that data technologies provide opportunities for more accurate risk assessment and control of safety-critical systems (Figure 2). But statistics confirm that the threat of unauthorized data access and cyber-crime is serious and growing – and hacking of these systems or data can directly impact a company's ability to control its own safety systems.
According to the Cost of Cyber Crime Report from the Ponemon Institute (Traverse City, Mich.; www.ponemon.org), the number of breaches is up by an average of 27.4% year over year, and 86% of companies around the world reported that they had experienced at least one cyber incident in 2017.
In 2012, the attacks on Saudi Aramco and Qatar's RasGas entity raised the profile of industrial cybersecurity. At Saudi Aramco, hackers replaced data on hard drives with an image of a burning U.S. flag, prompting the then U.S. Secretary of Defense Leon Panetta to label the incident, "a significant escalation of the cyber threat." Two years later, it was reported that between 2010 and 2014, hackers had stolen source code and blueprints to U.S. oil and water pipelines, as well as power grids, and had infiltrated the U.S. Department of Energy's networks on some 150 occasions. More recently, high-profile breaches at Sony, U.K. telecommunications provider TalkTalk and others have accelerated and amplified concerns about the risks associated with cyberattacks. Understandably, businesses of all sizes are looking at how they can improve their resilience.
It is important that industries are prepared to equip themselves with mitigation measures to defend against cyberattacks. As industries become increasingly dependent upon digital technologies, operational and technology security is a key concern across all sectors.
The chemicals, oil-and-gas, nuclear and renewable-power-generation sectors are diverse regarding the implementation of cybersecurity technologies. Wind- and solar-power generation tend to be on the forefront of advanced connectivity and analytics, while oil-and-gas tends to lag in the same technology area.
While the information technology (IT), data management and communication ends of the operational spectrum have been seen as a major opportunity for cyber theft and corruption, this focus must expand as industries change. To date, this has been a focal point of cybersecurity efforts in all energy and manufacturing sectors. However, the next big area of cybersecurity concern for the oil-and-gas and chemical processing sectors is the rapid advancement of connectivity among previously isolated operational technologies in the field to massive data-management pathways. This is where cybersecurity efforts now need to be focused so that machinery and objects are protected from manipulation and potential compromise.
The highly organized nature of espionage malware is of special concern. For example, Careto (or "The Mask" when translated from Spanish) was discovered in 2014 and believed to target government bodies. More recently, The Mask has been directed at energy companies, and another such threat, known as the Phantom Menace, aimed to compromise the control systems of a marine vessel by stealing data. Malware can remain in the background and run unknown, and then pop up when triggered at a certain time or by an event. Malware has been used historically for stealing confidential data or taking over communication systems and using them as a backdoor to gain access to other systems.
Alongside the increased threat and heightened profile, antivirus software products struggle to keep up. Most virus checkers search for and detect only the most common viruses and malware. It is critical for industries to re-evaluate and further develop those systems for the protection of important assets and infrastructure.
Indeed, cybersecurity is still at an early stage of development across many industries, and not enough is known about the sources and frequency of attacks. Of course, responses and capabilities vary, with some companies committing resources and focus to advancing in this area. Other – usually smaller – companies lack the scale required to develop and affect solutions, so they will look to external sources.
However, the policies and strategies being developed by the E.U., U.K. and U.S. governments on how to manage and control cybersecurity will hopefully help companies to evolve. Industry regulators for each sector of industry have worked to generate policies or directives based on information from strong participants in the cybersecurity community. Each policy specifically addresses infrastructure concerns that are relevant to that region's citizens. It will take constant effort in perpetuity to ensure a company's infrastructure stays as secure and stable as possible. Even if present policies may be sufficient for current known threats, enhanced planning for longterm diligence should be the next immediate effort.
Connectivity equals vulnerability
The increasing digitalization of the energy, chemicals and marine industries has elevated the risk associated with cyberattacks, because hackers can now access data and systems from the outside.
In addition to hardware-based threats, software presents a different type of risk. A software tool may be tied into a company's vulnerable information, which could be, for example, a data-logging entity, the drilling control system of an oil rig or even a company's financial information. So, if a cyber attacker gained access through the physical elements (such as ports, servers and so on), now they have access to a company's financial data – just by inserting a push email. Using a simple email, a virus can embed itself into metadata and continue to spread. In this instance, the very specific nature of the virus means that it is unlikely to be detected by antivirus software.
Knowledge-sharing is a defense
Cybersecurity skills are vital for today's industry. This means training or investing in specialist, as well as operational, teams, so that actions and processes are thoroughly considered in the context of cybersecurity. Comprehensive procedures to help companies tackle cybersecurity issues may include a complete overview of the systems, equipment and personnel at a particular facility and a means of evaluating which elements are most vulnerable to attacks and then comparing their condition to international and regional standards.
Most cyber threats today gain access to operational systems via connected personal and professional computers. The most effective way for future protection of critical infrastructure is to combine efforts and resources to quickly identify common platforms for machine learning and edge computing that will remove the need for human connectivity to operational technology systems.
Additionally, unintentional potential breaches of cybersecurity are common. There have been several notable examples where a USB drive is supposed to be scanned before it goes into any system at a petroleum refinery or other facility. A person may use the drive, then pass it to the next person, and so on and plug it into various systems or devices. This is obviously not secure, but the practice continues, since using USB drives has been the routine practice over and over for third parties, contractors, equipment manufacturers and others.
For this reason, an assessment should always include human and social factors, as well as technical, process and equipment aspects. This includes gaining a deep understanding of how people actually behave, rather than assuming that policy and procedure will manage the reality.
Awareness through training
The 2018 Global State of Information Security Survey conducted by PricewaterhouseCoopers (PwC) found that current employees remain the top source of security incidents. Further, it is estimated that upwards of 90% of successful cyberattacks continue to succeed because of human error – the unwitting actions of anyone in any role within an organization.
This is why an attitude of "awareness through training" is essential (Figure 3). Companies must work with their personnel and engage in conversations with them about the threats that are out there. More-effective employee training is a key factor in reducing the occurrence of cyberattacks and the costs of dealing with breaches after they occur.
Companies may employ an interactive learning platform that allows them to tailor content to suit their employees and specific critical cyber risks. Ideally, such a training platform requires no complex integration, and includes the option for employees to also access the content remotely for increased flexibility.
Also available are diagnostic tools that can assess employees' existing levels of security knowledge and build personalized learning pathways. This allows companies to provide the modules they think are necessary for different roles and levels of knowledge. This tailored approach, together with regular built-in assessments, ensures maximum training effectiveness, increases employee engagement and improves operational efficiency.
Comprehensive training can help to align people, processes and technology with their company's priorities and risks, including threat intelligence, governance, risk and compliance, security testing, training and strategy, managed security services and incident response. Understanding the risk environment of the digital world can help to identify gaps in systems, as well as knowledge gaps with inexperienced employees, and bring awareness and resilience for cyber threats to businesses.
What will be the new norm?
What is on the horizon for the cyber world? Cyber-domain experts are seeing a lot of new trends; specific areas that are evolving include increased exposure due to internet of things (IoT) technologies, increased ransomware attempts and expanded regulations. Ransomware attacks may threaten to release sensitive information unless terms are met or a certain price is paid to the attacker.
Globally, nations and governments are responding to higher levels of cyber-threat mitigation. For example, Singapore's Minister for Communications and Information recently introduced a new standalone Cybersecurity Act. Singapore is reviewing the policy and legislative framework for cybersecurity. The Cybersecurity Act reflects the Singapore government's calibrated and balanced approach towards countenancing cybersecurity threats. It is borne out of an attempt to strike a balance between the need for regulatory authorities to designate, investigate and receive information on critical information infrastructure and cybersecurity threats vis-à-vis the burdens imposed on companies and private individuals in the IT industry.
Cyber risks are rising, and society's technological advances appear to contribute to their proliferation. Experts suggest that beyond industrial threats, the number of cyber incidents involving geo-location systems may cause disruptions in energy supply chains and shipping, as well as risks to consumers who are reliant on GPS-based products. Furthermore, as bitcoin and other cryptocurrencies become more widely adopted, experts expect to see more frequent and severe ransomware campaigns.
Clearly, no organization – or for that matter, nation – can afford to ignore the potential impacts of cyber threats and attacks (Figure 4). No sector of the economy is immune from attack, whether it be industry, government or the not-for-profit sector. The best effort is a change in mindset, particularly between government and industry, emphasizing collaboration. Staying ahead of the advancements in technology, and keeping open communication channels for potential capabilities to access any vulnerability in any part of an operation or a company's supply chain, will be critical. A more open and rapid transfer of threat information from both public and private sectors is the best way for everyone to keep progressing with threat mitigation. While cyber criminals become more sophisticated, so too must our response and proactive defensive measures.
Edited by Mary Page Bailey
Authors
Kristina Drage-Arianson is a principal consultant and the department manager of the Lloyd's Register Risk Management Consulting business (Drammensveien 169, 0277 Oslo, Norway; Phone: +47-400-03-500; Email: kristina.arianson@lr.org). She joined Lloyd's Register straight from graduating with a M.S. in engineering cybernetics. During her 12 years with Lloyd's Register, she has been involved in a wide range of projects, mostly related to oil-and-gas operations, where she helps clients make their businesses safer and more reliable. Her key qualifications are within reliability and availability studies, in particular for safety and control systems. She has also carried out a number of other safety studies, including risk analyses and process safety studies.
Don Crouch is global technical manager – Electronic Control Systems at Lloyd's Register (1330 Enclave Pkwy #200, Houston, TX 77077; Email: don.crouch@lr.org). He also serves as the company's lead for customer-focused cybersecurity development and support in the energy sector. He manages field and office personnel who specialize in evaluating industrial automation control systems, assisting in correcting problems, providing recommendations for improvement of equipment operation and maintenance, ensuring adherence to government and industry regulations and reducing equipment downtime. His expertise is in design, maintenance, diagnostics and repair of all levels of automated electronic and electrohydraulic control systems from component level to full system integrations. With more than 25 years of experience in automation, Crouch began his career training in electronics while serving in the U.S. Navy. Post-service employment included Raytheon and Lockheed Martin. He is a participating member of the Institute of Electrical and Electronic Engineers (IEEE) and the International Society of Automation (ISA).