Cyber protection of industrial networks is in a poor state despite the growing sophistication and number of attacks, said leading cyber security expert Eugene Kaspersky.
The CEO and founder of Russian cyber security firm Kaspersky Lab spoke during an event at London’s Science Museum, where he launched the company’s new product for securing critical infrastructure and industrial facilities.
The Novorossiysk-born entrepreneur said that although only a limited number of successful cyber attacks on infrastructure have been reported so far, the situation is far worse, as companies frequently don’t disclose the problems or aren't even aware of them.
“Many enterprises don’t even know that they are hacked, especially when it comes to SCADA systems (systems for remote operating and control),” Kaspersky said. “They know what to do with office network attacks, but they are clueless when it comes to industrial cyber systems, even the police don’t have a clue.”
Wiping out SCADA servers was part of the sophisticated attack that caused a massive blackout in Ukraine in December last year. The Ukrainian engineers were only able to restore power by manually overriding the digital control – but such a solution may not be available in more modern systems, where the option to manually override the electronics simply doesn’t exist.
“In many companies, we see a disconcerting approach to industrial computer systems - as long as these systems work, they don’t touch them,” Kaspersky remarked. “As a result, you would see some totally outdated systems, like MS DOS, or Windows 3,1 powering systems of critical infrastructure companies.”
The problem will only become more pronounced, not only due to the increasing resourcefulness of hackers, but also with the growing factory automation.
“In the past we have been designing system to have redundancy in case of failure,” explained Cevn Vibert, industrial control systems security evangelist from Solutions PT, speaking during the Kaspersky Lab event. “But we haven’t been designing them with the situation in mind that someone maliciously harms them, overrides them. We need a complete change of mind set.”
With the increasing connectivity of industrial systems and the rise of the Internet of Things, cyber security concerns spread far beyond the traditional computers and networks. Even those designing wind turbines need to be aware of such issues as a possible hack of a wind turbine control mechanism could have widespread consequences.
“Protecting an office network is much more difficult than simply downloading an antivirus,” Kaspersky said. “But for industrial systems, it is even more difficult because every plant is different. It’s not about deploying a product, it’s an ongoing project.”
According to Kaspersky, the problem starts with missing regulations.
“Critical infrastructure is about national and global security and economy so I think that the leading role is for the government,” Kaspersky said. “They need to understand the problem, educate enterprises and design strategies how to protect the infrastructure. There should be clear guidance for companies on how to build cyber security systems, now there is nothing.”
The antivirus supremo stressed that the problem is not going away. Quite on the contrary: with the development of autonomous cars and the spread of smart house technology, the risks are only going to get more elevated. In the past months, hospitals in Australia, USA and Germany have been effectively locked out of their computers by attackers using ransomware to request payment for making the systems operational again. That is only the tip of the iceberg.
“My answer to this is don’t pay ransom – have better cyber security in place,” Kaspersky said. “Securing infrastructure against hackers is a massive challenge, but I believe that one day we will achieve the state when you can have a wind turbine connected to the Internet, but still be absolutely secure. My dream is to achieve the level of security where it would cost more to hack something than are the possible gains from the attack.”
Kaspersky’s new Industrial CyberSecurity product represents one of the first steps towards this goal. It provides a multi-layered approach to securing the most hack-prone elements of industrial systems including SCADA servers, engineering workstations and human-machine interfaces.