Originally published by Bloomberg on 6 September 2022
Cyberattacks cost the global economy around $1 trillion each year,[1] as malicious actors exploit vulnerabilities in our increasingly interconnected world.
High-profile examples such as Stuxnet and WannaCry emphasize what’s possible in terms of cyberattack scale and ambition. For instance, the WannaCry ransomware attack in 2017 hit notable targets, such as telecommunications companies and hospitals, in more than 150 countries.[2]
While most companies have bolstered their defenses against hackers who target IT networks to steal data, other businesses – notably in the manufacturing and production sectors – are failing to protect themselves against attacks on the operational technology (OT) that controls critical physical infrastructure such as industrial production lines and power generators. This is in part because OT systems have traditionally been “air-gapped” and not connected to the outside world, thus minimizing external threats.
But OT and IT networks are converging and exchanging huge amounts of data and information in the rush to embrace digital transformation. While this brings performance and productivity benefits, it also creates a bigger and more attractive attack surface as more assets and devices become connected. This can lead to outages, equipment failure, financial losses, and even human fatalities.
“As industrial machinery and processes become connected to corporate IT networks and the Internet, it opens them up to cyber threats that could severely disrupt critical operations and affect public safety,” explained Nikki Saunders, Cybersecurity EcoSystem Manager, Pacific, at Schneider Electric.
In 2015, the first known cyberattack on a power grid was carried out in Ukraine, leaving hundreds of thousands of people in the dark in the middle of winter after several power substations – and their back-up systems – were taken offline. According to investigators, operators using the Supervisory Control and Data Acquisition (SCADA) network that controlled the grid were not required to use two-factor authentication. This allowed hackers to acquire their credentials and gain access.[3] Though the power outage lasted a matter of hours, the grid still wasn’t fully operational months later because attackers had compromised firmware on critical devices.
Legacy systems
Much of the OT that is now being modernized was installed and developed decades ago, and was not designed with security in mind. As a result, it can be difficult to install security updates within these outdated operating systems. And if an attack does happen, typical defenses such as antiviruses are either too slow or ineffective, while operators may lack the knowledge to recognize certain threats or know what to protect.
In addition, many OT environments rely on third-party vendors for ongoing support. These vendors often connect their own laptops and external storage devices directly into OT networks without prior cybersecurity checks.
“As a result, many companies choose not to upgrade OT, mainly because it can produce instability in the systems,” said Saunders. “Many of these organizations need to run 24/7 year-round and can’t have downtime like an IT organization can. To combat this, OT has an operational lifespan of anything from 10 to 30 years before an upgrade is even required. So organizations often have the mentality that ‘if it still works, and if it isn’t broken, then don’t fix it’. But that doesn’t enable digital transformation.”
Shared responsibility
For Schneider Electric, cybersecurity is everyone’s responsibility. Manufacturers and equipment suppliers should provide the safest, most up-to-date devices, together with security training for operators – including guidelines on what to do in the event of a cyber incident – while end users must be responsible for keeping their devices updated, and passwords secure.
The global digital automation and energy specialist adheres to a set of industry-leading cybersecurity standards – ISA/IEC 62443 – developed by the International Electrotechnical Commission (IEC) to secure its operations across the supply chain. Measures include a designated “cybersecurity leader” for each Schneider Electric factory, who is responsible for ensuring all workers complete cybersecurity training and adhere to strict protocols; remote access controls for subcontractors with firewalls to separate networks; and the division of factories into zones that are isolated from each other to contain potential breaches.
“Cybersecurity is as much about people processes as it is technology,” said Saunders. “A recent global study revealed that 70% of employees don’t understand what cybersecurity is.[4] Consequently, training and awareness is crucial to implementing any strategy.
“To practice what we preach, we up-skill our people through mandatory annual cybersecurity certification, and we have a customer-facing Cybersecurity Virtual Academy,[5] an online resource providing educational cybersecurity content, as well as opportunities to engage with industry experts through webinars and Q&As.”
However, the efforts of individual organizations are not enough; collaboration and unity across industries are essential to ensure security – and safety – for all. For instance, Schneider Electric is a founding member of the International Society of Automation (ISA) Global Cybersecurity Alliance, whose mission is to advance cybersecurity awareness, education, readiness, and knowledge-sharing, with the focus on people, processes and technology.
Schneider is also a member of the Cybersecurity Coalition, a collection of companies that work with government policymakers globally to look at ways to improve how governments, regulatory bodies, vendors, and their customers come together to tackle cybersecurity risks.
“We believe the cybersecurity journey is better with a trusted partner,” explained Saunders. “Working for the greater good of the digital economy is essential. We partner with other leaders in the cybersecurity space so we can help our customers to maximize the investment they’ve already made in their existing, mature IT environment and to provide a deep understanding of the requirements of the OT environment. This will help them to gain a competitive advantage, increase their brand health, and be regulatory compliant.”
[1] Bloomberg [2] Bloomberg [3] Wired [4] Hashed Out [5] Schneider Electric Global