To be given by Cliff Martin, Principal Engineer, BAE Systems Submarines, at our “Smart way to Industry 4.0 with PROFINET Based Technologies” series of seminars to be held in Coventry and London this March.
In 2015, approximately 225,000 Ukrainians suddenly found themselves with no electricity at Christmas as a result of a successful phishing email. It is widely believed that Russian operators were responsible, in support of their hybrid warfare strategy in Ukraine; they were also successful in slowing remote remediation efforts (between 3 and 6 hours). These attackers are some of the most capable and well-funded in the world, yet they carried out the power-down segments of their attacks with shocking simplicity: they logged into HMIs and pressed soft-buttons using valid user credentials.
There has been much reporting around the Ukraine cyber-attacks, particularly in the Operational Technology space; however, it is important to draw attention away from the Fear, Uncertainty and Doubt, and towards those aspects that can help us learn and better model threats. One lesson we can learn from the Ukraine attacks is that attackers, whilst focussed on effectiveness, will invariably follow the path of least resistance. Operational Technology security has always required a different approach to traditional IT, and whilst OT security improves technically, year on year, it is important that security programmes continue to take account of the architecture and people/process aspects that influence their risks. In a complex space of multiple suppliers, contractors, customers and sites, evaluating the path of least resistance can be difficult, and the mobile and reactive nature of third-party support can further compound these issues.
This talk will draw on the path of least resistance, considering lessons from the Ukraine and similar types of attacks, and discussing, from an introductory level, good practice secure architecture models and the challenges posed to their implementation by emerging technology and support requirements. Attention will be paid to the way real-world support & operations solutions can unintentionally or invisibly bridge security enforcement zones, and what this means for your threat model.