Cevn Vibert

www.Vibert.co.uk
cevn@vibert.co.uk
+447909 992786

Industrial Cyber Security in 2016

We are all going to die! was the repeated phrase at a recent Cyber Security Conference Key note
address by Eugene Kaspersky of Kaspersky Labs. He said it tongue in check as most of the
presentations at Cyber Conferences are doom and gloom.
Cyber Attacks on Industrial Control Systems are increasing both in complexity and in frequency. All
the statistics from the industry back this up. The attackers dont need high complexity or advanced
skill sets to attack most Industrial Control Systems. Its almost childs play.
Attackers used to be a wide range of groups from a script-kiddie to nation-states but now the
primary volume of successful attacks are from organised crime. Crime gangs have widened their
business models to now include Hacking-as-a-service HAAS where you can define your attack and
target and strategy online with an Attacking Service and pay for the attack, delivery, telephone
support and service level agreement SLA, all online, using PayPal.
Many conferences now are haranguing the audience as being incompetent, again tongue-in-cheek,
but aiming at the people who do not implement Security-by-Design in their products and systems
together with the industry as a whole who have not yet eradicated Cyber Attacks by Leap-Frogging
the bad guys with innovative new defences and solutions.
We have got to stop talking about Stuxnet and start talking about Innovation and new ways of
thinking. Keynote speakers are talking about the soft skills of the Cyber War. Cyber-attacks are made
by humans, often exploiting human weaknesses as key building blocks of their attacks. The Cyber
Defence industry must recognise this more and build Security Improvement Programs which include
humans as the core to the solution.
The typical myths which bolster the prevalent inertia in organisations IT and ICS systems are well
known and have been debunked a thousand times.

Myth:
Fact:

We are disconnected.
Most systems have at least 10+ information connections to the World.

Myth:
Fact:

Firewall protected.
Most firewalls set to allow any on inbound and poorly understood by each department..

Myth:
Fact:

Hackers dont understand SCADA/OT/ICS.

Increase of hackers specifically attacking ICS/OT/SCADA due to kudos of accomplishment.

Myth:
Fact:

We are an unlikely target.

Can be collateral due to proliferation of attacks and own supply chain. E.g. Stuxnet variants.

Myth:
Fact:

Safety backup system will protect us.

Safety systems just as likely to be hit as control systems. Often similar systems deployed.

The myths are certainly well entrenched in Industrial Control Systems owners as the current systems
work well and they have not seen lots of local news about their neighbours and competitors
suffering the negative consequences of cyber-attacks. The cost of a Security Enhancement

programme is seen as prohibitive by the Board and Senior Management. What is not so well
recognised are the business and operational improvements a Security Programme will bring about.
This is typically reduced insurance premiums, reduction in the cash safety float, improved operations
and increased resilience. These business improvements are often enhanced by better staff moral
and clearer understanding of Operational Technology and the current risks landscape.
Over 60% or Information breaches took months to be discovered, not days or hours or minutes.
Around 70% or respondents to a recent survey admitted being victims to a cyber-attack.
Organisations are not reporting the attacks, the effects or the remediations carried out, due to strict
corporate embargoes.
The steps to climb the stairway to security can be very high, certainly for organisations with
extensive legacy systems, but the steps need to be climbed. The best approach is to build smaller
steps, parallel steps, and think differently.
Remember that the bad guys are always improving, so it is essential for organisations to also keep
improving but also looking for that giant leap ahead in defences. There is talk of new Secure
Operating Systems, new Secure Trusted Computer Systems, and of the increased lock-down and
monitoring of The Internet. All these advances are being made but are they appearing on the market
quickly enough to make that giant leap forward in the Cyber Arms Race?
We all hope so as We all want to live!.