Cyber security continues to be a very hot topic in the media. At one point, 2011 was widely described as the year of the “Mega Breach,” featuring cyberattacks that scooped up the personal information of hundreds of millions of people worldwide. Then in 2013 more than a half-billion identities were compromised, surpassing all previous years. The escalation continued in 2014 with some very high-profile companies suffering security breaches, including Target, Home Depot, JP Morgan/Chase, etc. By 2015, it was clear that not even the U.S. Government was completely capable of protecting personally identifiable information (PII), when the Office of Personnel Management announced social security numbers and other details of more than 20 million federal employees had been stolen.
According to security software maker Symantec’s Internet Security Threat Report (ISTR Vol 20 April 2015), while breaches continue to rise year over year, attention in the internet security community is “beginning to shift from just what was being ex-filtrated to increasing the emphasis on the methods and tactics being employed.” Attackers are moving faster, and their techniques are becoming more deceptive and stealthy. While the majority of malware is still non-targeted and just looking for low-hanging fruit, there is also growth in more focused attacks and advanced persistent threats which are much harder to detect and defend against.
A skilled and patient opponent
While the majority of media and criminal cyber attention is still outside of the industrial sector, there are clear indications that all is not quiet within our industry. In the U.S., the Industrial Control Systems - Cyber Emergency Response Team (ICS-CERT) has reported and investigated hundreds of incidents in each of the last several years. Moreover, the internal data shows some disturbing trends. While the energy sector has been targeted with the highest percentage of attack incidents, the number two target has been the critical manufacturing sector, some of which were from control systems equipment manufacturers.
Recently, the ICS community has had to deal with targeted malware attacks such as Havex/Dragonfly and BlackEnergy. These may utilize some traditional malware techniques, along with more sophisticated approaches such as fake websites with download links to industrial control software, also known as ‘watering holes’. In a few cases, even the websites of actual industrial control product providers were infected! The latter was likely accomplished via an email campaign, where selected executives and senior employees at the target companies receive emails containing a malicious PDF attachment, also known as ‘spear phishing.’ Employees remain the easiest way for hackers to breach internal systems, via infected email downloads or mass storage devices.
While the recent activity has not resulted in widespread outages or general damage to industrial systems, there is evidence that detailed information about these systems was collected and returned to the perpetrators. Also, some of this malware seems to be aimed at quietly establishing backdoors in the infected infrastructure, allowing cyber attackers to return and reuse stolen information at a later date. Connecting the dots between such realities points to disturbing conclusions.
A transformed industry
While power facilities may have always been somewhat vulnerable, this was perhaps less clear because systems tended to be more isolated and more diverse than today. The industrial sector has gradually shifted from proprietary systems to common technologies like Windows OS and standard TCP/IP networks, which has opened opportunities for malicious actors already experienced with these platforms. There were perfectly good reasons for making this transition, but now the shift requires cyber protection systems that previously weren’t considered. This protection should be multi-layered, including security that is not just built around systems, but also physical infrastructure and human awareness.
According to ICS-CERT, a summary of data from 2014 showed that out of the total number of incidents reported, roughly 55 percent involved advanced persistent threats (APT), or sophisticated cyber attackers. This is significant because a decade ago the notion that ICS would be of interest to hackers was just theory. After some actual infections by worms like Slammer and Conficker, the issue was viewed by many as consequential due to the use of common operating systems and networking technology.
Today it is clearly understood that hackers from various nation states as well as cyber criminals are not only active in our segment, but are growing in sophistication as they attempt to gather information and establish footholds inside industrial control systems. The industrial community is no longer unaware and has set about the challenge of securing these systems on which much of our critical infrastructure relies. Governments are moving to establish regulations and metrics, but the speed and effectiveness of our response to these challenges still requires increasing attention.
Commitment to a secure, defense-in-depth approach
At ABB, cyber security is beyond the hot topic of the day. The matter of protecting our employees, our organization and the integrity of our products is a foundational responsibility which helps protect our customers and their operations. This requires a systemic approach involving our information systems, our product development teams, project engineering resources and on-site service personnel.
The protection of the Internet of Things, Services and People’s (IoTSP) interwoven systems of information technology and operational technology is central to the company’s Next Level strategy. With more than half of ABB’s products related to software, the company and its thousands of software developers, commissioning engineers and service personnel recognize the vital importance of integrating cyber protection across the life cycle of systems. To manage our approach to cyber security across the enterprise, ABB has established a Group Cyber Security Council and cyber security teams at unit and division levels to ensure that security controls and best practices are shared across the company.
No single solution can keep increasingly interconnected systems secure, so ABB works with customers to create a defense-in-depth approach where multiple security layers detect and deter threats – if, where and when they may arise. ABB is active in cyber security standardization efforts through many external initiatives, and participation with groups such as the International Electrotechnical Commission (IEC) and the International Society of Automation (ISA). ABB has also joined the Industrial Internet Consortium (IIC), and is working together with global companies, groups and universities to accelerate the secure adoption of the IoTSP.
ABB is committed to meeting this security challenge through continuous participation with industry stakeholders as a responsible partner. Our project and service teams are diligently working to ensure the ongoing security of the systems delivered and deployed at our customers’ sites. With the solid support of senior management, dedication on the part of every employee and valuable coordination with the customers we serve, ABB remains focused on improving industrial control system cyber security in every detail.