Another high profile attack on the industrial world makes the headlines (step forward Colonial Pipeline), and once again the importance of efficient cyber security controls in this field is brought in to sharp focus. As this article says, for many, if not the majority of people outside the field of industrial automation, the perception is of an environment which is mechanical, oily, greasy, low tech etc. When in reality sites such as power plants, oil refineries, automotive manufacturing, FMCG - I could go on...they are actually home to some of the most sophisticated systems of automated control and data collection and analysis in any field of industry.
At every stage of this process, at every point of data collection, every sensor for control and every automated process there is a potential vulnerability. With every vulnerability, if breached, there is a the potential to wreak havoc. Whether that is harming countless innocent people by poisoning vital provisions (see the attempted attack on Florida's water supply) or the having the ability to increase fuel prices by 4% within 24 hours!
I spoke at length with a candidate today about the resistance often encountered when trying to locate budget for cyber security, particularly in the field of Industrial Automation. She spoke about how it was so often an after thought - and the best way to bring it in to the discussion was either to build it in to a solution or to introduce the theme through the threat of data corruption and theft. Almost like data is the gateway threat to bigger issues - and what was it that the hackers here held to ransom on the Colonial Pipeline?
Almost 100 gigabytes of data...
Wherever there is data there is risk, wherever there is risk there is the opportunity for attack. The Research and Markets report on the global OT and Cyber market estimates it to be worth $18.13bn by 2023 - sounds a lot, and it is. However when the average cost of one cyber attack is $3.86m (https://www.ibm.com/uk-en/security/data-breach) and ransomware attacks estimated to cost $6 trillion by 2021 (!!!) (https://purplesec.us/resources/cyber-security-statistics/) - the issue is not the cost of protection, its the price to pay by not being protected.
The hack on Colonial Pipeline is being seen as one of the most significant attacks on critical national infrastructure in history. The pipeline transports nearly half of the east coast's fuel supplies and prices at pumps are expected to rise if the outage is long lasting.