Booz Allen Hamilton, the global consulting and technology firm, has highlighted the most significant threats to Industrial Control Systems (ICS) in 2016 and 2017, and the most effective measures to counter them, in a recent report titled Industrial Cybersecurity Threat Briefing. These systems control and automate significant portions of our connected lives today, and impact industries such as manufacturing, pharmaceuticals, transportation, energy and petrochemicals, among others.
In a 2015 survey of 314 organisations operating ICS around the world, 20 per cent of which are based in the Middle East, over 100 respondents indicated that their control systems were breached more than twice in the last 12 months [1].
Industrial Control Systems are unique in terms of cybersecurity, as the systems sit at the intersection of the digital world and the real world, where cyber-attacks can cause physical destruction and even death. Recent statistics continue to drive home the seriousness of industrial cybersecurity: across sectors and industries, average annual losses to companies worldwide from cyber-attacks now exceed $7.7 million according to the Ponemon Institute [2].
Industrial sectors such as energy, manufacturing, utilities and transportation are amongst the most at risk. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has reported more than 800 cybersecurity incidents globally since 2011, with most occurring in the energy sector [3]. Cyber-attacks against oil and gas firms in the Middle East made up more than 50 per cent of registered occurrences in the region, according to Repository of Industrial Security Incidents (RISI) data. Conversely, in the US and other Western countries, they account for fewer than 30 per cent of recorded instances.
The Industrial Cybersecurity Threat Briefing warns of a cyber environment that has become more hazardous than ever before to ICS operators. The report provides a broad perspective of:
- The diverse uses of ICS and the expanding list of industries that rely on these systems that impact the daily lives of millions of people
- The current threat landscape, as indicated by major incidents over the past year and a half, including trends in targeting and in the tactics and objectives of threat actors (criminals who have an interest in disrupting these systems)
- The most significant threats that ICS operators are likely to face throughout the rest of 2016 and 2017
- Steps to mitigate these risks, complemented by an overview of previous events. By analysing the methods used, targets selected, and effects of observed incidents, the report provides a comprehensive guide to tackling these threats and minimising their impact
Strategies to prevent and control damage
The report also recommends an incremental approach that focuses on high-impact, low-cost initial steps, while providing the foundation for a long-term strategy.
Understand and Enumerate the Risk: It is extremely difficult, if not impossible, to protect any environment without full visibility of the critical digital components that are deployed within the field.
ICS Threat Intelligence: Understand the threat actors, their motivations, their tactics and techniques.
ICS Architecture, Monitoring, and Situational Awareness: It is important that you identify potential risk early and that you quantify and communicate the potential impact to your business quickly.
Awareness and Training: Effective training from C-level executives to the team of operators and engineers on the plant floor is a critical activity to create awareness around priority threats and risks to safety and environment.
Industrial Incident Response: Understanding what areas to focus on, and what needs to be done in a complex environment in support of incident response, is critical to recover to a safe mode and to smoothly return to normal operations.
Operational Technology (OT) Governance: Effective change management allows organisations to avoid costly incidents in the future.
“The path to success lies in ensuring a comprehensive approach that enables stakeholders to collaborate in addressing shared, multidimensional cyber issues,” explains Dr. Mahir Nayfeh, Senior Vice-President at Booz Allen Hamilton. “Mitigating risk requires more than just tuning firewalls and applying patches; it also involves investing in human capital, and training on policies and procedures. All facets of the cyber domain must be considered: technology and standards, policy and governance, leadership and culture, planning and operations, and management and budgeting. GCC leaders who successfully collaborate with relevant key stakeholders to create an integrated vision for cyberspace will help to ensure continued economic growth in the region, and will establish a global standard for other developing regions to emulate.”