In this age of cyber attacks: An interview with Vineet Gupta
Vineet Gupta tells Control Engineering Asia which sectors are frequently hit by cyber attacks and how many organisations are adopting IIoT, which brings with it more cybersecurity risks.
July 5, 2017
By Lim Guan Yu
Vineet Gupta is senior technical presales manager, critical infrastructure protection, Asia Pacific, Kaspersky Lab.
More than half of the top 15 countries that are most vulnerable to ICS system attacks come from Asia. Southeast Asian countries like Vietnam, Indonesia and Malaysia are among the top 10 countries. Why is this so?
These findings are based on the ICS CERT report that was released by Kaspersky Lab in June last year.
One of the main reasons we see is the lack of education in terms of cybersecurity in the ICS sector in these regions. They know there is a cybersecurity risk at stake but the majority of the mindset is that if they have not been breached, they believe their network and infrastructure are sound. However, the mindset needs to be switched. They need to be proactive in thinking that you just have not been targeted.
If we look at the trends across the region, companies are still focusing on isolation as a form of security. But it is impossible to isolate the entire system; there will still be vulnerabilities. A classic example is the Ukraine incident.
Security is not just about technology alone; it is the people, process and technology. Companies are spending 98 per cent of their security expenditure on technology and hardly spending on training the people, changing their behaviour. For example, when we talk to an engineer in the ICS environment, he understands that security is vital. However, he does not know that there are still people in the organisation who, thinking that they are isolated, plug in their USB or phone charger without realising that once the phone is connected, you are on the internet and open to vulnerabilities.
Another factor to consider in this region is regulation; most of the countries do not have a regulation forcing them to implement various measures of security. So some are going with some basic firewall requirements, VPN, antivirus but not a comprehensive and holistic solution catered particularly for the ICS sector.
A constant challenge that companies also face is deciding which anti-virus solution is the best for their company. That is why training, awareness and overall education are very important. It is something that companies need to begin with to realise and understand the risk and then go for the implementation rather than talking about implementation at the beginning.
Which countries are regarded highly in terms of cybersecurity and what do governments, companies and institutions do to achieve that?
Regardless of territory, I think the weakest link in any security environment is people. So education is essential to educate employees, vendors, etc. A secure ICS environment is not just based on a strong network security but also securing the entire ICS environment.
Secondly, from a technology perspective, is implementing the right solutions for your organisation. Implementing security is not just about the technology products, it is about the service. It is important for companies to choose someone who has been in the business for a long time. What these vendors can offer is not only the investigation or the solution services but most importantly how companies can predict if their network is being targeted. Companies do not want to wait for something to happen. They need to know what kind of risk they have as an organisation and how do they mitigate those risks and then we can talk about implementing the solution.
Which industrial sectors are frequently hit by cyber attacks? Unlike traditional IT networks, which prioritise confidentiality, ICS systems demand continuity and consistency. What is the damage faced by a company after being attacked?
In general, we see attacks in the critical energy sector such as oil and gas companies or power plants. Hackers find them lucrative as these companies can impact and disrupt the larger population such as causing blackouts in the city and resulting in a very high profile attack.
But if you look at Kaspersky Lab’s data on the ICS CERT security network, we found that most of the companies that have been breached were from the manufacturing sector.
A breach that occurs in the ICS sector can and will have serious repercussions. For example, if a hacker is able to take control of the plant in the oil and gas company, it can lead to safety issues such as fires, accidents and it may even result in deaths.
If we look at the utilities sector, an attack on the utilities plant will have extreme consequences on the entire country and population. Imagine if a hacker gains control of a utilities plant that supplies water to the population: they can cut off the water supply or contaminate the water, which can result in a national catastrophe.
For sure, a breach on the ICS industry can be very costly and it can impact the greater population. Organisations should look at security companies that will help them do a “cyber physical impact” analysis. The customer will be able to know which are the critical equipment in the complex and from this, we can find out what are the possible attack vectors and if the hackers managed to attack it, what will the effect be and more importantly how to prevent it.
In the past, production networks were not connected to IT. But now with Industry 4.0 and IIOT, how does cybersecurity play a role in the field of automation?
The introduction of the Industrial Internet of Things (IIoT) is making industrial control equipment reliant on information technology. IIoT involves enabling self-learning machines, big data methods, M2M (machine-to-machine) communication, and industrial automation technologies. Organisations that adopt them will undoubtedly reap many benefits, but it also means new cybersecurity risks.
The risks vary from financial risk of possible manufacturing downtime to penalties from the information security regulator if organisations fail to meet the cybersecurity requirements. For a successful security implementation, organisations need to have the appropriate tools to provide a reliable layer of protection, without disturbing the technological process.
When we implement security in the ICS environment and when we talk about industry 4.0, there is a slight difference in the approach.
In the case of most companies in the ICS sector, they typically will be using the Brownfield process approach. What this means is that security will be embedded into the existing equipment.
However for Industry 4.0, the sensors and the devices are new and what they need is a “secure by design” approach. First, we will secure the device and the sensors and then move on to securing the communications and thereafter securing the whole infrastructure such as the networks.
The “securing by design” concept has its set of challenges and this is why Kaspersky has come out with our own operating system (OS) that allows customers such as manufacturers to embed our software in their device to make it a more secure infrastructure and environment.