When we talk about IT attacks in an industrial environment, the parameter that defines the extent of the incident is called the RTO.
The RECOVERY TIME OBJECTIVE is the time within which our system becomes operational again: in essence, the tolerated DOWNTIME. It goes without saying that the more expensive production is, the more our RTO will tend to 0 (interruptions cannot be tolerated): this is especially true for regulated industries and critical processes.

The question to ask is therefore: ONCE THE ATTACK HAS HAPPENED, HOW LONG DOES IT TAKE TO START AGAIN? DO I HAVE A PLAN B?

Here is ServiTecno's “plan B”…

Platforms for Change Control and Version Monitoring address a critical aspect of security that the most talked-about topics in the cyber security field (editor's note: “data privacy” and “anomaly detection”) do not address at all: the intellectual property contained in the applications that manage the process (and not only that).

The industrial sector, and manufacturing in particular, is the second most targeted by cyber crime, and many attacks succeed because of the numerous vulnerabilities present in the production environment.

Regardless of how a threat occurs, these platforms can:

GET READY: Protect the intellectual property of your APPLICATION. Autosave saves a copy of each program revision in a central repository. Access to folders and application backups is managed through a flexible privilege system.

DETECT: Detect unscheduled changes made on different systems and devices. It is important to be able to compare the last saved and validated copy of the program with the one physically running on each device to identify any differences. If differences are found, the appropriate people are alerted and management of the change begins.

RECOVER: Quickly recover from unauthorized changes. With an archive of all program revisions, you can quickly restore the last approved program after an unauthorized change.
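
The compare-and-restore cycle described in the three points above, as an added example (not ServiTecno's or any product's code). It assumes the approved revisions and the program read back from each device are available as text; the device names, field names and sample controller logic are constructed.

```python
import difflib
import hashlib

def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def last_approved(revisions):
    """Newest revision flagged approved, or None when no baseline exists."""
    approved = [r for r in revisions if r["approved"]]
    return max(approved, key=lambda r: r["rev"]) if approved else None

def check_device(device, revisions, running):
    """Compare the program read back from a device with its last approved revision."""
    result = {"device": device, "status": "match", "restore_rev": None, "diff": []}
    base = last_approved(revisions)
    if base is None:
        result["status"] = "no_baseline"  # nothing validated to compare against
    elif sha256(running) != sha256(base["program"]):
        lines = difflib.unified_diff(base["program"].splitlines(),
                                     running.splitlines(), lineterm="", n=0)
        # Drop the two file-header lines and the @@ hunk markers.
        result["diff"] = [l for l in list(lines)[2:] if not l.startswith("@@")]
        result["status"] = "changed"
        result["restore_rev"] = base["rev"]  # last approved revision to restore
    return result

def scan(archive, running):
    return [check_device(d, archive[d], running[d]) for d in sorted(archive)]

# Constructed sample data: device names and controller logic are invented.
LOGIC = "IF Temp > {} THEN Heater := FALSE; END_IF;\nPump := Start AND NOT EStop;"
ARCHIVE = {
    "PLC-LINE1": [{"rev": 1, "approved": True, "program": LOGIC.format(80)},
                  {"rev": 2, "approved": True, "program": LOGIC.format(75)},
                  {"rev": 3, "approved": False, "program": LOGIC.format(90)}],
    "RTU-TANK2": [{"rev": 1, "approved": True, "program": "Valve := Level < 40;"}],
    "HMI-3": [{"rev": 1, "approved": False, "program": "Screen := 1;"}],
}
RUNNING = {  # what was read back from each device
    "PLC-LINE1": LOGIC.format(180),  # threshold changed outside change control
    "RTU-TANK2": "Valve := Level < 40;",
    "HMI-3": "Screen := 1;",
}

if __name__ == "__main__":
    for r in scan(ARCHIVE, RUNNING):
        print(r["device"], r["status"], r["restore_rev"], *r["diff"], sep="\n  ")
```

A device whose archive holds only unapproved revisions is reported as `no_baseline` rather than `match`, since there is no validated copy to compare it with.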

Some food for thought:

1) Employees and resource management: in 2016, 60% of all attacks were carried out by internal personnel: employees or anyone with access to a company's resources.

2) Internetworking: the new business models related to the Internet of Things (IoT) have made manufacturers more vulnerable, as both industrial and corporate networks are now connected to the Internet (and no longer separate), expanding the perimeter and the attack surface.

3) The automation layer: one of the simplest and most successful ways to launch an attack in a production plant is to modify the application that runs on a PC or, above all, on field devices (PLC, RTU, sensors or similar).

“While a predefined set of process parameters can be changed via HMI-SCADA applications, the logic maintained on the controller defines the flow of the process and its safety settings. Therefore, changing the controller logic is the simplest and most effective way to cause such an interruption.”

[1] IBM X-Force® Research, “2016 Cyber Security Intelligence Index”

[2] Barak Perelman, “Cyberthreats Targeting the Factory Floor”, IndustryWeek article, August 2016