Nothing illogical about it: on the ground, maximum impact has become the attackers' obsession. The most sensitive systems, industrial systems above all, are the most coveted targets. Given the security vulnerabilities created by widespread telework during the COVID crisis, cryptowares redesigned to sabotage industrial computing are feared for the second half of the year. Their potential magnitude will probably exceed that of the first generations of attacks of this type (Stuxnet), while the implementation cost will remain very low for attackers.
In "real life", Lubrizol recently reminded us of the impact of loss of control and lack of preparation in the industrial world. Major industrial accidents (AZF, Fukushima, etc.) urge us all to be humble in the face of the unthinkable and systematically expose our lack of preparation.
Does the world of cybersecurity escape this? No reason to think so.
A growing exposure of industrial IS
Attacks are now designed to disrupt the functioning of businesses and cause maximum harm. Accounting for 18% of cyber insurance claims in 2019, cryptowares are becoming one of the leading scourges. These attacks combine two characteristics: ease of implementation and colossal damage.
A targeted deployment of cryptowares for sabotage purposes on industrial IS is a step closer to the unacceptable: if financial impacts can be untenable for a company, environmental or human impacts are untenable for society as a whole.
The prospect of this type of attack, distributed en masse, is already giving cold sweats to manufacturers of equipment whose reliability is vital to people (planes, cars, road signs, etc.). It is also increasingly occupying the minds of leaders in sensitive industries.
The vectors of these large-scale attacks already exist (Ekans, Snake: the basis of a new generation of cryptowares) and have a greater potential for harm than precursors of the Stuxnet type. Clearly, these attacks are being prepared to cause maximum damage to the greatest number of industrial installations. Those who designed them have been rehearsing in recent years and will certainly take advantage of the vulnerabilities created by the disruption of work organizations in recent weeks to break into systems.
These scenarios must urgently be brought into risk models: they carry a high probability and maximum impact. Everyone must take the protective measures needed to be prepared for the worst and to reduce the consequences.
A regulatory framework is already imposed on industrial players to avert the worst. It is highly structured in France and in Europe, even excessively so according to some companies. But it has the advantage, when cybersecurity takes it as a reference, of providing a common frame of reference.
These standards translate into industrial risk prevention plans at group level and "hazard studies" at local level. These expressions of the protection principles relate in particular to:
The European Seveso 3 directive, revised in 2012 and transposed into the law of each member state. It sets high requirements for industrial sites, with a strong link between each site and the local administrative and civil authorities. With more than 1,300 sites classified as Seveso (upper tier and lower tier), France is no exception. Sites must in particular be equipped to inform and protect local populations. The directive aims to reduce major accidents involving hazardous substances.
The Risks law, promulgated in France in 2003 in the aftermath of the AZF trauma, deepens this system with tighter control over the safety measures implemented. It focuses on "hazard analyses" specific to the local context, covering both populations and employees. Inspections by the authorities are central. The law also relies on lessons-learned capitalization through the ARIA database, which collects events and remains, to date, very poor in incidents of cyber origin (a few events out of more than 40,000).
The LPM (Military Programming Law), which targets OIVs (Operators of Vital Importance), a significant proportion of which are industrial sites. It substantially raises the level of cybersecurity requirements for detecting compromises and responding to incidents from a cyber angle. This frame of reference is not focused on reducing human or environmental disasters.
Cybersecurity has thus been firmly brought into industrial IS through the LPM, but not with a view to reducing the physical or environmental consequences of cyber incidents. Seveso, Risks and LPM therefore remain partly separate. There is a blind spot to deal with: the consequences of a cyber industrial accident.
Responding to a cyber industrial accident
Industrial accidents are almost always the result of a chain of primary causes and aggravating factors. Among these aggravating factors, one is particularly critical: the loss of IT control and therefore of access to sensitive information on a site.
We can identify 4 imperatives that apply to managers and for which minimal IT capacities and up-to-date information are essential.
Imperative 1: Access safety and security procedures and data
Procedures for responding to an industrial accident (securing equipment, exchanges with the authorities, etc.) always exist as a dual system: IS and paper. An industrial accident caused by a cyber attack can render these procedures inaccessible. Their accessibility must therefore be guaranteed upstream in an autonomous, invulnerable and up-to-date system, alongside, of course, essential information such as the list of people on site.
Imperative 2: Have up-to-date production, shipping and stock reports
Lubrizol, among others, was criticized for being unable to report the state of its stocks of hazardous materials, by quantity and type of product. Data tracing hazardous materials, generally held in SCM systems, must be sheltered on the fly in an unassailable sequestration system (cluster) and be accessible from the first seconds of an accident. It covers all stages of the product life cycle, from raw material to dispatch, including manufacturing and storage.
Imperative 3: Be able to coordinate action on the ground
In the event of a local, targeted cyber attack, it must be assumed that no IT tools are working any longer: workstations, applications and ICS environments will be the first targets. An industrial site that has neither an autonomous system to coordinate its teams nor the vital information mentioned above will suffer the attack and its consequences all the more violently.
Imperative 4: Restart as soon as possible after the attack has been neutralized
To restart after a cyber attack, backups and fallback systems are essential, but putting them to use often requires prerequisites: operational working resources, technical information (configuration plans, restart scripts, IoT reference databases, etc.), up-to-date procedures, back-up systems, etc. The company must have a Computer Recovery Plan made immune to attacks that paralyze both nominal and back-up systems.
Each dimension addressed in this article could be developed further; the lack of preparation for dealing with the consequences of an "industrial cyber accident" is too great in France, as in many countries. Every decision-maker in an industrial group should be reminded that, beyond the regulatory requirement, it is their responsibility to urgently mobilize means of response adapted to this type of accident. It is vital to guarantee, in all circumstances, access to the data essential to the safety of each industrial site, and to be able to coordinate teams and their relations with the authorities. Moving from better protection to better resistance is a priority.
* Cryptoware: data-encryption software used for destabilization or ransom.