Industrial environments are no longer an exclusively tangible space, and a large part of productive activity is now made up of digital infrastructure. Protecting it is essential for the success of companies and for global economic balance.
The interconnection of devices and the automation of processes in industrial environments have undoubtedly generated significant improvements in efficiency and productivity. However, this same connectivity has exposed vulnerabilities to cyber-attacks that can have serious consequences for producers, collaborators (such as providers or logistics chains) and even customers.
Experts in the field are working to improve prevention and action systems, aware that future challenges will be increasingly complex. We discussed this with Francisco Lázaro Anguis, associate professor at the Higher Technical School of Engineers in Telecommunication at the Polytechnic University of Madrid (UPM).
The transformation of operating systems
“In the industrial field, we find assets known as OT (Operational Technology) systems, which are production process management technologies,” explained Lázaro Anguis. The term OT covers everything from industrial automation and control systems (or ICS, Industrial Control Systems) to data processors and SCADA (Supervisor Control and Data Acquisition) systems. These systems are characterized, as the specialist explains, for being “equipment that interacts with physical processes (sensors and actuators), provides industrial control systems, and operates under extreme conditions.”
Lázaro Anguis highlights how OT systems, which until a few years ago were isolated from the public Internet, are now being integrated into more open networks. This involves the use of standard commercial operating systems, such as Windows or Linux, and the adoption of Ethernet networks for communication. On top of this, remote maintenance works are being carried out, taking advantage of the existing IT infrastructure.
In this context, the control that these systems exert over critical physical elements, such as pipelines, electric motors, and railroad tracks, is key, in addition to the strategic relevance and migration towards more common technologies and, therefore, with known vulnerabilities.
“The threats respond to different motives and range from economic interests (materializing with ransomware attacks, for example) to geopolitical ones (through denial of service or destruction of information, among others),” said the UPM professor. The targets in both cases would be assets such as switch opening and closing controls, increased centrifuge rotation, like in the Stuxnet attack on nuclear power plants, water treatment plant mixers to alter the water supply, or temperature sensors and actuators, which affect both production and firefighting.
Fortifying industrial cybersecurity
Some of the most common vulnerabilities affecting assets in industrial environments are sustained by outdated or insecure equipment due to lack of upgrades, a lack of segmentation, such as isolation in specific networks, or a lack of protection against intentional attacks. A basic roadmap for creating a secure space would, according to the expert, go through certain essential phases:
- Cybersecurity training. Personnel using the systems should be trained in issues related to this topic. It is also advisable to designate a person or team responsible for cybersecurity within the organization.
- Identify legal obligations. Knowing and complying with existing industry regulations involves establishing an appropriate regulatory and procedural framework to guide actions within the organization.
- Complete and correct asset inventory. This consists of having a record of all existing resources, including equipment, devices, and software. This helps to have better control over them and facilitates the implementation of appropriate security measures.
- Conduct a formal risk analysis. This involves systematic assessments of the cyber risks faced by industrial systems, such as identifying possible threats or assessing their probability of occurrence in order to establish security controls to mitigate these risks.
- Monitor communications and systems. The objective is to detect and respond to potential security incidents in real time. This involves monitoring communications and network traffic, as well as continuously monitoring systems for anomalous behavior or indicators of compromise.
One of the main complexities of this integration is the dichotomy, which is still unresolved, according to the expert, of two approaches to security:
- safety (protection against fortuitous risks)
- and security (prevention of intentional damage).
In the industrial world, a system certified on day X is safe on day X+1 if it has not been modified; in which case it would have to be recertified. In the cyber world, a product that is secure on day X will still be secure on day X+1 as long as it is upgraded. The expected life cycle of OT systems (very long-term) in the IT environment (where transformation is continuous) poses a challenge for risk management.
A future merged with technology
According to Lázaro Anguis, facing this challenge is only possible by integrating best cybersecurity practices with crisis management and business continuity processes, designing strategies to deal with incidents in critical infrastructures. This ensures an effective response and rapid recovery from potential threats.
The dangers lurking in industrial environments will become increasingly complex, although more effective and efficient prediction and prevention systems are being developed alongside the risks. Technology is advancing very quickly, and companies are absorbing new contexts to protect, such as Blockchain, Internet of Things, or Cloud stations. “If I had to choose a future threat, it would be Artificial Intelligence as an adversary; that is, the use that criminals will make of it to facilitate their attacks. Paradoxically, the main countermeasure as an ally of cybersecurity will be AI itself, by making it possible to detect and respond more quickly to attacks,” he concluded.
Contributors to this article:
Francisco Lázaro Anguis is an associate professor at the ETSI (Escuela Técnica Superior de Ingenieros [Higher Technical School of Engineers]) in Telecommunication at the Polytechnic University of Madrid, and in various University Master’s Degrees in Cybersecurity and Data Protection.
Among his extensive career, it is worth mentioning his role as a member of the National Cybersecurity Forum, his qualification by the Spanish Ministry of the Interior as Director of Security, and his ASLAN, SIC, and Huella awards, among others
