It’s a company’s worst fear to have its information technology (IT) system hacked, sensitive documents leaked, websites altered or data wiped. The government’s recent Cyber Security Defence Strategy is a strong step in the right direction and is further evidence that discussions on cybercrime are more vital than ever. But despite a $230 million budget on initiatives, such as a Cyber Security Growth Centre and the appointment of a Cyber Ambassador, an essential consideration of how cyber security can implicate critical infrastructure at the operational layer with the growth of the IoT (Internet of Things) is one conversation that should be making headlines.
While the focus is often on the protection of data (the IT level), the silent threat is to the operational technology (OT). This is the “nuts and bolts” machinery that keeps Australia’s biggest industrial networks running smoothly. Think mining, manufacturing, electricity, water organisations or gas networks. At its most basic, OT is the equipment that monitors and alters physical devices such as pumps or switches. In our increasingly connected world this operational technology is now prevalent in most businesses. From simple lighting and cooling automation to complex motor control.
Make no mistake, the protection of business operations beyond information is an essential frontier, which must be reinforced. Organisations need to act on the threat of cyber attack before they implement new technology, not after. This isn’t just a theoretical idea either; it’s had very real consequences.
The risk of cyber attack becomes even more serious as organisations increasingly use smart technology (for example, sensors) to connect industrial devices. To give perspective to the impact, research organisation Research and Markets valued the sector at $93.99 billion in 2014 alone and expects it to be worth $151.01 billion by 2020.
Industrial equipment that previously worked in isolation becomes part of a network that is only as strong as its weakest point. Consider the impact of a water system malfunction that cuts off water to an isolated town or a small factory mishap that shuts down a production line for hours.
In the Ukraine just months ago, hackers remotely installed malware and switched breakers that were part of an electrical grid. The result of this simple alteration was a blackout affecting 225,000 people. The attack was the first known successful cyber intrusion to knock a power grid offline. Although it is the first known such attack, it certainly isn’t the only one, and it isn’t the last.
These sorts of attacks aren’t uncommon, but they are rarely spoken about unless it causes significant damage.
In 2000, a disgruntled Queensland resident used simple radio commands to remotely control sewerage equipment which this person had previously worked on. This caused 800,000 litres of raw sewage to spill out into local parks and rivers – an entire system brought to its knees by a simple weak point.
The associated costs of having vulnerable technology targeted can vary from significant to astronomical, especially considering large scale operations like mining, manufacturing or utilities.
It isn’t just big industrial operations that are at risk of having their OT threatened. Everyday business offices could be shut down by hackers simply targeting susceptible building management systems. They have the potential to cut ventilation, disable heating/cooling systems or simply set off alarms.
Cisco estimates the IoT will consist of 50 billion devices connected to the Internet by 2020. We’ve never been more linked by technology, and we’ve never been more at risk. We couldn’t agree more with the government’s belief that cyber security belongs at the centre of business strategy and what is most needed is cultural change to foster this.
Part of this cultural change must be the open discussion of OT protection. While the government’s strategy touches on the topic, there not enough linked to the protection of operations. When protecting the OT, it isn’t the information that is most precious, but continued operation. Without key OT operating, business cannot function. Conversations around this need to happen now, rather than later. We need to grow awareness, and make cyber-security part of our business culture.
The game has changed. Leaked documents can’t be our foremost concern when addressing the cyber security threat. Hacking one piece of industrial equipment can now be the same as attacking a million. And when considering the types of organisations at risk, the scary part is that millions of people can be directly affected.
Australia has robust knowledge of IT protection and experts in the field that have long worked to keep the nation safe. Now it is time to consider IT and OT together and provide industrial protection at all levels.
Brad Yager is a cyber security expert at Schneider Electric.