
Why you need defence-in-depth: a lexicon of cybersecurity

June 10, 2016
“The industrial sector has become a prime target for cyber attacks. Whether through malicious outsider intent or accidental insider actions, critical infrastructure is at risk of infiltration, infection, and disruption,” says Adrian Marziano, ANZ Enterprise Account Manager for GE Oil & Gas.
Marziano is part of a GE team helping companies in the field of liquefied natural gas (LNG) to discover and defend weaknesses in the cybersecurity of their operational technology—the machinery and processes that are rapidly being digitised and connected to computers and cloud-based networks with the aim of refining operations in an intensely competitive market. Although such organisations may long have had advanced IT security systems in place, operational technology (OT) can be a blind spot.

In 2015, the US Industrial Control Systems Cybersecurity Emergency Response Team (ICS-CERT) responded to 295 reported incidents of cyber-infiltration of critical infrastructure in the United States. (The Australian equivalent body CERT Australia does not isolate industrial-systems incidents in its reporting.) Underreporting is believed to be rife, given that companies fear appearing vulnerable, and are likely to want to get their house in order before admitting that their defences have been breached or that, in fact, they have no defences.
The commercial drivers of digitisation are driving connectivity faster than the awareness of security concerns that come with it.

Connecting machinery to the Industrial Internet is an asset-performance-management opportunity that industries, from resource extraction to water utilities, manufacturing and healthcare, can’t afford to ignore. But because the Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems used to manage and automate many machine processes have not been designed with inherent security capabilities, connecting them to the internet or other internet-connected computer technology opens a new playground for hackers and “bad actors” of all motivations.

“It’s critical that our customers secure their industrial environment as a first step, even if they plan to defer their full digitisation journey to a later time,” says Rajiv Niles, global director of industrial cybersecurity at Wurldtech, a GE Digital company. “With the pervasiveness of malware, even environments that have limited connectivity can become compromised, sometimes inadvertently from within the organisation.” In this video, Niles gives a couple of examples of how unwitting human error can lead to the breach and compromise of company systems.

“Spear phishing”, in which outsiders target employees with bogus emails, with the intention of gaining access to a company network or installing malware, is another hacker approach that staff may innocently accede to.

More persistent malicious attacks are frequently automated, says Marziano. Would-be infiltrators “build a virus or a bot that just travels through the internet and keeps trying to find vulnerabilities; they’re self-fulfilling in the sense that they will find a way in somewhere at some time.”

Compared to the IT environment, in which sensitive or proprietary data can be stolen or tampered with, the risks for infrastructure such as power grids, gas pipelines, drilling rigs, medical installations and natural-gas-liquefaction plants are life-threatening.

“Our customers’ two biggest concerns are the safety and well-being of their staff and the risk to the environment,” says Marziano. “If they were to get hacked, the result might be a flash fire or an explosion that could harm personnel and also cause major environmental problems. The third risk is to efficiency, losing production output due to a hacker-initiated malfunction; and after that, there’s loss of operational data to a competitor or hostile state.”

GE, with its vast installed base of machinery in industries as diverse as mining, aviation and wind farming, acquired Wurldtech, an international leader in cybersecurity for operational technology environments, in May 2014, as part of its efforts to protect critical infrastructure and its customers’ operations.
Industrial environments have a legacy of being ‘air gapped’, which implies that they are closed networks, but they are slowly getting connected.

At that time, the Industrial Internet was a vision, nascent. Sensors on locomotives, wind turbines, subsea Christmas trees, lighting systems ... were proliferating. Operators were hopeful of learning from the streams of data emitted by their own machinery. The development of cloud computing enabled greater analytical capability and comparative analysis than ever before. It was big-data crunch time as a new level of asset-performance management became a reality.

“People are really keen to find out the digital truth. You get to the digital truth by collecting data from different points and different machines, people and sites, and benchmarking—finding out what’s actually happening rather than an interpretation of what’s happening,” says Marziano.

Adrian Marziano is part of the GE team helping companies in the field of liquefied natural gas (LNG) to discover and defend weaknesses in the cybersecurity of their operational technology.

Marziano believes that no industrial company can now afford to be an island: “Traditionally these companies have worked in isolation and each one has become a closed loop, which made it difficult to compare one operation to the next.” Recently, he says, there’s been a dynamic change, first within companies and their different sites: “Data is enabling comparison of one plant with another, operating shifts and engineers with one another. Data is bringing whole companies together with a holistic view of what is going on in the organisation, often on a global scale.”

Anomalies in comparative data from different company sites can be sifted to provide best-practice examples, and to predict the performance of machines, to optimise and plan maintenance procedures for least disruption to production. Being aware of the digital truth and acting on it will increase profit margins, and help eradicate wasteful practices.

The other change taking place is a realisation by company managers that “if they keep working in a unique fashion, without benchmarking of operational excellence between companies, they’re going to fall behind,” says Marziano.

Within organisations and between them, interconnectivity requires OT system gates and checkpoints to identify breaches of security and also unintended changes in machine operation—which may indicate a breach, or flag a genuine malfunction or deviation. It requires policies that employees are trained and motivated to adhere to. It requires what’s known as defence-in-depth:

Defence-in-depth, explains Niles in brief, “is multiple layers of system fortification that allow for the highest level of risk mitigation from cyber threats”. The best systems don’t assume they will repel every attack, but are rather designed to reduce an organisation’s attack surface, detect breaches, and stop the progress of infiltration before it reaches core processes and fulfils its potential to cause damage or disruption.

Niles gives Wurldtech’s Opshield as an example of a flexible, versatile defence solution. Built on more than a decade of experience with the OT protocols used in ICS and SCADA environments, its machine-learning capabilities enable Opshield to automatically discover and monitor communications between devices. Opshield identifies the protocols in use and the source and destination addresses attempting to use them, and compares each exchange with the context of normal operations. Only the right commands for the right devices are executed in the intended operational process, thereby protecting systems from inappropriate commands that can interfere with operations, and safeguarding people and physical assets.
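The allowlisting idea in that paragraph (learn which devices talk to which, over which protocol, issuing which commands against which targets, then flag anything outside that baseline) can be sketched in a few dozen lines. The following Python is an added example written for this page; it is not Wurldtech's or GE's code and says nothing about how Opshield is actually implemented. Every address, protocol name, command and register name in it is constructed.

```python
"""Protocol-aware allowlisting of OT traffic: a constructed illustration.

A learning window of "normal operations" traffic is turned into a baseline
(which peers talk, over which protocol, with which command on which target);
live messages are then checked against it and every deviation is reported
from coarse (unknown peer pair) to fine (known command on a new target).
Example code for this page, not vendor code; all values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Message:
    src: str       # source address (constructed)
    dst: str       # destination address (constructed)
    protocol: str  # e.g. "modbus", "opc-ua" (constructed labels)
    command: str   # protocol command / function code name
    target: str    # register, coil or tag the command addresses


# baseline[(src, dst)][protocol] -> set of (command, target) pairs seen
Baseline = Dict[Tuple[str, str], Dict[str, Set[Tuple[str, str]]]]


def learn_baseline(observed: List[Message]) -> Baseline:
    """Build the allowlist from traffic captured during a learning window."""
    baseline: Baseline = {}
    for m in observed:
        per_pair = baseline.setdefault((m.src, m.dst), {})
        per_pair.setdefault(m.protocol, set()).add((m.command, m.target))
    return baseline


def check(m: Message, baseline: Baseline) -> List[str]:
    """Return the reasons a message falls outside the baseline ([] = allowed)."""
    pair = (m.src, m.dst)
    if pair not in baseline:
        return [f"no baseline conversation from {m.src} to {m.dst}"]
    protocols = baseline[pair]
    if m.protocol not in protocols:
        return [f"{m.protocol} never seen from {m.src} to {m.dst} "
                f"(expected one of {sorted(protocols)})"]
    allowed = protocols[m.protocol]
    if (m.command, m.target) in allowed:
        return []
    reasons: List[str] = []
    if m.command not in {c for c, _ in allowed}:
        reasons.append(f"command {m.command!r} not in baseline for this link")
    if m.target not in {t for _, t in allowed}:
        reasons.append(f"target {m.target!r} never addressed on this link")
    if not reasons:  # both pieces are known, just never combined
        reasons.append("known command applied to a target it never touched during learning")
    return reasons


def monitor(traffic: List[Message], baseline: Baseline) -> List[Tuple[Message, List[str]]]:
    """Run check() over live traffic and keep only the flagged messages."""
    flagged = []
    for m in traffic:
        reasons = check(m, baseline)
        if reasons:
            flagged.append((m, reasons))
    return flagged


# Constructed learning-window traffic: an HMI polling a PLC and adjusting one
# setpoint, and the PLC feeding a historian.
HMI, PLC, HISTORIAN, LAPTOP = "10.0.0.10", "10.0.0.20", "10.0.0.30", "10.0.0.99"
LEARNING_WINDOW = [
    Message(HMI, PLC, "modbus", "read_holding_registers", "flow_rate"),
    Message(HMI, PLC, "modbus", "read_holding_registers", "tank_level"),
    Message(HMI, PLC, "modbus", "write_single_register", "pump_setpoint"),
    Message(PLC, HISTORIAN, "opc-ua", "read", "flow_rate"),
]
BASELINE = learn_baseline(LEARNING_WINDOW)

# Constructed live traffic: one normal poll plus four kinds of deviation.
LIVE_TRAFFIC = [
    Message(HMI, PLC, "modbus", "read_holding_registers", "flow_rate"),   # allowed
    Message(LAPTOP, PLC, "modbus", "write_single_register", "pump_setpoint"),  # unknown peer
    Message(HMI, PLC, "modbus", "write_single_coil", "safety_interlock"),  # new cmd + target
    Message(HMI, PLC, "modbus", "write_single_register", "tank_level"),    # write to read-only tag
    Message(HMI, PLC, "http", "GET", "/"),                                 # unexpected protocol
]

if __name__ == "__main__":
    for msg, reasons in monitor(LIVE_TRAFFIC, BASELINE):
        print(f"{msg.src} -> {msg.dst} {msg.protocol} {msg.command} {msg.target}")
        for r in reasons:
            print("   ", r)
```

The ordering of the checks matters for an analyst: a message from an address the baseline has never seen is reported as that, rather than as a pile of protocol and command complaints, so the first line of the alert already says what kind of deviation it is. In a real deployment the learning window would need review before being trusted, since anything already on the network during learning becomes "normal".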

Operators reluctant to expose their OT weaknesses to the kind of OT cybersecurity audit that GE offers as a first step in assessing vulnerability need to “look at security as an opportunity to innovate”, says Niles. He is referring to the evolving security landscape: security should never be viewed as locked down. It’s never done and dusted. Like any area of technology, it requires constant evolution and innovation to foil the evolving capabilities of hackers and attackers.

In another sense, implementing reliable, flexible, constantly adapting OT security systems provides companies with the confidence to innovate, on the back of data intentionally and safely gathered, shared and compared.