norsk hydro cyber breaches

Digital transformation is alluring. It’s an opportunity to use computers to streamline operations, connect physical infrastructure to the internet, collect data in real time, optimise operations and improve productivity and performance. For example, sensors from Australian agtech company The Yield now give oyster farmers early warning of changing water temperatures and salinity, barometric pressure and tidal information — all via their mobile device. This technology assists 300 oyster growers to better work around environmental conditions.

Meanwhile, Rio Tinto’s autonomous heavy haul train in Western Australia’s Pilbara region uses data from connected sensors and artificial intelligence (AI) to guide the way the train is driven, delivering product to the port nearly 20 per cent faster than a manned train.

Blue colour banner to Cyber for directors course

According to management consultants McKinsey & Co, “If policymakers and businesses get it right, linking the physical and digital worlds could generate up to US$11.1 trillion a year in economic value by 2025.”

What if they get it wrong?

There is mounting evidence that in the race to transform, some organisations are downplaying, not appreciating, or are even unaware of the cyber risks that can arise from connecting physical equipment to the internet — which links operational technology with information technology.

Councils, manufacturers and utilities around the world are already counting the cost of cyber attacks on physical infrastructure. ZDNet, the business technology news site, reporting from the Gartner Security and Risk Management Summit held in Sydney in August, reveals Ramsay Health Care audited the equipment in its 74 hospitals after seeing a demonstration of an ultrasound device being compromised by hackers in 30 seconds.

The Australian Energy Market Operator had also aired concerns about an attack on our power grid as more household solar panels are plugged in. And Western Australia’s Horizon Power is vetting personnel with access to its networks.

According to the Internet of Things Alliance of Australia (IoTAA), at the end of 2018 there were 10 billion IoT devices in operation globally. That is tipped to reach 20 billion by 2022 and more than 60 billion by 2025. In May, technology analyst Telsyte calculated more than five million Australian households have at least one IoT device. It predicts the average household will have 37 such devices by 2023. Without proper security and governance, each of those connections is a potential backdoor for attack.

Retired Major General Patricia Frost is the Washington DC-based director of cyber at Partners in Performance, a global management consulting firm. She has 32 years’ experience in the military and was, until 2016, director of cyber, electronic warfare and information operations for the US Army.

Frost notes that many of the industrial systems used to manage utilities, water purification, gas and steam turbines are legacy systems. They are built standalone, often using supervisory control and data acquisition (SCADA), which although not immune to cyber attack have been somewhat protected by the air gap between them and the internet. There is now a race to connect these legacy systems to modern information technology networks over the internet.

“That is creating a new attack surface and vulnerability,” says Frost. “Systems in the past were literally separated and isolated in air gap networks. My concern is we are rushing to digital transformation without truly understanding the operational risk based on threats the business is now exposed to.” This stretches from criminal “hacktivists” to nation-state attacks.

Frost warns boards need to understand what equipment is being connected to which networks — and for what purpose — and also to assure themselves the organisation is properly prepared to deal with a cyber attack. She says boards should make serious assessments. “Ask where does the value of the business sit, what are our most critical assets and then overlay the digital domain and connections between the IoT and business information network,” she suggests. “Why are we making certain connections, is that truly of value to the business? Or is it just ease of access? In some cases, technology has made us a little lazy. We want the data now, even though it’s not bringing much value to us.”

Certainly, there is enthusiasm to connect the physical and the digital. Extrapolating McKinsey & Co research through to 2025, IoTAA CEO Frank Zeichner estimates that IoT can deliver an economic kicker to the local economy worth up to $116b and a two per cent hike in national productivity. This is not to be sneezed at.

Belinda Cooney GAICD is chief financial officer of Interactive, an Australian IT services provider, and a non-executive director of the 86 400 neobank. She believes that while directors have not been blindsided by the integration of information technology and operational technology, the pace at which it has proceeded has caught some unawares.

Five cybersecurity questions for directors and CEOs

  1. How is our executive leadership informed — through their systems, processes and governance — about the current level and business impact of cyber risks to the organisation?
  2. What is the current level and business impact of cyber risks to the organisation? What is our plan to address identified risks?
  3. How does our cybersecurity program apply industry standards and best practices?
  4. How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying the executive leadership?
  5. How comprehensive is our cyber incident response plan? How often is it tested? What is the role that board directors play and are they included in annual exercises?

“When I think about security and risk as a director, it is very hard to decouple IT risk from operational technology because you have people using the systems,” says Cooney. “You can’t think of them as isolated things. When asking questions at board level, a lot of people think cyber risk is mitigated by doing a penetration test to figure out if anything has happened. In my experience, it is a lot more than that. You need to extend your line of questioning. Who is using the system and what is the access to our physical environment?”

Cooney notes directors have tended to focus on cybersecurity as it relates to data, rather than physical equipment. “Many don’t realise how much IoT is used in their business,” she says.

Besides good oversight of the cyber risks associated with information and operational technologies, Cooney says directors must ensure that organisational culture provides “enough psychological safety for people to speak up if they see something funny, to report it if it’s not quite right”.

Frost says directors must be curious. “If you look at the output from a wind farm or a solar array — could that be used as a vector to cause instability to the complexity of power grid and other generators of power because that fluctuation of power is so fragile?”

Directors need to consider how decisions are being made about connecting the digital and the physical. “Who is responsible and accountable?” asks Frost. “The governance may need to change in companies when connections are made in the digital domain that could bring a detrimental operational risk to the company.”

She also recommends more granular monitoring of physical assets. “Most of the security controls we’re seeing in cybersecurity are at the upper layer of operational technology, not down at the asset,” she says.

Learn the lingo

Packet squirrel/Plunder bug Devices hackers use to connect to a network providing stealth access

Trojan Malware loaded onto computer systems for nefarious intent

SCADA (supervisory control and data acquisition) Long-established systems architecture used to manage physical equipment

Frost also believes implementing security to monitor the asset output could help protect an organisation. “When you see that baseline disrupted or changed, that will be your first warning something malicious is happening to your assets.”

Jeff Hudson, CEO of global security firm Venafi, agrees with the need for greater cybersecurity at the machine level. “Gartner says we spend US$10b a year protecting human identity — but we are just getting started in protecting machine identity,” he says. Hudson also believes this is increasingly important because everything from lifts to cranes to autonomous vehicles link to the internet.

“This is very poorly understood,” he says. “There is a blind spot. Everyone assumes it has been taken care of, but it hasn’t. Machines are making real-time life-and-death decisions about humans. We spend a lot of time making sure humans have the credentials to do a job, whether it’s in the operating room or stock trading. Now algorithms and robots are taking over and we have to do the same thing.”

A Director’s Guide to Governing Information Technology and Cybersecurity by Nicholas and Alexander Tate (AICD Books).

Cyber attack case studies

October 2019 Access to systems blocked and providers forced offline by ransomware attack on several Victorian regional hospitals.

June 2019 Florida’s Riviera City pays extortionists Bitcoin worth US$600,000 after ransomware attack paralyses its online systems.

March 2019 Cyber attack on Norway’s Norsk Hydro ASA forces it to isolate metal manufacturing plants and revert to manual operations.

October 2018 Onslow Water and Sewer Authority in US experiences Ryuk ransomware attack that spreads throughout network, encrypting data and halting operations.

June 2017 Production at Hobart’s Cadbury chocolate factory impacted after global attack by NotPetya ransomware.

December 2015 Ukrainian power companies suffer unscheduled power outages after reports of BlackEnergy malware on its networks.