Business continuity may be impacted by many factors including acts of violence or terrorism, or even by the actions of a disgruntled ex-employee. Extreme weather events can also bring about disruptions to business continuity. In New Jersey in 2021, Hurricane Sandy caused most homes and businesses to lose power for at least a few days, with many impacted for several weeks. This demonstrated that industrial operations cannot maintain functionality under such conditions without thoughtfully crafted contingency plans and careful system lifecycle management.
Even absent a catastrophe or attempts at sabotage by malicious actors, process equipment requires maintenance of varying complexity, and over time industrial equipment can give way to wear and tear. Planning for these inevitable eventualities creates industrial environments that can stay productive even under adverse conditions.
One area that’s critical to fostering business continuity is the never-ending battle of cybersecurity. As organizations create mitigation strategies to stop future attacks, hackers are always looking for new ways to bypass these strategies and infiltrate industrial systems. These attacks focus on disrupting business continuity by interrupting the system operations via one or more vulnerabilities. In this second article in our series on maintaining business continuity, we’ll focus on how critical asset management is to uninterrupted production.
Business Continuity: The Impact of Downtime
The pandemic is an example of when unforeseen situations can disrupt business continuity. The need to reduce the risk of spread of infection often requires plant staff reductions on the plant floor, which can severely impact production throughput for many organizations. Other impacts occur when employees become ill, particularly in food and beverage production, where contamination can shut an entire facility down. Advances in industrial automation have certainly helped with situations like these, including allowing the remote monitoring of industrial systems.
Maintaining systems and keeping up with current technology can help prevent shutdowns due to equipment failure. Equipment can fail due to wear and tear or poor and irregular maintenance or due to events such as power surges. Failing to have a business continuity plan in place can lead to dire financial consequences as well damage a business’s reputation, and reduce the prospects of gaining contracts in the future.
The 2015 Ukraine Sandworm Attack: Business Continuity Lessons Learned
In December 2015, 230,000 consumers experienced power outages in Ukraine. This was due to a carefully coordinated cyberattack by an organization now known as Sandworm. The IT systems of three separate energy distribution companies were targeted in a successful attempt to disrupt the power supply. For most people, the maximum length of the outage was around 6 hours, but it was a frightening milestone in cyberattacks on critical infrastructure. A single home can usually manage without power for a few hours. A hospital, however, could potentially lose patients relying on life-saving equipment if the power supply is disrupted for too long. Other industrial settings could also have production severely impacted. For example, industrial automation at water plants could be interrupted, leading to water shortages or water that’s not fit to drink.
How Cybercriminals Performed the Sandworm Attack
In the Sandworm attack, the attackers focused on the controllers that could take down several systems. They also attacked serial to ethernet communication devices, limiting the utility’s ability to communicate the problems and failures that were suddenly occurring. Remote sensors were another part of the system cybercriminals targeted. Most industrial settings include these devices, which shows that there are risks inherent in all systems without proper systems lifecycle management.
In this instance, the connection to the UPS or uninterrupted power supply was broken. Thorough protection would ensure backup connections to a UPS or protection from that type of malware before it goes anywhere near the UPS. The Siemens relays within this system were partially compromised, showing that they, too, are a vulnerability within the system. However, systems analysis post-attack showed that some of the security systems in place around the Siemens relays actually prevented a more devastating attack from occurring.
Vulnerabilities in Industrial Systems
Regardless of the type of industrial setting, any system lifecycle management strategy that misses the following steps the Sandworm attackers took could be leaving industrial systems open to attack:
- Reconnaissance and intelligence gathering over a period of several years
- Malware development and deployment
- Delivery of a remote access trojan (RAT)
- Installation of the RAT
- Establishing a connection to the command and control (CC) systems
- Delivering malware
- Harvesting credentials
- Lateral movement and target identification on ICS network
- Developing and deploying malicious software
- Creating a server connection to remote or field devices
- Telephony Denial-of-Service (DoS) attack
- Disabling of critical systems via UPS outage
- Destruction of critical system data
It’s more useful, in terms of system lifecycle management, to consider the steps taken than the specific type of malware used. That’s because when industrial systems are protected thanks to careful business continuity plans and contingencies, it shouldn’t matter what type of malware is used. Proper prevention protects industrial automation and other critical systems from a range of threats.
System Lifecycle Analysis – How It Helps
Proper system lifecycle management and analysis require a full evaluation of the systems in place. It looks at legacy systems and what updates are required to bring them in line with current regulations and expectations. It considers risks and what contingencies will mitigate those risks. It looks at gap analysis — literally the difference between where you are now and where you need to be. Then it requires a full remediation plan to get your industrial automation and manual systems, plus any remote or field devices, as protected as possible.
Some experts believe that these cyberattacks in Ukraine, the most recent of which was January 2022, are the efforts of cybercriminals honing their skills and testing strategies before moving onto prominent organizations in Western Europe and America. With that in mind, it’s never been more critical to ensure your industrial asset management and business continuity plans are regularly reviewed by a team of experts.
In our next article, we’ll be exploring the key considerations for industrial organizations in terms of security and specific risk mitigation. If this article has made you think more deeply about your own systems integrations, industrial automation protection, or systems lifecycle management, get in touch with ICA engineering to learn more.