When you think about the threats to your company’s cybersecurity, you probably think of malicious emails and spearphishing, hacks and data theft, ransomware, malware, spyware, and all the other kinds of -ware. Chances are, you’re not thinking about your thermostat. Or your electric meter. Or your garage door.
But you should be.
These and other industrial control systems—like smoke detectors and fire alarms, HVAC systems, elevators and even lights—are found in every office building and are, in most cases, more vulnerable to attack than any of your standard information technology. And yet, it’s rare anyone wants to take on the task of protecting them.
Daryl Haegley is a senior program manager assigned to the Office of the Assistant Secretary of Defense for Energy, Installations and Environment. He spoke to WashingtonExec’s Cyber Council last week about some of the challenges of securing industrial control systems (ICS), also referred to as SCADA (Supervisory Control And Data Acquisition) systems or OT (operational technology, as opposed to IT). “Where you may update or overhaul your IT every few years, OT systems can go untouched for more than 20 years,” he said. “When was the last time you got a patch update for your heater? Never.”
The Double Threat
Connecting ICS to their own network generated significant efficiencies for vendors and buyers, as specialists could access systems remotely to optimize or repair them. With the advent of “smart” technology—devices connected to the internet—these devices collect and analyze data in real time and optimize themselves. You don’t have to manually check your energy meter; it will automatically send an invoice to billing… efficient and secure.
Or is it? That invoice could contain malicious code that steals the recipient’s username and password, or releases ransomware into your network. A thermostat can be turned into a listening device, as the Chinese did in 2011. The Stuxnet virus can blow up a centrifuge. Target was hacked through its HVAC contractor.
So Now What?
It’s no small task to secure these systems. A single office building might have 20,000 IT devices (laptops, servers, routers, etc.), and more than twice as many OT devices—almost all of which come from different manufacturers.
“These are very real threats to enterprises and the nation,” Haegley said. This is especially true for government contractors, who are regularly the victims of international corporate espionage. “The C-suite needs to figure out who is responsible for securing those control system networks. Is it the role of the chief information officer, the facility engineer or public works department? Where will the funding come from?” Haegley said.
The first step to addressing cyber risk is quantifying it. “Chief executives need to ask their information security officers to include control systems in vulnerability reports,” Haegley said.
Being prepared is the best defense. Know your risk, work with your vendors and establish a comprehensive incident response plan.