No company can exist without computers, which means that each and every company must consider cyber security. CHARLEEN CLARKE reports that this is one of the greatest risks of this century.
Think cyber security is a bit pie in the sky? The actual facts suggest not. James Willison, a recognised international leader in security convergence and enterprise security risk management, cites many examples of recent cyber attacks.
“Recently, a major artery within Israel’s national road network was shut down after CCTV cameras were attacked by a Trojan Horse. A German steel mill was unable to shut down a blast furnace as normal after hackers accessed the mill’s control system through infected emails. The operating systems of German and South Korean nuclear power plants have been attacked.
“PlayStation’s network has been compromised three times. Hackers, who claimed responsibility for the 2014 attack, said they had done it simply ‘because they could’. And Jeep had to recall vehicles because someone got into a car’s management system and crashed it,” Willison reports.
“We have to face the facts that as our physical systems connect to the internet they become digitalised and so are vulnerable to cyber attack and cyber crime,” he stresses.
PwC’s Global State of Information Security Survey 2016 reports that the numbers relating to cyber attacks are nothing short of “numbing”. “Year after year, cyber attacks continue to escalate in frequency, severity and impact. Prevention and detection methods have proved largely ineffective against increasingly adept assaults, and many organisations don’t know what to do, or don’t have the resources to combat highly skilled and aggressive cyber criminals,” it warns.
“Many executives are declaring cyber as the risk that will define our generation,” adds Dennis Chesley, global risk consulting leader for PwC.
Mike Gillespie, managing director of Advent IM, also warns of the cyber security risk. “Some 40 billion devices will be connected to the internet by 2020 and if something has a computer attached to it, it has the potential to be hacked. Cyber security poses the biggest threat to insurers’ balance sheets since 9/11, yet so many organisations have no real strategy to deal with it. Stop thinking that cyber security is an IT problem, because it’s not; it’s a business problem,” he was recently quoted as saying on the IFSEC Global website.
Kaspersky Lab, a global cyber security company founded in 1997, believes that this risk is so great that it holds an annual Cyber Security Weekend to which it invites company experts, journalists and business guests. This year, the main topic of the event was industrial cyber security, an area that is becoming increasingly important, especially following a series of high-profile incidents in recent years.
“Today, the cyber security of industrial systems and critical infrastructures is of vital importance. An increasing number of such systems are using devices and channels that interact with the outside world. Sometimes they use equipment that was never intended for external access, not to mention software that was created decades ago and has not been upgraded since! This is a very serious issue, because not only is the continuity of the production process at stake; the environment and even human lives can be at risk,” Eugene Kaspersky, the company’s CEO, warns.
The aforementioned conference focused specifically on the Middle East, Turkey and Africa (META) region, and the cybercrime statistics pertaining to this area are downright scary.
In the first three months of 2016, 45 percent of users of Kaspersky Lab technologies in the META region encountered security incidents related to local networks and removable media, and 15 percent of users faced web-related threats.
The total number of cyber-incidents detected by Kaspersky Lab’s products in the Middle East during the first quarter of 2016 was up 15 percent compared to the same period in 2015; in South Africa the increase was 20 percent!
Ransomware continued to spread globally and in the region, affecting both organisations and home users. The number of attacks detected and prevented by Kaspersky Lab technologies grew in all the countries of the region, compared to the first quarter of 2015: in South Africa the number of ransomware incidents nearly doubled; the Middle East saw an increase of 67 percent; Turkey 58 percent; and Azerbaijan 14 percent.
That’s the scary news. What are the solutions? Kaspersky has been piloting Kaspersky Industrial CyberSecurity (KIS), a so-called “specialised solution designed to provide holistic cybersecurity for industrial networks and critical infrastructure, regardless of the level of industrial automation”. KIS has already been successfully piloted and integrated in a number of projects, including at the VARS petrochemical terminal.
Roman Yanukovich, SIA VARS technical director, explains that VARS continuously monitors the evolution of the cyber threat landscape. “As such, we realised that we were an increasingly vulnerable target for attack. Left unprotected, an IT security breach could severely disrupt and disable our automated operations. This could have severe implications for the port’s commercial viability, the safety of our employees and the population of the nearby town of Ventspils, not to mention the risk of potential contamination of the Baltic Sea. KIS enables us to protect the terminal and its customers from such an attack,” he comments.
Taneco, the oil refinery giant, has also tested KIS, and Marat Gilmutdinov, the head of its industrial control systems department, appears impressed.
“Having analysed the potential threats faced by hi-tech oil refineries, we opted for the KIS solution. It was important for us to buy more than just a security solution. We needed to put comprehensive security measures in place to protect our operations against cyber threats at every ICS level. We also needed to work with a vendor capable of assisting with any possible issues during deployment and operation.
“The capabilities of KIS exceeded all our expectations. Just months after deployment, KIS detected an unauthorised connection attempt by an outside laptop to one of the controllers. The attackers were attempting to modify the operation settings of a sensor,” says Gilmutdinov.
The PwC Survey has found that companies are more willing to invest in systems such as KIS; respondents to the survey reported that they had boosted information security spending significantly, and many are gearing up to tackle the cybersecurity juggernaut head on.
Companies are also investing in cloud computing. Research firm IDC predicts that spending on public cloud computing will soar to nearly $70 billion (about R1 trillion) this year, and that the number of new cloud-based solutions will triple over the next four to five years.
Addressing the issue of cyber security requires more than just investing in systems. “Technology alone won’t turn around the state of cyber security, however. Smart organisations have always known that the human side of the security equation is equally essential,” the PwC Survey notes.
As such, businesses are expanding the roles of key executives and boards of directors to allow for enhanced communication of cyber threat information and help build better prepared, more resilient cyber security capabilities. They also are implementing awareness programmes to help educate employees and executives about cyber security fundamentals and human vulnerabilities like spear phishing, which remains a very successful attack technique.
It’s ultimately all about the humans, you see. Humans created computers and cyber technology – to make our lives easier. Now they’re making our lives considerably more risk-filled too …