Just like any fast-growing innovative sector, the industrial cybersecurity market largely remains a mystery to many. And where there is mystery, there are myths. In the era of all things being connected and of cybercrime becoming a structured business, the cybersecurity challenge is a daunting one for many companies. This article debunks some of the myths that leave industrial organizations dangerously exposed. While not an exhaustive list, here are five of the big ones:
I’m protected because my industrial networks are isolated
False. Industrial information systems are often connected to enterprise networks and sometimes even directly to the internet. It is not uncommon to count a dozen or more internet connections per site, although managers are convinced that their industrial control systems (ICS) are completely isolated. Moreover, laptops and USB drives used by maintenance contractors are major vectors for spreading malware, even on isolated systems.
My firewalls protect me from cyber threats
Building a demilitarized zone (DMZ) between the enterprise and the industrial networks offers a necessary first level of protection. But isolating industrial networks can be an obstacle to industry digitization projects, which require data to flow seamlessly between IT, operational technology (OT), and cloud domains. Organizations need to connect more devices, enable more remote access, and deploy new applications. You might even find third-party vendors installing cellular modems to gain remote access to your OT environment so that they can easily update or troubleshoot systems and devices. And what about new applications that require access to the cloud? Do you know what all your industrial devices are, and are you certain they are protected by your firewall? The truth is, the airgap approach to IoT/OT security is no longer sufficient.
My industrial installation is not a potential target
This could not be more false. Even small companies possess sensitive data and can become the target of a cybercriminal. But the biggest threat might come from ransomware. The criminal business model of ransomware is now well established, with ransomware-as-a-service (RaaS) making it even easier for anyone to launch attacks. As the fight against these cybercriminal organizations is becoming a priority all over the world, the FBI observed many hackers redirecting ransomware efforts away from ‘big-game’ and toward mid-sized victims to reduce scrutiny. And because such malware is more numerous, the probability of being unintentionally hit increases. A few years ago, WannaCry and NotPetya affected tens of thousands of industrial control systems, causing hundreds of millions in lost revenue and demonstrating that malware generally spreads independently of any targeting strategy.
I am protected because my industrial systems use proprietary protocols
False! Tenacious hackers can very well understand proprietary protocols. These are often intrinsically even more vulnerable because they have not been subject to much public analysis, unlike standard protocols, which have gone through many public reviews leading to continuous security improvements. Furthermore, taking control of an industrial workstation is all a hacker needs to disrupt production. These workstations usually run Microsoft Windows, which is well known to cybercriminals!
Adding cybersecurity measures will complicate my daily work
To a slight extent, yes. Securing your information systems might sometimes force you to operate in downgraded mode or might require modifying some operating procedures. However, downgraded mode does not mean stopping operations. Security tools are designed to prevent endangering your operations by identifying threats in advance. Letting malware disrupt your systems? Now that will complicate your daily work!