The people who want to destroy you (and how to stop them)
Somewhere in the valleys of South Wales, a team of hackers is quietly working out how to take over your production facility. They are ruthless. They are relentless. And they are very, very good at what they do.
Fortunately, they are there to protect you. And by the end of this article you’ll be very glad that they are.
These ‘white hat’ or ‘ethical’ hackers work in the National Digital Exploitation Centre (NDEC), a world-class technology hub in Ebbw Vale, about 30 miles north of Cardiff. Their mission is to defend manufacturers of all kinds and sizes from a worrying rise in attacks against ‘Operational Technology’ (OT) – defined here as industrial equipment that is automated or connected.
One of the few such facilities around the world, NDEC is a kind of ‘Top Gun’ for hackers, jointly funded by the Welsh Government and Thales. It houses a ‘Cyber Range’ – a highly sophisticated training and testing facility which can simulate even the most complex networks.
You can think of the Cyber Range as a kind of firing range where real attacks can be mounted against real targets right in front of you, then analysed and neutralised. It can be quite dramatic. Seeing your own equipment effortlessly hacked and taken control of is an experience that you will never forget.
It wasn’t an experience that an employee of a water treatment plant in Oldsmar, Florida is likely to forget any time soon, either.
A real and present threat
Just a couple of weeks before I wrote this, the Oldsmar plant was hacked remotely. The operator didn’t think anything of it at first because the plant uses software which allows supervisors to control it remotely.
A few hours later there was another intrusion. This time the hacker attempted to increase the level of sodium hydroxide (also known as lye, or caustic soda) being fed into the water supply from 100 parts per million to 11,100 parts per million – more than a hundred times the normal dose.
As far as can be determined, the Florida attack wasn’t perpetrated by a rogue state or criminal organisation. There was no ransom; no pay off. But there wasn’t a warning, either. Someone, somewhere, probably did it just to see if they could.
Fortunately, the operator noticed what was happening and was able to reverse the action. No damage was done.
But not all systems are monitored all of the time. Are yours?
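The lesson of Oldsmar is that a dangerous setpoint change is easy to spot if something is actually looking. The following is an added example, not code from the original article or from NDEC: a small monitor for supervisory setpoint writes that raises an alert when a write leaves a tag’s engineering limits or moves the value by an implausible amount in one step. The tag names, limits and the audit-log entries are constructed for illustration (the third entry mirrors the 100 ppm to 11,100 ppm change reported at Oldsmar); they are not the real configuration or logs of any plant.

```python
"""Added example (not from the original article or NDEC): a monitor for
supervisory setpoint writes that flags out-of-range values and implausible
single-step changes. Tags, limits and log entries below are constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Assumed engineering limits per tag as (min, max). Illustrative values only,
# not the real configuration of any plant.
ENGINEERING_LIMITS = {
    "naoh_dose_ppm": (0.0, 150.0),
    "chlorine_dose_ppm": (0.0, 4.0),
}

# A single write that moves a setpoint by more than this fraction of its
# previous value is treated as suspicious even if it stays within limits.
MAX_STEP_FRACTION = 0.5


@dataclass(frozen=True)
class SetpointWrite:
    timestamp: str    # as an HMI audit log would record it
    tag: str
    old_value: float
    new_value: float
    operator: str     # account the HMI session was logged in as


def check_write(write: SetpointWrite) -> list[str]:
    """Return the alerts raised by one write (an empty list means no alert)."""
    alerts = []
    limits = ENGINEERING_LIMITS.get(write.tag)
    if limits is None:
        # A tag nobody has bounded is itself a finding: it cannot be checked.
        alerts.append(f"{write.tag}: no engineering limits defined")
        return alerts
    low, high = limits
    if not low <= write.new_value <= high:
        alerts.append(
            f"{write.tag}: {write.new_value} is outside {low}-{high} (out of range)")
    if write.old_value > 0:
        step = abs(write.new_value - write.old_value) / write.old_value
        if step > MAX_STEP_FRACTION:
            alerts.append(
                f"{write.tag}: single step from {write.old_value} to "
                f"{write.new_value} is {step:.0%} of the previous value")
    return alerts


def scan_log(writes) -> list[tuple[str, str, list[str]]]:
    """Run check_write over an audit log; return (timestamp, tag, alerts) for
    every write that raised at least one alert."""
    flagged = []
    for w in writes:
        alerts = check_write(w)
        if alerts:
            flagged.append((w.timestamp, w.tag, alerts))
    return flagged


# Constructed sample audit log. Entries 1 and 2 are routine adjustments; entry 3
# mirrors the change reported at Oldsmar; entry 4 is the operator reversing it.
SAMPLE_LOG = [
    SetpointWrite("2021-03-01T08:02:10", "naoh_dose_ppm", 100.0, 104.0, "shift_op"),
    SetpointWrite("2021-03-01T09:40:32", "chlorine_dose_ppm", 1.8, 2.0, "shift_op"),
    SetpointWrite("2021-03-01T13:31:05", "naoh_dose_ppm", 100.0, 11100.0, "shift_op"),
    SetpointWrite("2021-03-01T13:31:40", "naoh_dose_ppm", 11100.0, 100.0, "shift_op"),
]

if __name__ == "__main__":
    for ts, tag, alerts in scan_log(SAMPLE_LOG):
        print(ts, tag)
        for alert in alerts:
            print("  ALERT:", alert)
```

Note that the operator’s corrective write (11,100 back to 100) is flagged as well, because it is also a very large single step. That is deliberate: an analyst reviewing the day wants to see both the attack and the recovery, and a monitor that only trusts ‘sensible’ values would have stayed silent while the dose sat at 11,100 ppm.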
Understanding and mitigating the threat
NDEC’s team has a wealth of experience in simulating and defeating attacks ranging from intruders just having a quiet look around, to causing damage which is reputationally embarrassing and operationally expensive, right through to the disruption of critical national infrastructure by state-sponsored attackers.
An attack against your particular enterprise will probably fall into the ‘embarrassing and expensive’ category. The crux of the matter is that complacency is a killer: you shouldn’t just wait for it to happen and hope it will be OK. Actually, it might be OK… But what about the one after that, and the one after that? Because once a first intruder has found a way in, the details of your network and of how they got in are likely to be sold or shared on the dark web, the playground of the black hats.
With a little inside knowledge and a solid understanding of the threat landscape, such attacks can be neutralised. That sounds easy, but it is an enormous challenge: how do you know what form the attack will take, what it might look like, or where it will come from? It’s a complex problem.
Control systems. Automation. Measuring and monitoring systems. Robots. Emissions testing. Even a modest-sized factory can have tens of thousands of connections. Some of your equipment is probably new. Some will be so old that no one fully understands it, and it may have been modified at some stage. A great deal of it can be hacked from afar.
The bottom line is that anything that is automated to any degree is almost certainly connected to other systems, often through the cloud or your IT networks, or perhaps even by a direct 4G connection that was quietly installed for the convenience of engineers. That’s great for remote support but it can also give hackers a way in.
Seeing is believing
The science of cyber security is difficult to get to grips with. So although we can talk theory all you want, the best way to understand that there is a real and present danger – and how damaging a successful attack would be – is to see one in action. Because if we can do it, so can they.
NDEC’s mission is to make industrial facilities as secure, robust and resilient as possible. We start from the premise that it is impossible to predict where an attack might come from, when it will happen, what form it will take, or how destructive or disruptive it will be. Once you understand that, the only appropriate action is to look at everything. In detail.
Top to bottom, step by step
The process starts with asset discovery. Passive monitoring of the traffic on your network, supplemented by active probes where the equipment can tolerate them, identifies and maps everything that is connected to your network and to the outside world. Active scanning of OT networks needs care: older controllers can stall or fault when they receive traffic they were never designed to handle, so probing is done deliberately, device by device, rather than by pointing an off-the-shelf IT scanner at the whole site. That’s the start. The next step is a thorough and methodical follow-up, with hands-on inspection by trained engineers who understand your technology and know exactly what they are looking for.
Firewalls must be tested and new ones installed if necessary. Connections must be secured, and remote-access paths that nobody can justify removed. Software should be upgraded to the latest version the equipment vendor supports, after the update has been tested away from production, because an untested patch can stop a line just as surely as an attacker. Attack paths analysed. Business continuity and recovery plans created and tested.
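As an added example of the discovery step (my illustration, not NDEC’s tooling or anything from the original article), the following builds a passive asset inventory from flow records of the kind a collector exports from a network tap or switch SPAN port. It tags each plant host by the industrial and remote-access protocols seen on their default TCP ports, and flags any plant host that exchanges traffic with an address outside the plant’s own ranges, which is exactly how a quietly installed 4G router or an unexpected remote-desktop session shows up. The plant prefixes, the port table and the flow records are all constructed for the example.

```python
"""Added example (not from the original article or NDEC): a passive asset
inventory from flow records. Plant prefixes, port table and flows are
constructed for illustration."""
from __future__ import annotations
import ipaddress
from collections import defaultdict

# Assumed plant address ranges; anything outside these counts as external.
PLANT_PREFIXES = [
    ipaddress.ip_network("10.10.0.0/16"),     # OT cell networks
    ipaddress.ip_network("192.168.50.0/24"),  # engineering workstations
]

# Default TCP ports of common industrial and remote-access protocols.
PORT_PROTOCOLS = {
    102: "S7comm",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
    3389: "RDP",
    5900: "VNC",
}


def is_plant_address(ip: str) -> bool:
    """True if the address falls inside one of the assumed plant ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PLANT_PREFIXES)


def build_inventory(flows) -> dict:
    """flows: iterable of (src_ip, dst_ip, dst_port) with dst_port being the
    server-side port. Returns {plant_host: {"serves": set, "uses": set,
    "external_peers": set}}; external hosts are recorded only as peers."""
    inventory = defaultdict(
        lambda: {"serves": set(), "uses": set(), "external_peers": set()})
    for src, dst, dport in flows:
        proto = PORT_PROTOCOLS.get(dport)
        if is_plant_address(dst):
            if proto:
                inventory[dst]["serves"].add(proto)      # dst offers the protocol
            if not is_plant_address(src):
                inventory[dst]["external_peers"].add(src)
        if is_plant_address(src):
            if proto:
                inventory[src]["uses"].add(proto)        # src is a client of it
            if not is_plant_address(dst):
                inventory[src]["external_peers"].add(dst)
    return dict(inventory)


def hosts_with_external_peers(inventory: dict) -> list[str]:
    """Plant hosts that talk to something outside the plant: each one needs a
    justification or a firewall rule."""
    return sorted(h for h, info in inventory.items() if info["external_peers"])


# Constructed flow records; the comments say what each would mean on a real site.
SAMPLE_FLOWS = [
    ("192.168.50.9", "10.10.1.5", 502),     # engineering PC polls PLC over Modbus
    ("10.10.1.20", "10.10.1.5", 502),       # HMI polls the same PLC
    ("10.10.1.20", "10.10.1.6", 102),       # HMI talks S7comm to a second PLC
    ("192.168.50.9", "10.10.1.20", 5900),   # VNC into the HMI from engineering
    ("203.0.113.7", "10.10.1.20", 5900),    # VNC into the HMI from outside the plant
    ("10.10.1.6", "198.51.100.40", 443),    # PLC-side 4G router calling out (constructed)
]

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FLOWS)
    for host in sorted(inv):
        print(host, "serves:", sorted(inv[host]["serves"]),
              "uses:", sorted(inv[host]["uses"]),
              "external:", sorted(inv[host]["external_peers"]))
    print("hosts with external peers:", hosts_with_external_peers(inv))
```

Port-based tagging is only a first pass: a protocol moved to a non-default port is missed, and a host answering on 502 is not necessarily a PLC. That is why the article’s next step, hands-on inspection by engineers who know the equipment, is not optional; the inventory tells them where to look first.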
We look at human behaviours, too, as we crawl through your site. I have lost count of the times when a password has been scribbled on a Post-it Note or a piece of tape stuck underneath the keyboard. Bluntly, there is no point in securing your site if your people don’t do their bit, too.
If there’s a weakness, the cyber experts of NDEC will find it. And when they find it they will fix it.
Seeing your production equipment being hacked is kind of fun, actually, but it has a deadly serious purpose. The fact is businesses of all kinds are being attacked all the time. Some recover. Some don’t. And although watching your equipment being attacked on a Cyber Range is interesting, experiencing a real attack from a black-hatted hacker is your worst nightmare.
If this worries you – and it should – it’s time to let the white hats of NDEC have the first and final say.
Dene Yandle is the Lead Industrial OT Cyber Engineer at Thales. He has more than 30 years’ experience in engineering management and systems design, gained from leading large scale projects in the automotive, aerospace and nuclear industries. Today, his main focus is on bringing class-leading cyber security to industrial and automated equipment and its connection to IT networks.