Industries: The new sitting ducks for cyber-attackers
Sairaj Iyer
In these days of automation, claiming complete safety is foolishness. The open worldwide internet does not afford that pretension to anybody, least of all to those offices of power that are vulnerable to cyber-attacks of all kinds. India recently witnessed two cyber-attacks in which hackers could access valuable data stored in high-profile nationalized banks. It is rumored that after those cyber-attacks, fake trade documents were created to raise money or facilitate large illegal deals abroad. Without any further delay, the Indian Prime Minister’s office signed MoUs with the global internet security provider Kaspersky.
According to Vicente Diaz, Kaspersky’s Principal Security Analyst based in Barcelona, we are living in a world of APTs (Advanced Persistent Threats) and ransomware. In fact, digital espionage cases involving social media and advanced persistent threats have far-reaching consequences. In the recent US elections, the spotlight turned on Moscow, with speculation over whether it really had any hand in influencing the voters and rigging the elections. The blame later got shifted to the Chinese. Such cases leave a lasting impact on governments and their people.
Cyber-attacks on industries and factories are no longer new. Yet not many in the world of business would recognize the name Shamoon. Shamoon is the code name for a cyber-attack. Such was the intensity of this attack that it is claimed to have targeted 35,000 computers all at once, knocking them off the network. These computers belonged to Saudi Arabia’s largest petrochemical company, Aramco. “One among the most valuable companies on earth was propelled into using typewriters and faxes. In fact, everything was wiped clean, and there was no possibility of data recovery. This year, the code for the new Shamoon involves elements of ransomware, which shows that these attackers are learning and recouping, and so should other people,” Diaz warned.
Conversing with people like Diaz could force one to believe that the world is coming to an end this very moment! Such is the power that computers, machines and the web have over the world. In the quest to equip everyday computing with intelligence, humans have tragically directed every kind of risk onto themselves. Diaz asks, “Imagine the vulnerability Aramco would be in if it was dealing in nuclear supplies, or was a chemical manufacturing company? What then?”
The motivation for such attacks could be money or fame, but Diaz believes that organizations should understand the risks involved when taking their businesses online. The industry today is rife with unpatched networks, and there are Wi-Fi networks begging for their passwords to be changed. “Most business systems were written about 20 years ago, and nobody wants to touch them, because it will be difficult to fix them back,” he answers when asked why businesses are not re-examining their IT practices.
Technology is a great keyword that symbolizes the revolution in India’s changing business landscape. Most of us are aware of keywords like e-payments, digital signatures, electronic data interchange, and a digital network or grid of smart, connected cities and organizations. It took Kaspersky a simple test to expose the reality.
Kaspersky simulated two sub-stations and opened them to a team of students who used ethical hacking techniques. “The students took merely 3-4 hours to bring down the two sub-stations. We are talking of smarter cities, and technological proliferation?” quipped Vikram Kalat, a Senior Account Manager at Kaspersky, sarcastically.
Kalat believes that preparedness should extend to operational technology. This would ensure that things such as SCADA units, plant machinery, PLCs (Programmable Logic Controllers), ERP (Enterprise Resource Planning) tools and accounting software are risk-free. Surprisingly, the solutions being suggested are mere patches and not solutions per se. “We are speaking of larger companies collaborating to create industry 4.0, but when industries converge, the devices will also connect, and attackers will look for the weakest link to gain entry. That itself should increase the risk.”
For all the negative news, Kaspersky evangelizes that industries and organizations should put operational security in place while ensuring the confidentiality, as well as the availability, of data.