Given industry's passivity about securing its increasingly networked systems, the researcher and director of cybersecurity at Tecnalia, Óscar Lage, warns that the risks keep growing.
by Jose Carlos Sánchez
Any paradise has its hell. The fantasy outlined by the defenders of ultra-connected society and the Internet of Things (IoT) also has a less dreamlike side to it, dominated by hijacking systems, data stealing, identity theft and destruction of files.
A networked industry is also a more threatened industry. And right now, “there is a load of systems that work very well because they have been designed like that, but for which cybersecurity has never been taken into account”, says Óscar Lage, director of cybersecurity at the Tecnalia research centre. Accordingly, his work consists of closing those gaps and minimising business risk through technologies such as cryptography, blockchains and artificial intelligence.
Last May, the WannaCry attack dominated the headlines when it blocked not just companies but also hospitals and factories. Are we facing a new golden age for cyberattacks?
I believe they are cycles. Around 15 or 20 years ago, we were talking about securing networks. However, now this field is mature and we are working in other spheres. Whereas 15 years ago it was banks, governments and defence who suffered the most attacks, nowadays the majority of attacks (almost 40%) are on the manufacturing industry and energy sector. Attacking a bank or government continues to top the ranking, but they are already so well protected that it is much more complicated, even though total security does not exist and never will.
The industrial and energy environment is suffering the real attacks. Ransomware affects everything, but most notably hospitals and factories. We are talking about industrial systems that are designed to work in isolation and which, all of a sudden, are connected under the paradigm of Industry 4.0 to exploit data and do predictive maintenance. And now is when the problems start.
What cyberattacks are the most common?
In the first few months of this year, most incidents came from zombie networks, computers which are used to attack. The most dangerous attacks are distributed denial-of-service (DDoS) attacks. These can paralyse the services of a bank, Amazon, or even a domain name system (DNS) that resolves the web address of a large number of companies, as occurred last year. Many of these computers and IoT devices are “enslaved” pending the launch of an attack. This is what happens the most, although it is obviously less startling than ransomware that blocks the computer.
And in companies? Are there any special features of the attacks they receive?
In industry, stealthily and without halting the computer, what the attacks do is steal information. We find people who, when they submit an international tender, discover that a company – a Chinese firm, say – has purchased the data and submitted the same offer but two dollars cheaper. This is impossible without an information leak. When things are analysed, it turns out that the company is missing logs (registering the behaviour of the systems and programs), etc. Nobody knows exactly what has happened, but someone from the competition has obtained this information. These are contracts worth many millions and there are people who pay to get this information through attacks aimed at specific enterprises. And this is happening to Spanish companies. We are not talking about science fiction.
Who is behind these attacks? Is it possible to find out?
In many cases you can never tell, but there are hacker groups and networks devoted to this. Even certain governments can be behind it, but tracing it back is very difficult. Clues can be found, but this type of attack is extremely stealthy and it is not easy to find out who was actually responsible.
So-called Industry 4.0 and the IoT envisage the total connection of every element. But doesn’t connecting more devices and machines also entail more risks?
It is clear that interconnecting everything is a new risk. If we had secure, authenticated industrial protocols, with confidential, encrypted communications, we would not have these problems. But all these data [from industry] were designed to be kept in isolation, and all of a sudden we connect them and put them together with things like IP cameras, which we have bought on the cheap and do not know very well either how they work or how secure they are. The manufacturer can think, “Where is the problem with them seeing two images of the factory?” However, starting from the camera it is possible to access the rest, because they are all part of the same network.
The first thing to do is to segment the network, define exactly what connection needs each element has and set up protective measures at the entry and exit points of each of these segments.
Why do companies not take action from the start?
The problem tends to be that the process of connecting the company is often led by the IT department, which wants to wash its hands of the issue and says it is the industrial department’s job. Then, suddenly, all the responsibility falls on someone from production or operations. At the same time, a bunch of firms come by to offer the advantages and benefits of exploiting the data, adding sensors and all the rest. That is their task, but often these companies are not concerned about security either. They assume that somebody will do it, but the reality is that, at that moment, right in the midst of it all, nobody is concerned with it.
There is a lack of awareness. Consider that every six months the number of machines connected to the internet goes up by 19%. It is no longer a question of whether they are protected or not; they are directly connected to the internet. It is a huge problem.
There remains the supplier option, of the machines being made secure at origin.
We try to talk to manufacturers, so that their new generations of devices are secure and include the appropriate measures. But these wouldn’t reach the market for another five years. Moreover, this equipment has a useful life of 20 or 30 years. It is necessary to work with the manufacturers, but also with the people who install them: customers have to increase their awareness.
However, there is always the risk of connecting from the outside. Everything is pointing to systems increasingly becoming controlled via the cloud and remotely.
The good thing about an industrial network is that, although people connect from outside, it tends to be fairly stable and its way of operating is very similar, so its behaviour can be modelled with artificial intelligence. For example, a very simple pattern that tends to be detected very quickly: if a change to a machine’s parameters tends to occur two or three times a month and suddenly happens three times in a single day, the algorithm detects that something is going on. It may be that they are only servicing the machine, but something is up. Based on that, the person responsible for the infrastructure can check whether this is a problem or not. If it is not, the algorithm learns it and labels it as ‘maintenance’.
This is what we are working on while cybersecurity and cyber-secure equipment reach the industry. You are not going to protect the protocols, but at least you will detect what is happening until then. If we talk about a new plant, maybe in six years’ time it will be totally secure, but we still have many years of non-secure machines and industries ahead of us.
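The frequency baseline Lage describes, as an added example that is not part of the interview or of any Tecnalia tooling: the log format, the machine name and every value below are constructed, and the rule itself (a Poisson tail test against each machine's own historical daily rate, with operator-confirmed days labelled ‘maintenance’ so they are not raised again) is an assumption of this example, not the algorithm Tecnalia uses.

```python
"""Added example (not from the interview): flag machines whose parameter-change
frequency jumps above the rate learned from their own history, and let an
operator label a confirmed day as maintenance instead of an anomaly."""
from collections import defaultdict
from datetime import date, datetime
import math

# Constructed sample log: one line per parameter change on an industrial
# machine. Format: ISO timestamp, machine id, parameter, new value.
# Machine name and values are made up; the first three months show the
# usual two changes a month, then three changes land on a single day.
SAMPLE_LOG = """\
2017-01-04T09:12:00 press-01 feed_rate 1200
2017-01-19T14:03:00 press-01 feed_rate 1250
2017-02-02T08:41:00 press-01 spindle_rpm 3000
2017-02-21T16:20:00 press-01 feed_rate 1200
2017-03-08T10:05:00 press-01 spindle_rpm 3100
2017-03-27T11:30:00 press-01 feed_rate 1300
2017-04-12T09:00:00 press-01 spindle_rpm 3000
2017-04-12T09:04:00 press-01 feed_rate 900
2017-04-12T09:07:00 press-01 spindle_rpm 4500
"""


def parse_log(text):
    """Return (timestamp, machine, parameter, value) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, machine, param, value = line.split()
        events.append((datetime.fromisoformat(ts), machine, param, value))
    return events


def poisson_tail(k, lam):
    """P(X >= k) for X ~ Poisson(lam): how surprising k or more changes in one day is."""
    below = sum(math.exp(-lam) * lam ** i / math.factorial(i) for i in range(k))
    return max(0.0, 1.0 - below)


def detect(events, min_history_days=30, p_threshold=0.01, known_maintenance=frozenset()):
    """Flag (machine, day) pairs whose change count is implausible under the
    machine's historical daily rate. Returns (machine, day, count, label) tuples;
    days the operator has confirmed are labelled 'maintenance' rather than 'anomaly'."""
    per_machine = defaultdict(list)
    for ts, machine, _param, _value in sorted(events):
        per_machine[machine].append(ts)
    findings = []
    for machine, stamps in per_machine.items():
        first_day = stamps[0].date()
        for day in sorted({ts.date() for ts in stamps}):
            span = (day - first_day).days
            if span < min_history_days:
                continue  # not enough history yet to learn a rate for this machine
            history = [ts for ts in stamps if ts.date() < day]
            lam = len(history) / span  # expected changes per day, from history only
            count = sum(1 for ts in stamps if ts.date() == day)
            if poisson_tail(count, lam) < p_threshold:
                label = "maintenance" if (machine, day) in known_maintenance else "anomaly"
                findings.append((machine, day, count, label))
    return findings


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for finding in detect(events):
        print("first pass:", finding)
    # After the person responsible confirms the 12 April burst was a service visit:
    confirmed = {("press-01", date(2017, 4, 12))}
    for finding in detect(events, known_maintenance=confirmed):
        print("after confirmation:", finding)
```

With the constructed log, the six changes between January and March give a rate of roughly 0.06 changes per day, so single changes on later days are unremarkable, while three on 12 April have a tail probability far below 1% and are raised; once the operator adds that day to `known_maintenance`, the same burst is reported as ‘maintenance’. On a real plant the baseline should be learned per parameter and per shift, not per machine alone, because a machine serviced every Monday has a legitimately different rate on Mondays.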
Artificial intelligence becomes a bit of a watchful eye, but could it also become a threat?
Attackers are also increasingly powerful and use this type of artificial intelligence to make the leap. One example is the use of intelligent agents which simulate the behaviour of a network to avoid suspicion. These things are incredibly complicated and increasingly difficult to detect.
MIT Technology Review en español is the Spanish edition of MIT Technology Review, a magazine published by Technology Review Inc., an independent media company belonging to the Massachusetts Institute of Technology (MIT). Founded in 1899, it is the world’s oldest technology magazine and a global authority on the future of technology in the internet, telecommunications, energy, IT, materials, biomedicine and business.