Only in recent years have asset owners become more aware that their companies can also be vulnerable to cyber threats. From ransomware to life-threatening process disruptions: anything can happen. Cyber Resilience Team helps the industry with a defence plan.
It almost went wrong: a cyber attack threatened a huge explosion in a chemical plant. The incident took place in Saudi Arabia about three years ago and was not made public until a year later. Notorious recent examples in the Netherlands are the digital attack on the Maersk transport company in the port of Rotterdam, the attack on Citrix systems, which made it impossible for many authorities to work from home, and the attack on the University of Maastricht, which eventually paid tons of ransom money after a ransomware attack.
Delusions of safety
In the industry, many asset owners feel safe because, according to them, the operating systems of the installations (OT) are disconnected from the internet and office automation (IT). ‘Delusion is the right word here,’ says Ewald Coenraad, ‘because at many companies there is a link between the operational operating systems and the internet, sometimes unnoticed. Unfortunately, this leaves the gates open to malicious people.’ Ewald works as Consultant Cyber Security at Cyber Resilience Team, a sister company of KH Engineering. They work together with colleagues from our Israeli parent company Ludan, which also has a great deal of expertise in cyber security.
Disconnected from the internet?
To become secure, companies can call on Ewald and his colleagues for advice. ‘It's been a very popular service lately,’ says Ewald. ‘And rightly so, because it's actually remarkable that asset owners invest so much in process security without thinking about cyber security.’ There's a little bit of history behind this, Ewald knows. ‘At the time when electronic process control was introduced, the internet did not yet exist in its current form. What's more, these systems actually stood on their own, ran on UNIX and were only connected to the control room. But in the course of time, office automation, including Windows, made its entrance into the control room. As a result, process information - in the form of KPI dashboards, for example - was also made visible in the boardroom. More and more modern systems have also been built using off-the-shelf devices from the IT world, including Windows PCs. And the system supplier is also promoting the fact that it is convenient for him to be able to watch remotely in the event of malfunctions, which also creates a link to the internet. When I start my research at a customer, in forty percent of the installations I find a connection to the internet that was not yet known about.’
To make the company resilient against a digital attack ("cyber resilience"), Cyber Resilience Team offers various solutions. ‘We usually start with a "maturity check", in which we determine how cyber conscious and resilient the company actually is,’ Ewald explains. ‘We also map out where the weak spots are and whether they can be prevented. And if not, what protective measures you can take. We can implement these with technical tools, such as equipment, tools, apps or an adaptation in the architecture, but there are also organisational and human aspects to it. That's why we can also train management and staff in safety awareness. After all, a serious hack does not happen in a matter of seconds, as in the film. It often takes months of preparation. During such a period, it is also mapped out who employees are and what roles they have. You also have to be aware of that.’
In their risk inventory and advice on measures, the Cyber Resilience Team employees always try to strike a balance between good protection, workability and an affordable price. ‘You may want to disconnect and shut everything down, but that's often far too expensive,’ says Ewald. ‘We can give sound advice on the actions the company can take to become a lot safer without it becoming unaffordable. This can significantly reduce the risk of a cyber attack.’
As a sister company of KH Engineering, Cyber Resilience Team is the perfect partner for this type of work. ‘From our expertise, we know how an installation is put together and we know the operational technology behind it. We also know how to work in the chemical process industry, which is of course very different from an office environment where IT is renewed every three years,’ says Ewald. ‘In a factory, the installation and the controls are usually set up for about twenty years. What's more, the factory usually has to continue to produce 24/7 while in an office it's best to shut things down at night. The combination of in-depth process knowledge and cyber security makes us unique.’