In the winter of December 2015, when temperatures were barely reaching above freezing, a cyberattack took place on the Ukraine power grid, cutting off power to 230 000 people. Hackers successfully compromised the systems of three energy distribution companies and switched off 30 substations. At the same time, they destroyed or disabled IT infrastructure components and files stored on servers. All while launching a denial-of-service attack on call centres to keep up-to-date information from consumers during the blackout.

This was first known successful cyberattack on a power grid. Rather than going just for the tradition information technology (IT) targets, hackers had been able to take over operational technology (OT).

“One of the most terrifying things about this hack was that it didn’t start on the day that the power went down,” says Laith Amin, Senior Vice President at Advisian Digital. “It started long before that in the form of spear-phishing emails that contained the BlackEnergy malware. You see, successful cyberattacks are the ones when you don’t know the hackers are there until it’s too late.”

It is not simply the cost of these cyberattacks that need to be considered, but also the potential risk to human life with OT hacking is massive. Infrastructure, power plants, hospitals – all these rely on OT as well as IT.

Why the air gap is no longer a safe space

Traditionally, companies have focused on the ‘air gap’ when it comes to keeping their plant safe from a cyberattack. This air gap assumes that a company’s IT is in no way connected to its OT. However, as technology becomes more sophisticated this is no longer the case, or even desirable. Laptops, iPads and mobile phones are now being utilised more than ever in plant environments but often with the focus still being on the fact that the air gap will protect. It will not.

Moreover, continuing to maintain the air gap offers no value to customers. “Everything we know at Advisian Digital says that the real value comes from connecting your operating technology to your information technology,” says Amin. “Digital asset transformation itself means connecting your IT infrastructure to your plant OT. You can get a lot of value and productivity benefits by doing that, as you are able to control things like predictive maintenance, preventative maintenance, and condition monitoring remotely using your IT.”

In with the new but not out with the old

So where IT has firewalls, virus protections and regular patches made by Microsoft, Apple and other technology companies to help safeguard it, what is in place for operational technology?

“In the US, there’s National Electrical Reliability (NERC), which has standards that guide asset owners on how they can reduce their vulnerability in terms of cybersecurity. There’s also the  UL Standard for Software Cybersecurity for Network-Connectable Products (UL 2900), which was published in 2017 and created after evaluating the complexities and challenges associated with cyber risk,” explains Amin. “But that’s all very new.”

However, while technology vendors may now be releasing OT equipment that does keep plants secure, this does not remove the question of existing OT and whether it is protected. “Buying the latest secure technology for one aspect of your plant is pointless if you’ve still got ageing technology elsewhere. Or your operators don’t understand the importance of software updates, closed ports and other risks. Outdated equipment, either through lack of updates or age is a weak spot that hackers will find,” Amin points out.

Simplifying the concept

“When you apply it to everyday life it makes perfect sense,” explains Amin. “You might have heard of the Black Hat hack of the 2014 Jeep Cherokee where – in a controlled demonstration to expose the weakness – hackers took control of a car from a remote location? They could change everything from the radio music to the effectiveness of the accelerator and blasting the car with air conditioning. Hackers had discovered that a vulnerability in the car’s built-in Wi-Fi service enabled anyone who knew the IP address of the car to access the car’s functionality.”

Changing cybersecurity culture

It is a cultural change, too. The operator’s workforce has got to be behind the changes. Employees have got to play their part in updating the software, be aware of the risks of creating vulnerabilities, and looking for anomalies in the system.

Again, it helps to translate this into everyday scenarios, explains Amin. “You update your phone software. You know you should have complicated passwords that you don’t share. You have firewalls. You don’t open attachments from people you don’t know. And one step further than that. If someone was peering through your neighbour’s window, you’d probably investigate, or if someone was opening a car with a crowbar, it might get your attention. If something looks odd in your data, it probably needs checking out.”

“It’s about getting your workforce to apply that level of thinking to their office technology, and hammering home the message both within WorleyParsons and to our customers that cybersecurity is everybody’s problem and that anyone can become an expert in safeguarding their company’s assets,” he adds.

Creating cybersecurity customer solutions

“At WorleyParsons, we talk about clients’ digital transformation journeys a lot, but that doesn’t mean we’re neglecting our own,” says Shawn Kenyon, Director of Digital Integration, Advisian Digital. “Digital is part of our daily narrative. It’s a part of everybody’s daily work life and each one of our 26 000-plus people needs to play their part.”

Amin agrees. “If we can do this, then things like cybersecurity will automatically be considered during all our client-facing conversations,” he says. “It will no longer become a retrospective addition to our client assets but a built-in concept at bid stage. We also speak to our clients about it in a way they can understand. We remove the technical jargon and make it relatable to their business.”

Three steps to cybersecurity success

Amin breaks down his advice into three easy steps for operators to understand. The first is making them aware that there is an international cybersecurity standard to be able to test and verify conformity to that standard for all your control systems. “If it doesn’t meet the standard, you don’t install it,” says Amin bluntly. “Or that’s your weak point for the hackers.”

The second? “Don’t assume a successful attack is when you’re going to know about it, when your plants been shut down, or something’s been tripped. That’s not a successful attack, that’s a failed attack. A successful attack means they’re in your plant environment now and they’ve got control but you don’t know it yet. The only way to detect this is to monitor everything. Look for little changes, anything unusual and collect the data for analysis so you can detect any anomalies early on.”

And finally? “Make sure every single piece of equipment you have is 100% covered and kept that way. Build into your business culture the importance of updates, of not leaving vulnerable ports open, of the fact that there is no longer an air gap between IT and OT. Use the UL2900 as a design standard for security and act to maintain conformity permanently during the operating phase of your asset.

It sounds so simple, but Amin estimates that only 1% of the industry has secured its OT in part because a lot of this technology is still very new – the standard itself only came out last year.

Find out more about digital transformation is helping clients create safe and secure digital ecosystems at Advisian.com.