De afgelopen week zijn er verschillende artikelen gepubliceerd over de Industroyer malware. De technische aspecten zijn duidelijk belicht en veelal door de cybersecurity community zelf opgepakt. De cybersecurity community heeft de verantwoordelijkheid om alarm te slaan als er (cyber) gevaar op de loer licht, maar hoe gevaarlijk is Industroyer eigenlijk? Zou de gemiddelde operations manager hier wakker van moeten liggen?
Deze blog is alleen in het Engels beschikbaar.
First of all, let me be clear on the purely technical side of things. Yes, this piece of malware can pose quite a destructive threat to an industrial environment matching the malware’s target habitat. And there is a good amount of circumstantial evidence that indicates an active track record for this piece of malware. But there are considerable constraints to the applicable environments in which it will thrive. And as such, Industroyer in its current form appears to be a targeted attack tool for specialized scenarios. Unsurprisingly, one of the major established antivirus vendors classifies Industroyer as a “Low Risk” threat. The industrial community should take this seriously though, and consider the discovery of Industroyer a wake-up call. Successfully assessing and coping with such a threat is a collective effort by the various stakeholders in the organization. For illustration, let’s explore 3 different roles that could be of importance and how they can affect the organization’s overall cybersecurity level.
What does this mean to a plant operations manager?
This means that the focus of plant uptime should be considered in the light of Advanced Persistent Threats (APTs) in general. APTs aren’t a new class of malware to be feared beyond reason. We know APTs by now, and in that light, Industroyer can be seen as just another kid on the block; yet one with considerable potential. Without speculating on what Industroyer variants may bring in the future, this simply means that any plant operations manager would do well to assess his/her plant’s resilience to APTs: Review your procedures. Remind staff of the procedures and clearly stress the impact of a moment of carelessness in handling spear fishing emails. If deemed necessary, likewise remind external stakeholders with technical involvement, such as equipment vendors and consultants. For they too can be an infection vector. And of course, there is some good technology available to help raise a plant’s protection against APTs: firewalls, malware scanners, monitoring solutions, and the ultimate barrier: the Fox DataDiode. Plant environments are unlikely to fall victim with a properly applied mix of procedures, tooling, and architecture. Be familiar with the cybersecurity maturity model and how it applies to the plant’s systems and organization.
What does this mean to the marketing manager of an industrial organization?
The marketing manager should be aware of the impact of plant downtime caused by an APT. Losing face publicly is never a good thing, and can be prevented when the right measures are taken. Where the plant operations manager aims for maximum plant uptime, the marketing manager could aim to keep the positive image ‘uptime’ maximized as well. The potential danger eminating from Industroyer should motivate a marketing manager into checking up with the rest of the organization. For example, we can think of proactively asking the other stakeholders following questions: Are we secured against this threat? How safe are we? Do we have our procedures in order? Is an internal heads-up broadcast warranted?
What does this mean to senior management of an industrial organization?
Being responsible for the overall organization performance and integrity, it makes sense to actively assign APT resilience to the right people. Be sure to put cybersecurity on the agenda. Additionally, it is important to keep in mind that this is never a one-man show; motivate team members to work together constructively (as this is not as logical as it may seem). Besides all that, the other stakeholders should be enabled to implement the required security measures; help them to do their jobs with sufficient support and funding. Before the plant is taken down by malware and hackers… Twice…