Picture: HAMMLAB, Espen Solli, 2018

A Holistic Approach to Cyber security

The capabilities and motivations of attackers to go after operational systems in infrastructures critical to society’s resilience are omnipresent. But these sectors are traditionally not prepared to deal with such security threats. It is time to wake up!

Power production and distribution, railway signaling, flight control, traffic light control, water management, oil and gas installations, plants and factories. These are just a few of the kinds of facilities where cybersecurity is becoming increasingly important. The recent ransomware attack on Hydro illustrates how cyberattacks target an organization’s production systems as well as its IT environment. Many of these systems are vital to a nation’s resilience and resistance. For all, safe and reliable operation is essential.

It doesn’t take that much to become a lot better

Nina Hesby Tvedt is the Sales and Marketing Director at Secure-NOK in Norway, a company focusing on cybersecurity surveillance for operational systems. 

- Today we can see a trend where attackers target industrial production systems, sometimes by first exploiting connected IT systems. There are even examples of Safety Instrumented Systems designed to protect critical plant systems being attacked in parallel. This is a complex issue that most security specialists are not aware of, says Nina Hesby Tvedt. 

Despite the complexity of the issue, companies facing these possible threats could become much more well-prepared with relatively small efforts.

Communication between operators and security specialists is vital

There is a need to facilitate collaboration and communication between operators/controllers and security specialists. This is an aspect of cybersecurity that is oftentimes overlooked. The operator must first and foremost be notified of an ongoing security incident and must also know how to report the incident and how to coordinate with the other parties, for example the security team, on handling the breach/incident.

Integrating the human factor

In order to develop security solutions that take into account both the technological aspect of cyber security as well as the human and organizational aspects, Secure-NOK and the Institute for Energy Technology (IFE), are collaborating. Vikash Katta is a Senior Scientist at IFE.

- At our Cyber security Centre for industrial control systems and HAMMLAB (human factors laboratory) we can test not only to what extent a security solution is able to detect a security event and able to present the operator with understandable and relevant information. We can also test how the operator perceives the potential stress of an attack and how he or she responds. This is crucial for developing procedures and training to successfully mitigate such attacks, says Vikash Katta.

Together, Secure-NOK and IFE have been running a demonstration experiment simulating an attack in a hardware-in-the-loop simulator of a power plant. As a part of the attack, equipment controlling steam pressure to a turbine in the power plant has been compromised allowing the attacker to make minute variations to the pressure. The attack also compromises the HSI (Human System Interface) where pressure indicators will show wrong information to the operator. The pressure continues to increase until pressure-controlled safety valves opens, and the plant no longer functions. This is a demo-case covering both the human, technological and organizational aspects. It was carried out by experts from several disciplines – security, safety, human factors, automation – from IFE and Secure-NOK. 

At Paranoia 2019, Nina Hesby Tvedt and Vikash Katta will explain their approach to holistic cyber security and tell us more about this demo-case. They will explain the threat picture, provide example attacks, and talk about the vulnerabilities and the crucial steps in protecting cyber assets of industrial installations.