Words of Wisdom from an Industrial Ethical Hacker

October is National Cybersecurity Awareness Month (NCSAM). The annual collaborative effort between government and industry aims to raise awareness about the importance of cybersecurity and ensure everyone has the resources to be safe and secure.

Led by the United States’ Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA), this year’s theme—Do your part. #BeCyberSmart—encourages individuals and organizations to own their role in protecting their part of cyberspace, stressing personal accountability and the importance of taking proactive steps to enhance cybersecurity. At Mission Secure, cybersecurity is what we do. In support of NCSAM 2020, we’ve put together short “Interview Bytes” to discuss cybersecurity from an operational technology (OT) and industrial control system (ICS) perspective.


Interview Bytes | Week 2: Securing Devices at Home and Work.



“It’s that chain of attack. It’s not necessarily one bad thing. It’s three bad things that lead to a terrible situation.”

The ramifications of an attack on Operational Technology (OT) or cyber-physical systems are far-reaching. According to a new Gartner report, by 2024, 75% of CEOs will be personally liable for cyber-physical security incidents. By 2023, the financial impact of cyber-physical attacks resulting in fatalities is expected to reach over $1 billion. Gartner states, “Even without taking the actual value of a human life into the equation, the costs for organizations in terms of compensation, litigation, insurance, regulatory fines and reputation loss will be significant.”

Despite the heightened level of awareness, risks, and repercussions, there are few reported industrial cyber incidents. Stuxnet, TRITON, Havex, CrashOverride, NotPetya—the known examples of OT cyber-attacks are widely pointed to by practitioners and cybersecurity experts, but often seem more anecdotal than factual.

Even industries with more stringent cybersecurity regulations like bulk electric power have relatively limited reporting requirements. FERC (Read more...)

*** This is a Security Bloggers Network syndicated blog from The Mission Secure Blog authored by Mission Secure.