Has your organization initiated a risk assessment and created a threat model that would have covered some of the following incidents over the last two years?
The local branch of a shipping company updates the accounting application that is dominant in their region. With the updated application, they anticipate that they will better enable business with their customer’s use of the same package. Unfortunately, what they are unaware of is that malware has been inserted into the download, which will in turn unleash what is arguably the most expensive malware incident ever. Cisco’s Talos discovered the link between the me.doc financial package hijack and the Petya/Not-Petya incident that stopped ¼ of the world’s shipping, hospitals throughout the UK, and factories worldwide in 2017. Who has “corporate finance” as a part of their threat model?
Does your organization feel compelled to tie inventory, production state with your overall budgetary and financial planning systems? Probably so; and in pursuit of that goal there will be an eagerness to open up communication channels between the operations and finance groups. If so, then how should that be done and by whom? Are your automation engineers well versed in secure API programming practices? Are your finance business analysts competent in capturing telemetry data from a production run? Probably not. Are either of them in a position to understand and execute secure data capture and transmission? Again, probably not.
Some organizations have already created pretty strong policies about segmenting the operations space from the enterprise side with the kinds of controls that would have stopped WannaCry/Petya/Not-Petya equivalents. So let’s consider another incident.
Suppose you have your ERP / operations data sharing working well and securely. In fact, it is working so well that you realize that adding more modern capacity to the production line would drive increased output and profits. So now your organization turns to one of your trusted machine makers for a new production skid. The new machine arrives, the builder assembles it all, and the team connects it to the production network, which results in the factory shutting down. What happened? It turns out that the machine builder’s systems themselves, were infected with the same class of malware that came from the finance system mentioned above. A factory that was well enough protected from such infections from the outside in was not ready for a threat emanating from within. Several hundred million dollars in losses later, and the avoidable lesson is well learned:
Adopt a zero trust stance and segment accordingly. Doing so while continuing to allow for integrated systems and process visibility for business success is not difficult, but takes planning, effort, and commitment.
Now let’s set the stage for our next blog with another scenario for your consideration.. When your organization contracted with the accounting software company and the machine builder for their products and services was there any clause that described their security responsibilities and compensatory obligations for those shut downs?
Learn more by visiting the Trust Center’s Critical Infrastructure IoT page.