Increasing digitalisation creates a weapon for hackers, criminals and hostile states to employ far beyond traditional targets. With a huge array of data and their critical role in industry and government, labs must develop sophisticated defences, advises Chris Whyborn.
As a facilities owner or operator, we have responsibilities to our employees, clients and shareholders to ensure that we have taken appropriate and proportionate measures to provide a safe and secure environment to work, protect their information and guarantee service levels.
The difficulty with security and safety is that threat and risk can seem to be intangible qualities, until they materialise.
Conducting a Threat Vulnerability and Risk Assessment (TVRA), in accordance with ISO 31000:2018, is a demonstrable means of understanding risk and evidencing due diligence.
These steps include:
- Asset characterisation to determine the impact of loss, damage, or harm (Critical Function Analysis).
- Threat characterisation including insider, criminal, activist, and terrorist and adversary pathways.
- Identification and analysis of vulnerabilities.
- Evaluation and prioritisation of risks, specific to the facility purpose and user groups.
The resultant TVRA then underpins the strategy and design. Having these activities performed by an independent security advisor allows mitigations to be proposed and considered, and an Incident Response Plan to be designed. It also demonstrates cost-proportionate due diligence to the facility/business stakeholders, insurers and regulators.
The cyber threat
In May 2023 the UK National Cyber Security Centre (NCSC) issued advice to help organisations detect state-sponsored activity being carried out against critical national infrastructure networks. The US authorities had previously warned of persistent and increasingly sophisticated malicious cyber campaigns that threaten the public and private sectors.
Unusually, specific reference was made to the vulnerability of operational technology (OT) and safety critical systems.
Most common attack vectors
So how are your facilities’ cyber physical systems vulnerable to attack? They’re air-gapped, aren’t they? Well, less and less so nowadays. Many laboratory systems and processes are now externally connected, often for good business reasons: for instance, remote access for operators or engineers, vendor access for maintenance, or connection to the enterprise IT system to support billing and logistics. All of these create vulnerabilities unless managed correctly, which is why knowledge of attack vectors and pathways is so important.
TTPs
“Tactics, Techniques and Procedures” (TTPs) summarises the activities attackers use to compromise a facility’s systems. For example, attacks can target related enterprise systems for credential theft and to gain intelligence on connected facility systems. The attacker can then use the business system’s own links to the physical system (a pivot attack) to compromise performance. Alternatively (see the Stuxnet case below), they can attack the system directly; remember Stuxnet?
The physical threat
The physical threat to commercial and government facilities and their employees over the years is on record, with activists and extremists making threats and attacking facilities, vehicles and individuals. Firebomb and paint attacks and physical violence against scientists and other employees are rare but require consideration. A comprehensive risk assessment will include perimeter, parking, facility infrastructure and access control amongst other measures.
Due diligence
Sabre is a security risk management certification standard that can be applied to assess new and existing buildings, infrastructure and managed space during design, construction and operations. An increase in business resilience is a measurable benefit of such a risk assessment. Any effective assessment must address the growing importance of IT/OT network segmentation as underlined by recent high-profile cyberattacks.
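The connections listed above (vendor remote access, enterprise links for billing, operator access) are exactly what an IT/OT segmentation review examines. The following is an added example, not code from the article or from Thornton Tomasetti: a small audit of a constructed zone-to-zone flow table that flags flows reaching OT or safety systems without passing through a DMZ, inbound access to the safety zone, and unauthenticated plaintext protocols into OT, and then lists the zone chains by which an attacker with a foothold in the enterprise network could pivot into OT. The zone names, port list and sample flows are assumptions made for the example.

```python
"""Audit allowed zone-to-zone flows for IT/OT segmentation weaknesses.

Added example: the zone model, port list and flow table below are
constructed for illustration and do not describe any real facility.
"""
from collections import deque
from dataclasses import dataclass

# Protocols that carry no authentication or encryption (constructed list).
PLAINTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 502: "modbus", 5900: "vnc"}


@dataclass(frozen=True)
class Flow:
    src_zone: str   # internet | enterprise | dmz | ot | safety (assumed zones)
    dst_zone: str
    port: int
    purpose: str    # business reason recorded in the firewall change ticket


def audit_flow(flow):
    """Return the policy findings for one allowed flow (empty list = OK)."""
    findings = []
    # Rule 1: traffic into OT must originate from the DMZ (or OT itself).
    if flow.dst_zone == "ot" and flow.src_zone not in {"dmz", "ot"}:
        findings.append(f"{flow.src_zone} -> ot without traversing the DMZ")
    # Rule 2: the safety zone accepts inbound connections only from OT.
    if flow.dst_zone == "safety" and flow.src_zone not in {"ot", "safety"}:
        findings.append(f"inbound into safety zone from {flow.src_zone}")
    # Rule 3: no unauthenticated plaintext protocols into OT or safety.
    if flow.dst_zone in {"ot", "safety"} and flow.port in PLAINTEXT_PORTS:
        findings.append(f"plaintext {PLAINTEXT_PORTS[flow.port]} into {flow.dst_zone}")
    # Rule 4: internet ingress terminates in the enterprise zone or the DMZ only.
    if flow.src_zone == "internet" and flow.dst_zone not in {"enterprise", "dmz"}:
        findings.append(f"direct internet ingress into {flow.dst_zone}")
    return findings


def audit(flows):
    """All flows that violate at least one rule, with their findings."""
    return [(f, audit_flow(f)) for f in flows if audit_flow(f)]


def reachable_paths(flows, start, target):
    """Every loop-free zone chain from `start` to `target` over allowed flows.

    Used to show how a foothold in one zone can pivot towards another;
    a direct chain next to the intended DMZ chain is the bypass to fix.
    """
    adjacency = {}
    for f in flows:
        adjacency.setdefault(f.src_zone, set()).add(f.dst_zone)
    paths, queue = [], deque([[start]])
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            paths.append(path)
            continue
        for nxt in sorted(adjacency.get(path[-1], ())):
            if nxt not in path:
                queue.append(path + [nxt])
    return paths


# Constructed sample flow table (not from any real firewall).
SAMPLE_FLOWS = [
    Flow("internet", "dmz", 443, "vendor remote access to jump host"),
    Flow("dmz", "ot", 22, "jump host to engineering workstation"),
    Flow("enterprise", "dmz", 443, "historian replica for billing export"),
    Flow("enterprise", "ot", 5900, "legacy VNC from a finance PC"),
    Flow("enterprise", "safety", 502, "direct SIS status poll"),
]

if __name__ == "__main__":
    for flow, findings in audit(SAMPLE_FLOWS):
        print(f"{flow.purpose}: " + "; ".join(findings))
    for path in reachable_paths(SAMPLE_FLOWS, "enterprise", "ot"):
        print("enterprise->ot path:", " -> ".join(path))
```

Run as-is, the audit flags only the two legacy flows, and the path listing shows both the intended enterprise -> dmz -> ot chain and the direct enterprise -> ot chain that the VNC rule opens.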
These results need to be understood and any risks addressed either by preventative measures or by mitigating the impact, by adding resilience in the event of an attack or outage. These assessments will assist in prioritising safety and maintaining uninterrupted business operations.
It is important to acknowledge that threats exist both inside and outside traditional business boundaries. Whether malicious or accidental, the exploitation of a vulnerability and business reliance in any one element, node, or service might result in a single point of failure and should be acknowledged and addressed. Having a third party perform a comprehensive Threat Vulnerability and Risk Assessment, against the requirements of relevant industry regulation and legislation, is a cost-effective way for asset owners to understand the risks to their business resilience and demonstrate due diligence to the board, insurers, regulators and government.
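The Critical Function Analysis, vulnerability identification and risk prioritisation steps of the TVRA described earlier, together with the single-point-of-failure point above, can be made concrete with a dependency model. The following is an added example, not code from the article or from Thornton Tomasetti: it takes a constructed map of which nodes each critical laboratory function relies on, finds the nodes whose loss would stop every critical function, and ranks constructed threat scenarios by likelihood multiplied by the weighted impact of the functions they would take down. The node names, weights, scenarios and likelihood scores are all assumptions made for the example.

```python
"""Critical-function dependency analysis and risk prioritisation for a TVRA.

Added example: the facility model, weights and threat scenarios are
constructed for illustration and do not describe any real laboratory.
"""
from dataclasses import dataclass

# Constructed dependency model: each node maps to the nodes it needs.
# Critical functions are nodes too, depending on the services they use.
DEPENDENCIES = {
    "sample_testing":     {"lims", "freezer_monitoring"},
    "result_reporting":   {"lims", "email_gateway"},
    "lims":               {"db_cluster", "core_switch"},
    "freezer_monitoring": {"bms_controller", "core_switch"},
    "email_gateway":      {"core_switch"},
    "db_cluster":         set(),
    "core_switch":        set(),
    "bms_controller":     set(),
}
CRITICAL_FUNCTIONS = ["sample_testing", "result_reporting"]
# Impact of losing each critical function, 1 (minor) .. 5 (severe); assumed.
IMPACT_WEIGHT = {"sample_testing": 5, "result_reporting": 3}


def transitive_deps(node, deps, _seen=None):
    """Every node that `node` relies on, directly or indirectly (cycle-safe)."""
    seen = set() if _seen is None else _seen
    for dep in deps.get(node, ()):
        if dep not in seen:
            seen.add(dep)
            transitive_deps(dep, deps, seen)
    return seen


def functions_lost_if(node, deps, functions):
    """Critical functions that stop working when `node` is lost or compromised."""
    return [f for f in functions if node in transitive_deps(f, deps)]


def single_points_of_failure(deps, functions):
    """Nodes (other than the functions themselves) whose loss stops every function."""
    return sorted(
        n for n in deps
        if n not in functions
        and set(functions_lost_if(n, deps, functions)) == set(functions)
    )


@dataclass(frozen=True)
class Threat:
    node: str        # the element the scenario takes out
    scenario: str    # insider, criminal, activist or accidental pathway
    likelihood: int  # 1 (rare) .. 5 (almost certain); assessor's judgement


def prioritise(threats, deps, functions, impact_weight):
    """Rank scenarios by likelihood x summed impact of the functions lost."""
    rows = []
    for t in threats:
        lost = functions_lost_if(t.node, deps, functions)
        impact = sum(impact_weight[f] for f in lost)
        rows.append((t.likelihood * impact, t.scenario, t.node, lost))
    return sorted(rows, reverse=True)


# Constructed threat scenarios for the model above.
SAMPLE_THREATS = [
    Threat("lims", "ransomware reaching the LIMS over the enterprise IT link", 4),
    Threat("bms_controller", "unauthorised setpoint change on freezer controller", 2),
    Threat("core_switch", "core switch hardware failure with no spare", 2),
    Threat("email_gateway", "email gateway outage", 3),
]

if __name__ == "__main__":
    print("single points of failure:", single_points_of_failure(DEPENDENCIES, CRITICAL_FUNCTIONS))
    for score, scenario, node, lost in prioritise(SAMPLE_THREATS, DEPENDENCIES, CRITICAL_FUNCTIONS, IMPACT_WEIGHT):
        print(f"{score:3d}  {scenario} [{node}] -> loses {lost}")
```

The ranking deliberately keeps impact and likelihood as separate inputs: a low-likelihood scenario against a single point of failure (the core switch here) still outranks a more likely outage of a service that only one function relies on, which is the prioritisation the TVRA is meant to surface.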
Environmental System Attack
In 2022, a refrigeration facility in the Moscow region was the subject of a Control System attack. An unknown user nicknamed ‘Supervisor’ penetrated the refrigeration remote monitoring network and changed the temperature settings from -24°C to +30°C in a facility where 40 tons of frozen meat and fish were stored.
Ransomware Attack
A Russian medical laboratory was reported as having had its systems compromised by a ransomware attack in July 2023, resulting in the extended disruption of services that delayed medical result delivery to many of its customers. Whilst physically segmented, the apparent dependency of the laboratory physical processes on a functioning business IT system created an operational vulnerability.
Stuxnet
In 2010, a uranium enrichment plant [in Iran] was compromised by a computer worm resulting in the destruction of its centrifuges. The laboratory systems are suspected to have been breached by a technician directly introducing the malicious code on a USB drive. This bypassed any systems segregation and demonstrated the importance of not relying exclusively on perimeter security controls. Stuxnet versions are available for download by any malicious actors.
Chris Whyborn is Associate Director – Cyber Security, Protective Design & Security, at Thornton Tomasetti