“The sky is falling! The sky is falling!” goes the famous line by Chicken Little (or Henny Penny for you Europeans reading this). People in the cyber community have been accused of being “Chicken Littles” for predicting that cyber adversaries are going to bring down economies, if not our very way of life itself.
As a member of that community, I will readily admit the message can be overblown at times and even used as a classic FUD (Fear Uncertainty Doubt) sales technique in others. This does a great disservice to the real risk that does exist.
“What is that alarm?” the operator yelled above the din. “Not sure, I’ve never heard that particular one before, but alarms are going off all the time.” Everyone continued to go about their business as usual.
This is a common occurrence in industrial environments. People have become numb to alarms going off. Fortunately, this time, it was just a false alarm. It was determined to have been caused by a software glitch, but it could have just as easily been caused by a cyber breach (malware, an adversary who gained control of the system) and resulted in significant loss of production, or worse, loss of life.
As someone who has spent much of his past five years traipsing around coal mines, pulp mills, manufacturers and chemical plants, I’ve seen firsthand the rise of OT (Operational Technology)-related cyber breaches. And we are only at the beginning.
Many have drawn the parallel between OT cyber security and safety only to be rebuffed by those who say that is overly dramatic. It is not. The proliferation of OT (including the Industrial Internet of Things or IIoT) has changed formerly isolated, air-gapped industrial control system (ICS) networks into a haven for cyber criminals, disgruntled insiders and hacktavists looking to do harm or get a high-payoff.
As a result, we will see an acceleration of real industrial alarms due to cyber breaches. Until we all wake up to this reality and treat cyber as seriously as we do safety (create a “cyber HIRA*” for example) we are prone to viewing these alarms as just more “the sky is falling” overreaction and not the serious threat they truly represent.
* Hazard Identification and Risk Assessment – A risk assessment tool that can be used to assess which hazards pose the greatest risk in terms of how likely they are to occur and how great their potential impact may be.