The weakest link
The more devices are networked, the more hackers threaten not just organisations’ data security but their physical assets and employees’ safety. We set out what OSH practitioners can do to protect them.
Words: Dr DF Merchant
The past year brought record-breaking data breaches, including those at UK telecoms provider TalkTalk and the US Government Office of Personnel Management. In parts of the British Isles it also brought record-breaking floods.
As responsible businesses, most of you will have a business continuity plan safely stored on your desktop. Come the day when the water is lapping at your office door, you have a system to divert your mail and a vague idea where to find the mops.
Of course if you knew in advance that you were based on a flood plain, wouldn’t it be irresponsible not to have some kind of flood protection system in place? Perhaps a sandbag or two or an exercise to see whether the office furniture you think will fit upstairs really does? Surely a company that was expecting to be inundated at any moment would not just have its manager sitting around hoping that a lifeboat would float past the window.
With computer systems, that’s precisely what businesses do. The number of organisations, from SMEs to petrochemicals multinationals, that actively prepare defences against cyber attacks or accidental damage to their process control equipment is miniscule.
If you identify network-connected devices that can present a physical hazard, the OSH team has to deal with them
When someone hacks into a website and steals customer data, all but the most switched-on businesses simply dig out their continuity plans and thumb through them, looking for “how to put the website back” – the electronic equivalent of “hand me a mop”.
In the days when all you risked losing was a one-page website, there was little reason to care – but now we not only have vast stores of valuable customer data and proprietary secrets to protect, we also have computers that control mechanical systems that can endanger workers and others. Damage to those networks, whether it is caused by a malicious intruder or an inept employee, can easily lead to real emergencies.
Safety and health practitioners should not just be involved in meetings about cyber security, they should run the programmes. Cyber vulnerability stops being an IT problem when people can be hurt. A public water company, which must remain anonymous, left its IT security to its IT department, until hackers changed the chemicals added to the tap water of thousands of residents.
This year there have also been successful attacks on energy companies, trains, hospitals and even cars. The control room of the Bowman Dam in New York State was broken into from outside the US by hackers with links to the government of a hostile nation. Their attempt to flood the area was thwarted – but only because, by chance, a valve had been unplugged for maintenance.
In 2014 the German Federal Office for Information Security announced that a steel mill had suffered “massive damage” after hackers gained access to its control system through a USB stick sent as a gift to an unwitting employee and left the plant’s operators unable to shut down a blast furnace.
VNC (Virtual Network Computing), the software that controls computers in remote locations, should be a major security concern for an organisation because it opens up a channel for hackers to operate as if they were sitting at your keyboard. They can see your screen and move your mouse. In March, a short-lived hacker site collected and listed more than 500 “accidentally-open” VNC addresses. This gave anyone who visited the site full control over everything from hospital X-ray machines to SCADA (Supervisory Control And Data Acquisition) remote monitoring desktops that ran entire factories.
VNC should be password protected, but too many people rely on the assumption that nobody will find their unprotected servers. That’s like leaving your front door open because the street seems quiet. Researchers estimate there are at least 100,000 unlocked business terminals at any time, almost always because the last people who used them forgot to log out.
Intruders don’t have to set out to cause targeted destruction; simply by playing with things they can cause it anyway. Some of the people who visited that X-ray machine’s control page tried to overheat a patient, others drew smileys on the display screen.
Increasingly, hackers encrypt vital documents and demand a ransom for the decryption key. Hospitals are favourite targets; they have an imperative to recapture the data at any price. Would-be intranet intruders will also go after small suppliers, looking for weaknesses to attack major sites further up the food chain.
The “internet of things” (IOT), which gives everything from access controls such as interlocks to settings on the machines they guard its own internet protocol (IP) address and patches it into the network, is ultimately the reason that cyber-attacks create physical hazards. If you’re controlling a chemical plant from a computer terminal it doesn’t take a genius to realise the operators shouldn’t be watching “adult entertainment” on it, but they have been found doing just that. The IOT offers ever more integration and connectivity. Sensors report to computers on another continent. It saves a fortune in travel, but it has to be hedged with strict controls.
The latest corporate gift to hackers is the IP-connected webcam; these are almost invariably left with the default password and provide not just a gateway into the rest of an organisation’s network but a handy way to see what sort of company the intruder has chanced on. There is an underground search engine familiar to most hackers that scans the net looking for IOT devices so, if you want all the unprotected SCADA controllers in Scunthorpe, it’s a click away.
This January Marty Edwards from the US government’s Industrial Control Systems Cyber Emergency Response Team said of critical infrastructure projects in the US: “I am very dismayed at the accessibility of some of these networks … they are just hanging right off the tubes.” Closer to home, the HSE’s 2016 business plan promises to “build on the work of other government departments to assess the potential changes to the risk profile of the major hazards sector from an increased cyber threat”. The problem isn’t going away.
So what should businesses be doing? It’s too easy to email the IT department and read superficially comforting responses about firewalls. Instead, start by asking some questions they probably thought too simple to consider. If someone logs in from a hotel business centre and forgets to close the session, what’s the worst that can happen? If someone hacks into the company network, how long before we notice? Will we ever notice?
When we dismiss someone or make their job redundant, do you change the password on the webcam? If I leave a bunch of virus-riddled USB sticks in the car park, how many of our employees do we believe will use them despite all those memos about security? (Studies suggest the answer is likely to be half of them.)
If you identify network-connected devices that can present a physical hazard, the OSH team has to deal with them as such. The technical aspects of the risk assessments and control measures may be beyond your skills but they are still your responsibility. IT staff can help with the technical details, but they aren’t trained in risk evaluation. So, identify all the networked devices in your organisation, think of the worst hazard they could present if they were misused by an outsider, and ask the experts to check whether that’s possible.
The threat doesn’t have to come from a hacker on the internet; it could come from an employee deleting a set-up file by accident or plugging in their iPad to charge. In a recent survey, 38% of young adults stored important passwords as plain-text notes on their mobile phones. How many copies of your Wi-Fi password are scattered around? How far does the signal reach outside your premises?
For critical systems, cyber-resilience exercises are essential. As with continuity plans, you can run table-top exercises playing out a scenario between departments: one person tries to break in and the others try to stop them. Suppose the plant manager’s laptop is stolen from a car on Sunday night – what could it be used for? How long before the prevention systems detect it has happened and shut down the account? If this was a flood you should be looking for sandbags, not mops.
Plan of attack
The next stage is penetration testing, when an external contractor really does try to break in. They will not X-ray anyone to death, but they will show you a terrifying PowerPoint slide about what they could have done. Penetration testing can be expensive, but you can carry out a simple version in-house with tests such as trying to log in to every device with the default password; someone in the organisation should have done it already.
Monitoring is the final barrier, and one often overlooked. Computer software updates itself regularly, new things are plugged in, employees bend the rules. There are two sides to monitoring: keeping a weather eye on press reports and signing up for security alerts from your equipment and software suppliers, so you know if one of your devices has become the target; and watching the traffic inside and at the borders of your network. Attackers are stealthy; they want plenty of time to dig around, so it’s the little things that give them away. Monitoring systems should watch for employees logging in at unusual hours, old files moving around on the server, emails setting themselves to already-read.
Of course, nothing is guaranteed; we’re talking about a risk assessment leading to reasonable control measures based on the damage that could be caused to people, property or the environment. Aircraft manufacturer Airbus, which has more than its fair share of security people, is attacked a dozen times a year – but it stops thousands of attempts every day. If you have one valve to worry about, you have one password to change.
Cyber resilience need not be just a drain on resources, it’s a valuable business tool. Proving your systems are secure helps you win tenders. Customers trust you with their data. Watching where your website visitors come from detects unusual spikes in traffic, and shows the marketing team where potential customers live. Fostering an open policy where employees can report issues and ask for advice helps them protect their own families. They may even help you round up those mops, not that you should need them.