The progress of a society is mostly measured by the level of infrastructure is has to support its inhabitants. From school buildings to transport to water, electricity, health to internet infrastructure. Among all, there are some that are deemed vital to the survival of the population. For example water, electricity and health are among the vital ones. The computerization of the 21st century has seen the automation of most part of these infrastructure installations to improve the efficiency and effectiveness of the services they provide. This led to the deployment of automation software like the SCADA (Supervisory Control and Data Acquisition) system to help control the machinery that deliver the services.
We are all aware of some of the challenges in deploying software in general i.e. on our desktops, laptops, tablets, etc. and the issues of cyberspace security that comes with them. Therefore, if vital installations like our power grids, water generation and health-care delivery even transport are being automated these days, considering the environment and size in which the deployment will be done and the number of people it is going to affect, then the question of security should be really thought through thoroughly.
In 2015 and 2016, power delivery in Ukraine was attacked by cyber attackers and affected west and northern Ukraine respectively with millions losing connection to power from 1- 6 hours.
Again in 2016, Verizon reported the breaching of a water supply company; Kemuri Water Company where the attackers through a web faced system entered the operational Technology systems responsible for the distribution, control and metering of their water supply. Programmable Logic Controllers (PLCs) which regulated the water flow and the chemicals use treat the water for safe use ware tampered with and caused unusual movements in the level of chemicals used to treat the water.
Shipping Industry leader Maersk also saw interruptions in its IT system in 2017 due to the ‘notpetya’ computer virus which disrupted the scheduling of its cargoes around the world; essentially its core business.
Cyber security simply is security within cyber space and the reason why managers of key installations must take it seriously is that, these facilities e.g. power grids are spread-out in different locations and are connected and managed through networks. Some of these networks are faced with the internet which is very unsafe and a haven for cyber criminals and all kinds of malicious people who are continually scanning the space to see who their next prey would be. If measures are not taken to protect the installations that provide us the basic essentials of life, nations and communities will be one day wake up to the catastrophe.
Before we look at issues of its safety, let’s first look at whether or not we should care. Indeed we must care about whether the systems that generate and distribute water and light to us or the health systems that aid in the delivery of health-care to us are safe from any form of exploitation or not . We must be concerned because they have implications on our lives.
With the first example of a compromised power grid in Ukraine, imagine what will happen to the several companies which might have been in the middle of production before the lights went off or the surgeon that might have been performing one surgical procedure or the other. That is revenue and Life being implicated right there.
Consider the second example of a compromised water supply system with abnormal chemical level movements. That is heavy contamination of your drinking water which can cause you a terminal illness or take your Life outright or seize the flow of your tap for days.
Contemplate the last example of Maersk. As a business that operates in a time conscious industry imagine the delay the cyber attack has caused the delivery of cargos and the accompanying financial ramifications. Also the effect on brand it has built over the years as an industry leader.
Indeed a lot can go wrong that is why we must be very much concerned about cyber security at key infrastructure installations.
Now onto whether they are safe or not. The safety of softwares are of two ways. The first is from the software developers where in the development process they factor in the security of the software they are building and the other comes from the client who after purchasing the software takes steps to protect what he/she has bought. In addressing the safety of our vital installations none of the above mentioned options are to be neglected.
Most of the softwares to automate the functioning of these vital installations are customized softwares which means they were designed specifically for a particular company per a set of specification. With this, the companies must be proactive to specify a set of security specifications to be embedded in the software during its development to make it robust against any cyber infiltration. Without this, the software will work perfectly but will be porous to cyber space attacks and it will be just a matter of time for attackers to intercept the network and shut it down. But where the software itself is security robust, it can survive a network breach.
In the second option, after the company has taken delivery of the finished software product, and have deployed it in its environment successfully, it is now their responsibility to ensure that they protect the environment and the software. This is where network and network access policies among others are developed and must be strictly adhered to guide the operations of staff to ensure they don’t create an occasion for a network breach.
To make sure this measures and many more are taken to prevent a cyber space infiltration into vital installations which could result in a life threatening catastrophe, regulatory bodies of these industries must develop cyber security guidelines and action plans for the sectors they regulate. They must be firm with regular system auditing and reprimand non-complying companies with fines, license revocations and suspensions etc. to prevent the “we are sorry” cliché.
As a client, you must speak up and demand effective industry leadership from the regulatory bodies so they can ensure you get good service always.