These electronic devices might not be designed with cyber security in mind

Ransomware and privacy breaches may be among the top cyber threats on your radar, but are you aware of all of the connected manufacturing and other industrial control systems that may be at risk, a commercial insurer warns.

“These production environments are highly vulnerable, in that they simply weren’t built with security in mind,” Jeff Tilley, vice president of cyber hazards at FM Global, told Canadian Underwriter this past Thursday. “However, they are being connected in a way that exposes them to the same potential threats as the business environments that were built with security.”

Tilley was talking about things like building automation, heating, ventilation and air conditioning, complex manufacturing processes, or heavily automated infrastructure.

FM Global announced Jan. 21 that it is offering its clients a cyber risk assessment of industrial control systems. Available to Canadian clients, this service includes evaluations of client sites by boiler and machinery loss prevention engineers as well as cyber consultants.

Industrial control systems (ICS)  are used in the manufacturing, transportation, energy, and water treatment industries, computer security firm Trend Micro notes.

“ICS are responsible for everything from the electrical current that powers our computers, to the water that flows through our buildings, to the traffic lights that manage our daily commute,” says Public Safety Canada.

How can you tell if such a system is vulnerable?

“In essence, it comes down to whether or not data transmission could be intercepted or manipulated,” Tilley told Canadian Underwriter. “If you had an individual transformer sitting in a corner, not connected to anything, of course we would not be interested in it.”

So the first question would be whether such a device is connected to a network that could potentially be exposed to a cyber event.

“If the answer to that question is ‘Yes,’ the next question is: What does that exposure represent to the site or the organization?” said Tilley. “If it’s significant from their perspective, then we move into a deeper evaluation of management practices and policies of their industrial control systems.”

IBM warned earlier that newer industrial control systems are built on “general-purpose” computer operating systems, such as Windows and Linux, and can potentially be connected to the Internet.

There is an increase in the number of cars, industrial control systems, and other non-computing devices that are connected to a global computer network; and some of these devices are sold without security testing, IBM warned at the time. But most corporate information technology departments are not responsible for managing the security of such devices, IBM said in its X-Force Threat Intelligence Quarterly, 4Q 2014.

An attack on Iran’s uranium enrichment program, dubbed Stuxnet, “was definitely an eye-opener to the potential vulnerabilities on the equipment side from cyber,” Tilley said Thursday.

IEEE Spectrum magazine, published by the Institute of Electrical and Electronics Engineers, reports that Stuxnet infected software at a uranium enrichment plant in Iran, by targeting machines running the Microsoft Windows operating system and then seeking software provided by Siemens AG that is used to program industrial control systems and operate equipment.

“When you get past the ones and zeroes, the cyber-based manipulation of physical systems, I suspect Stuxnet was an example of what potentially could happen,” said Tilley.