The Robots Taking Your Job Could Get You Killed

bcg-ex1-chart_800_499_80.jpgBoston Consulting Group  recently released a global robotics market study that projects industry growth of 10.4% CAGR.

The rush to automate more factory processes may look like it’s saving money, but to Ken Westin, a senior security analyst at Tripwire, it’s a dangerous trend that’s spreading cyber vulnerabilities across entire industries. And it will only get worse. Westin says that too much or unsafely implemented automation in chemical and pharmaceutical plants will result in a catastrophic, and largely avoidable, cyber attack in the next two years.

That automation is on the rise is no secret. Boston Consulting Group has forecast that between this year and 2025,1.2 million industrial robots will make their way into factories across the United States (in addition to those in factories today.) Some projections commonly cited among the chemical and pharmaceutical industry suggest that automation in more factories could increase throughput by 20 percent on a yearly basis and reduce energy consumption by 8 percent.
“A lot of businesses see value in automating a lot more of the processes when it comes to manufacturing,” Westin said at the Black Hat cybersecurity conference here. “They’ll actually let a lot of these people go, like the engineers. And they’ll focus on the automation. What they fail to do is look at the increased risk that that poses to the organization.”
“These systems were designed decades ago,” he went on. “They’re using protocols that are pretty ancient. They were designed for reliability and efficiency. Security was not a part of that. The security occurred on the physical end, protecting people who came in and out of these physical systems. Once you connect that to a corporate network? What happens is the corporate network now gets connected to the manufacturing plant, which was not designed to be connected to the Internet at all. When you have that connection that increases risk to the organization. That’s something that’s not assessed in their analysis of risk.”

How ubiquitous is open Internet connectivity in supervisory command and control systems? You would be surprised. “Where and when something happens is almost completely under cyber control,” said Jason Larsen, a principal security consultant at the group IOACTIVE. “Opening and closing valves is almost always under cyber control.” Larsen spoke during a demonstration that showed how un opening and closing of valves can cause heat and pressure buildups as well as massive container destruction, and leaks of volatile or poisonous chemicals.

Of course, you, as the plant operator, could just call in engineers to monitor or fix the problem, but you fired them to save money, remember? Westin calls it “a perfect storm in a lot of ways.” He predicts the compromise of a major manufacturing plant in the next two years. “It will be something where we see a loss of life. That’s going to change everything.”

While his clients trend toward energy companies, it’s the chemicals and pharmaceutical plants that cause him the most stress. He singled out companies like Bayer and Pfizer, based just outside of Pittsburgh, as particularly attractive targets. “I flew into Pittsburgh and looked down at some of these plants along the river. Imagine the environmental impact if some of chemical leaked out?”

It’s that classic cyber-Pearl-Harbor scenario that former Defense Secretary Leon Panetta warned of in a 2012 speech, and which has since prompted massive increase in cybersecurity spending, much to the benefit of people like Westin. But he says many companies could implement solutions to fix some of these vulnerabilities themselves, do so quickly, and at not necessarily by hiring a fancy hacker team to hunt for bugs. For starters, simple two-factor authentication and other means to keep passwords safe should be much more common. They’re exactly the sorts of measures that the Office of Personnel Management was able to quickly put in place after a major breach. Westin says that password and credential loss is the most common major vulnerability and a lot of that springs from human error, rather than brute force attacks, that don’t use stolen credentials.
Humans are the solution, but they’re also still the problem.
DefenseOne: http://bit.ly/1WoONX4

 

« Switzerland & Austria Investigate Claims of Electronic Spying at Iran Talks
Artificial Intelligence: Myths, Facts and Future »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

SABSACourses

SABSACourses

SABSA is a development process used for solving complex problems such as IT Operations, Risk Management, Compliance & Audit functions.

F5 Networks

F5 Networks

F5 products ensure that network applications are always secure and perform the way they should—anywhere, any time, and on any device.

MarQuest

MarQuest

MarQuest provides services and systems to enhance network reliability and security.

Kaymera Technologies

Kaymera Technologies

Kaymera’s comprehensive mobile enterprise security solution defends against all mobile threat and attack vectors.

techUK

techUK

techUK represents companies operating in the tech sector in the UK. Focus areas cover all aspects of ICT including cyber security.

Introspective Networks

Introspective Networks

Introspective Networks (IN) is a Cybersecurity company focusing on securing data in the network and automating knowledge work to decrease vulnerability points to critical infrastructure.

ISARA Corp

ISARA Corp

ISARA Corporation is a security solutions company specializing in creating class-defining quantum-safe cryptography for today's computing ecosystems.

VKANSEE

VKANSEE

VKANSEE offer the world's thinnest optical fingerprint sensor for mobile device protection.

GuardSight

GuardSight

GuardSight is a provider of specialized cybersecurity services to safeguard businesses, government, and remote workers against sophisticated cyber threats.

Sylint

Sylint

Sylint is an internationally recognized cyber security and digital data forensics firm with extensive experience discretely addressing some of today’s biggest cyber breaches.

Core Sentinel

Core Sentinel

Australia's #1 Penetration Testing Service. Make Your Systems Fully Compliant With Our OSCE CREST/CISA Certified Penetration Testing.

Data Priva

Data Priva

Data Priva is the UK's leading subscription-based data protection, governance, risk and and compliance service.

Pessimistic Security

Pessimistic Security

The team behind Pessimistic helps blockchain startups meet modern security challenges since 2017.

Data Defenders

Data Defenders

Data Defenders provide information security technology solutions that empower consumers, businesses and governments with safe and secure IT and cybersecurity infrastructures.

Papua New Guinea National Cyber Security Centre (PNG NCSC)

Papua New Guinea National Cyber Security Centre (PNG NCSC)

PNG NCSC is a jointly funded initiative enabling PNG to benefit with the most advanced cyber protection of its critical information and communications technology infrastructure.

Hive

Hive

Hive is a leading provider of cloud-based AI solutions to understand, search, and generate content, and is trusted by hundreds of the world's largest and most innovative organizations.