‘USBs are among the most common devices used for cyber attacks’

Client: Shivendra Kapoor
Technologies: Cyber Security
Services: Cybersecurity and Information Security Compliance & Risk Analyst

Shivendra Kapoor, Sr Manager – Functional Safety, Chola MS Risk Services.

The flipside of connectivity is the vulnerabilities that come along. How serious is the threat?

In today’s highly connected, internet-based world, everyone must have had an encounter with a cyber attack, be it
while online banking, at the office, in hospitals, while using social networks or even in operating plants and industries.

As more devices get connected, the vulnerability to cyber attack increases. Vulnerability, in simple terms, is
the weakness in a system that is an easy entry point for the attacker to gain a foothold in your system so as to gain
unauthorised access and create havoc in your system while enjoying access to the wealth of information your exposed
system has to offer. Industry estimates believe the cost of cybercrime damages will be USD 6 trillion by 2021. Have
we forgotten WannaCry, Stuxnet, Night Dragon, etc.? Definitely not. But most importantly, have we learnt any
lessons from these attacks, or are we still confident that nothing bad would happen to us?

How can organisations address the issues of cyber attacks and IT security in the age of connected plants?

Organisations should get moving quickly on performing unbiased security gap assessments (especially for existing
systems) and accordingly implement more robust cybersecurity practices and thoroughly follow documented
policies. It’s like this: if you don’t know that you really have a gap in your security system, how are you going to solve
the problem? Rather, it is often observed that organisations that skip the gap assessment and risk ranking exercise
end up wasting money on risks that actually need less attention but forget to invest money in risks that need urgent
action. The path forward to develop countermeasures to reduce the risk to a tolerable level shall be developed after the
recommendations from the gap assessment exercise. This would be the most effective way to progress in the
cybersecurity journey and ensure that at every stage the correct and most appropriate solution is being executed.

One major threat comes from the growing proliferation of IIoT devices and storage (cloud). How can users deal
with such threats?

First, organisations have to accept the fact that there is a difference between IT and OT. In IT, data confidentiality is
of prime importance, whereas in OT, availability is the topmost priority. Integrity of data is no doubt a key factor
always to be ensured. It should be ensured that the personnel maintaining IIoT devices and systems are different from those
maintaining IT devices, and that there should be a clear understanding of the scope of work, responsibilities and
boundaries between these two teams.

Access to control systems, logic programs, logs, other stored data and connected smart sensors and final elements
shall be under strict administrative control, and a layer-of-protection approach shall be followed. Under no
circumstances shall these be bypassed. This would definitely act as a strong preventive layer of protection that will
help in effective protection against cyber attacks.

A leading cybersecurity player recently demonstrated internal vulnerabilities like USB devices. Are
employees adequately trained?

USBs have been found to be one of the most common devices used for cyber attacks. If the organisation doesn’t
have any cybersecurity policy in place, the USB port is bound to be open and prone to misuse. It’s just so
comfortable to plug in and attack! That’s it! Many times in industries, especially in control rooms, the hard disks of
workstations (connected to the control network or even to the enterprise network) have been found to be fully loaded
with videos, images and inappropriate content, all copied through USB.

Organisations have to be cautious of disgruntled internal employees and external third-party contractors, and should
aptly train personnel and necessarily percolate strict, documented cybersecurity policies within the organisation with
well-defined terms of use, expectations, responsibilities and implications of misuse. I would suggest it should be
treated as ‘Law’ within every organisation.
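The open USB port described above is the part of this answer a practitioner can act on directly. The following PowerShell script is an added example, not code from the interview or from Chola MS Risk Services: it audits whether a Windows workstation (the usual platform for control-room HMIs, an assumption here) can still mount USB mass storage, and with `-Enforce` it applies the standard “Removable Storage Access” deny policy and disables the USBSTOR driver. It assumes the workstation is run elevated and that the setting is not already managed by a Group Policy Object, which would overwrite the local policy key on the next refresh; in a domain the same values belong in a GPO or the endpoint-management tool rather than a local script.

```powershell
# Added example (not from the interview): audit, and optionally enforce, a
# "no USB mass storage" baseline on a Windows workstation. Run from an
# elevated PowerShell session.
# Assumption: the machine is not already receiving this setting from a GPO.
[CmdletBinding()]
param(
    [switch]$Enforce   # without -Enforce the script only reports the current posture
)

# Device setup class for "Removable Disks", as used by the
# "Removable Storage Access" policy (Computer Configuration > Administrative
# Templates > System > Removable Storage Access).
$RemovableDisksClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$PolicyKey  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDisksClass"
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStoragePosture {
    # USBSTOR Start = 3 loads the driver on demand (the default); 4 disables it.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction SilentlyContinue).Start
    # Policy values are absent when no policy has ever been applied; [bool]$null is $false.
    $deny  = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UsbStorDriverStart = $start
        DriverDisabled     = ($start -eq 4)
        DenyRead           = [bool]$deny.Deny_Read
        DenyWrite          = [bool]$deny.Deny_Write
        DenyExecute        = [bool]$deny.Deny_Execute
        # Removable disks currently attached, so an auditor sees whether the
        # workstation is in use as a file-transfer box right now.
        UsbDisksAttached   = @(Get-CimInstance Win32_DiskDrive |
                               Where-Object InterfaceType -eq 'USB').Count
    }
}

function Set-UsbStorageDenied {
    # Two independent controls: the policy blocks read/write/execute on removable
    # disks, and Start=4 keeps the USBSTOR driver from loading at all.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
        Set-ItemProperty -Path $PolicyKey -Name $name -Value 1 -Type DWord
    }
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
}

$before = Get-UsbStoragePosture
$before | Format-List

if ($Enforce) {
    Set-UsbStorageDenied
    Write-Host 'Policy applied; re-auditing:'
    Get-UsbStoragePosture | Format-List
}
elseif (-not ($before.DriverDisabled -or ($before.DenyRead -and $before.DenyWrite))) {
    Write-Warning 'USB mass storage is usable on this workstation; run with -Enforce to block it.'
}
```

Run it without arguments first and keep the output as the gap-assessment evidence for the workstation; only the deny policy and driver state are changed when `-Enforce` is given, so input devices (keyboard, mouse) on the same USB ports keep working. A change in either value afterwards is worth alerting on, since the easiest way around the control is to re-enable it.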

Do companies compromise security by their unwillingness to spend, attributing it to risk appetite?

Yes – especially for those who think SAFETY is not that important and that it can be pushed to the next financial year
when cash flow improves. They may believe that by opting for cyber insurance in their insurance policies they
would be protected in case of a cyber attack. This encourages them to procrastinate on most safety-related activities
like general safety, process safety, functional safety including cybersecurity, etc., till an accident actually knocks
them off – sometimes to the extent of catastrophic accidents beyond which no repair is possible, as the damage
(especially financial and reputational) is already done. Cybersecurity is a part of overall safety, yet it is one of the
most misunderstood subjects.

Even today, industry personnel believe that by installing anti-virus software and having restricted user access they
have cybersecurity systems in place and are free from cyber attacks. It’s a big mistake. These steps, though
crucial, are just a minuscule part of an overall healthy cybersecurity system. Industries have to gear up to the
beckoning world of cybersecurity and implement it as a ‘lifecycle’ concept, especially for industrial cybersecurity,
where they need to follow the IEC 62443 series of standards.

Is there an ideal solution that reaches a fine balance?

With mounting expenses and stiff competition, it’s becoming tedious for organisations to maintain healthy bottom
lines. But this does not mean that basics should be compromised. In this ever-increasing digital age, where
everything is connected and extensive networking is on the rise, there is a need for strict discipline in the way we
currently look at and deal with cybersecurity.

Just compare it with the human body. If we don’t follow a disciplined and healthy lifestyle, we are vulnerable to
attack by external viruses and bacteria, and at times the diseases caused by these may prove fatal.

Similarly, in the cybersecurity world, we need industry personnel to be trained by competent professionals so they
can correctly understand, implement and maintain the requirements set by their respective cybersecurity standards.
Without a disciplined approach and the involvement of top management, it would be impossible to achieve true
protection from cyber attacks.

Shivendra Kapoor is an Instrumentation & Control Systems engineer from Mumbai University, a TUV SUD
Functional Safety Certified Professional (FSCP) and exida FSP (IEC 61511), and has 16 years of international industry
experience in design and detail engineering, EPC, LSTK, site support, process and functional safety consulting,
training and publishing. He is currently employed as Sr. Manager – Functional Safety with Chola MS Risk
Services in Mumbai. He has numerous technical papers published in reputed publications and is a freelance
writer with more than 25 internationally published fiction, non-fiction and short stories.