Risky travel: The missing piece for holistic cyber security risk management

Abstract

What types of risk might the following professionals introduce to their business during a business trip with corporate information assets: CEO travelling to initiate acquisition negotiations; engineer travelling for impact analysis of new inventions with a business partner; VP Marketing travelling to ‘sell’ the benefits of his company’s latest product; cyber security expert responsible for network architecture design traveling to attend HACKFEST conference? The risk common to all these professionals is the exposure of their network to a sophisticated cyber security attack by infection, wiretapping, interception, substitution or sessions replay. This paper defines and considers Operational Technology (OT), as opposed to Information Technology (IT), which refers to computing systems that are used to manage industrial operations rather than administrative operations. Operational systems include production line management, mining operations control, oil and gas monitoring, etc. Due to the nature of the impact of potential threats, OT networks require maximum protection, not only in terms of data but also — and above all — to avoid security breaches that may have an impact on national security or even human life. Stuxnet, Dragonfly and BlackEnergy are well-known malicious programs that have damaged many OT networks, with major consequences for power production, storage and distribution. Stuxnet destroyed much of the centrifuge of Iran’s uranium enrichment programme. Germany revealed in a government report that a steel production furnace had been damaged in a cyber security attack by Dragonfly. At Christmas 2015, several Ukrainian companies in the energy sector were attacked by BlackEnergy, causing blackouts in at least eight regions of Ukraine. The paper concludes by encouraging OT professionals to focus on a model that leans on human, process and technology in order to provide the most appropriate mobility services.