“The biggest threat to UK systems isn’t the hackers,” says Derek Burton, Company Leader at Cougar Automation. “It’s the lack of ongoing oversight and review by organisations providing critical services. In the same way that many NHS systems were affected as a result of operating out-of-date systems, it is likely that most industrial control systems are highly vulnerable to this particular attack.”
Cougar Automation is a well-established supplier of System Integration Services. Their team of more than 100 engineers has been offering such services as industrial control and automation, cyber security and safety for more than 25 years from their offices across the UK. Their customers include oil and gas storage facilities, water supply companies, and the transportation industry.
Burton warns that the recent attack gives us a glimpse of what could happen if other critical systems went down across the country.
“We take these kinds of warning signs of what could happen if areas such as our energy or water supply were hit,” explains Burton. “Cyber security is a relatively new concept in the world of industrial automation and control systems used to manage such life-essential areas. And most systems were installed without considering cyber security. There are a lot of systems out there that are older legacy systems. Cyber attacks were the furthest thing from anyone’s mind when they were developed and installed.”
The bad news is that the patch created for this particular ransomware probably hasn’t been applied to many computers that are part of industrial control systems. Even worse, some computers that form part of industrial control systems are likely to be running very old versions of Widows that may not be able to be patched.
Burton also warns that some companies don’t keep up with the needed fixes developed to protect them. “Some organisatons are leaving themselves unnecessarily vulnerable to attack. The ransomware that hit the NHS had a fix developed for it in March, but it managed to get through to numerous unprotected systems.”
The Health and Safety Executive (HSE) recently issued guidelines for operators of major hazard workplaces to ensure they are managing cyber security appropriately. Inspectors will be visiting all such sites across the UK to ensure they are taking the steps needed to protect their sites from cyber threats.
“This guidance offers a great way to ensure organisations are protected where cyber-security could pose a major accident risk to the health and safety of employees, members of the public or the environment,” says Burton. “But these inspections don’t cover the protection of critical infrastructure, such as utility networks, process plants or manufacturing systems.”
The cyber-security team at Cougar recommends that organisations providing goods and services critical to the daily lives and working of the UK take steps immediately to ensure they are safe, including:
Identify all computers in their industrial control system that are running Windows operating system.
Apply the security patch (and any other missing security patches) to computers running Windows versions new enough to be patched.
Unless they are critical to your ongoing operations, immediately shut down any machines running older versions of Windows that cannot be patched until they can be upgraded to secure versions of Windows.
While these actions will protect against this specific threat, and increase security in general, it is vital that all operators of industrial control systems put in place ongoing security against the wide range of evolving threats they faced.
“The good news is there are ways to protect systems easily and reduce the vulnerability of UK networks,” says Derek. “We work with customers to ensure they are taking the steps needed, and that they understand the need to never let their guard down.”