Health and safety threats, terrorism and online data attacks are often seen as distant risks confined to the news headlines. In practice, they are becoming daily realities that ordinary SMEs need not only to be aware of but also to plan against, in large and small ways. Jon Herbert looks at the potential impacts.
The first reaction of many managers is likely to be that risks falling under the label of ‘cybercrime, security and terrorism’ are freak events that shouldn’t trouble the ordinary hard-working company simply trying to provide a service, maintain employment, generate wealth and be good business neighbours.
Unfortunately, a range of new and rapidly evolving contemporary risks is making everyone vulnerable. Whole countries can be shut down, and the weak point can be your own computer.
Some threats are extremely simple and direct. Others are complex, remote, affect the commercial community at large and can easily have lethal, injury and trauma consequences.
As recent international news events have underlined, firms should have effective evacuation procedures in place, even though official advice as to what individuals should do if caught up in an incident in a public setting is not clear.
Closer to home, it is not inconceivable that an ordinary firm will have to deal with simple but potentially injurious forms of protest. Suspicious powders sent by post, sharp and pointed objects arriving in the mail, the possibility of firebombs, and even in some cases the herding of livestock into commercial premises all have H&S implications.
Straightforward though these might seem, one of the largest impacts is often the lasting trauma felt by the staff members who happen to be involved.
The retail and distribution sector is a particularly vulnerable industry. Motives may be linked to disgruntled ex-staff, objectors to products up for sale, links to specific countries, or even parts of a company’s business history.
More commonly, so-called cybercrimes are damaging companies. Whether an attack is sophisticated and extremely well planned, or simply the work of a talented ‘geek’ keen to show off his or her IT prowess, the most common point of vulnerability is a company’s own staff. This is an immediate area for education and explanation.
Even the most advanced online attacks often gain entry by fooling and leading unaware employees into accepting and opening contaminated emails that allow first-wave malware into company systems.
Once inside, they can wreak havoc within increasingly IT-based operational and management systems. Seemingly innocuous phishing emails can open up the digital equivalent of a postern gate allowing cyber intruders into the castle.
One cybercrime expert recently pointed out that while this threat mainly concerns corporate IT experts, associated control system failures can result in serious incidents and human injuries.
He added, “The biggest threats are the people you work with, your staff. These are the people who let these threats into your system. This can be through breach of internal policies, or just plain ignorance, meaning people are using computer technology who don’t necessarily understand its power or understand its weaknesses.”
How bad can it get?
One of the worst cyber-attacks crippled industry throughout Ukraine on 23 December 2015. The country’s electricity network was shut down for several hours, leaving 225,000 people in darkness, and the attackers deliberately prevented engineers from bringing the network back up to normal.
The US Department for Homeland Security recently blamed international hackers for an exceedingly well-planned assault which took six months of intense activity to prepare.
Although the attack targeted Ukraine’s energy network, similar assaults could compromise power stations, water and wastewater treatment plants, manufacturing facilities, emergency care services and mass transit systems in advanced countries such as the UK, with an indirect but extremely severe knock-on effect for companies, commuters and the public.
Mitigating the effects is something that alert businesses might want to prepare for.
An investigation into what happened in Ukraine – which 30 years ago this April suffered the Chernobyl Nuclear Power Plant disaster, releasing 100 times more radioactive pollution into the environment than the two nuclear warheads dropped on Japan in 1945 – is now part of a dedicated campaign.
There is evidence that hackers sent emails to the offices of the power utility company Prykarpattyaoblenergo with Microsoft Word documents attached which, when opened, installed malware. Although firewalls separated the affected computers from the control systems, the malware allowed internal attacks on passwords and logins, giving access to the supervisory control and data acquisition (Scada) systems.
After months of effort, this gave the attackers remote desktop access, which they used to cut power at 17 sub-stations. They were careful to ensure that power supplies could not be restored automatically; engineers had to visit each sub-station and restore it manually.
In the UK, it is estimated that this manual restoration could take one to two hours under a similar attack.
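The intrusion described above began with Word attachments that installed malware when opened. The following is an added example, not code from the article or from any of the organisations it names, of the kind of mail-gateway check a defender can run on inbound attachments: it detects Office Open XML packages that carry a VBA macro project and flags legacy binary Office files from external senders for deeper inspection. The file names, sender addresses, internal mail domain and attachment bytes are all constructed for illustration.

```python
"""
Added example (not from the original article): a minimal mail-gateway check that
flags inbound Office attachments carrying VBA macros, the delivery method the
article describes for the Prykarpattyaoblenergo intrusion. All file names,
sender addresses and attachment bytes below are constructed for illustration.
"""
import io
import zipfile

# Legacy binary Office files (.doc/.xls) are OLE2 compound documents with this magic.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# Inside an Office Open XML package, VBA code lives in a vbaProject.bin part.
MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}

INTERNAL_DOMAINS = {"example-utility.test"}  # constructed: our own mail domain


def classify_attachment(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml', 'ole2' or 'other' for an attachment body."""
    if data.startswith(OLE2_MAGIC):
        # Legacy format: macros cannot be confirmed without parsing the OLE streams
        # (e.g. with oletools' olevba), so report it as needing deeper inspection.
        return "ole2"
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = set(z.namelist())
        except zipfile.BadZipFile:
            return "other"
        if names & MACRO_PARTS:
            return "ooxml-macro"
        if "[Content_Types].xml" in names:
            return "ooxml"
    return "other"


def review_message(sender: str, attachments: dict) -> list:
    """Return (filename, verdict) pairs worth quarantining or inspecting."""
    domain = sender.rsplit("@", 1)[-1].lower()
    external = domain not in INTERNAL_DOMAINS
    findings = []
    for name, body in attachments.items():
        kind = classify_attachment(body)
        if kind == "ooxml-macro":
            findings.append((name, "quarantine: macro-enabled Office document"))
        elif kind == "ole2" and external:
            findings.append((name, "inspect: legacy binary Office file from external sender"))
    return findings


def make_ooxml(parts) -> bytes:
    """Build a tiny Office Open XML-style ZIP in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        for p in parts:
            z.writestr(p, b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inbound message from an external supplier address.
    msg = {
        "invoice.docm": make_ooxml(["word/document.xml", "word/vbaProject.bin"]),
        "minutes.docx": make_ooxml(["word/document.xml"]),
        "report.doc": OLE2_MAGIC + b"\x00" * 64,
    }
    for finding in review_message("billing@supplier.test", msg):
        print(*finding)
```

The check keys on file contents rather than on the extension, because a renamed `.docm` still contains its `vbaProject.bin` part. Legacy `.doc` files are only flagged for inspection, since confirming a macro there means parsing the OLE streams, which is a job for a dedicated tool rather than a gateway filter.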
It may come as a shock to know that UK power company systems are under constant cyber-attack and it is entirely possible that their defences could be breached, according to the University of Cambridge’s Centre for Risk Studies, which adds that, “… there’s a lot of people working very hard to stop it.”
Nevertheless, hackers are constantly searching for security weaknesses in control systems.
The positive news is that it took the Ukraine hackers half a year of arduous work to create short-term havoc. Even so, countering the threat creates high bills for power companies, which consumers ultimately have to pay.
A year ago, the Chancellor, George Osborne, predicted that attacks on the UK’s electricity network could cause ‘loss of life’ and an extra £1.9 billion is being committed over five years to bolster GCHQ’s cyber capabilities.
This has led to a search for other ways in which industrial control systems (ICS) that control plants and machinery can be overridden.
According to Scada Strangelove, a community of security researchers working to find exposed ICS systems online, more than 80,000 different kinds of ICS systems are now connected directly to the Internet. Many of those running on Windows or Apple systems are vulnerable and need to be taken offline.
Hardware makers have put a lot of work into updating their control software, often pushing new versions to devices without customers even knowing.
Another organisation on the case is Crest, which is researching the security of the operational components of the UK’s infrastructure. Its aim is to find out whether ethical hackers need new skills to beef up its digital defences.
Crest is frustrated by the attitude of many companies intrinsic to the nation’s key infrastructure that feel they are not exposed.
The main focus is on poorly protected operational IT systems that are connected to important operational technology (OT). This includes remote machinery in the field and distant installations.
There are many downloadable ‘tools’ that can be used to interrupt corporate IT.
When Google was hacked in Australia in 2013, it wasn’t its search engine or advertising platform that was targeted but its building!
It is estimated that many thousands of buildings are now connected to the Internet, including churches, hospitals and important industrial and research facilities.
A large proportion are not password protected, and where they are, default passwords are easy for online intruders to get past.
Although smart buildings offer many environmental and business advantages – energy savings of 20% to 25% can be made – access to heating, cooling and lighting control systems, and even security doors, poses potential H&S threats.
The impact can be even greater if essential systems, such as extraction and air quality equipment, are included. Interfering with power supplies can be even more destructive.
In one case, millions of customers’ credit card details were stolen via a break-in made through the heating and ventilation system.
Another possibility is ransomware attacks, where hackers encrypt a company’s computers and only decrypt them on payment of hefty financial sums. Building management systems can provide the perfect entry point.
Companies large and small, with thousands or a handful of workers, are equally vulnerable. Systems and H&S managers have an equal interest in working out the consequences, keeping smart systems well away from corporate networks, and being aware of the many forms of modern threat.
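Keeping building management systems away from corporate networks is easier to state than to verify. The following is an added example, not code from the article or from any organisation it names, of a small audit over flow records that flags traffic crossing between a building-management zone and either the corporate network or any address outside the site. The zone subnets, the permitted jump host and the sample flows are all constructed values; the external address uses an RFC 5737 documentation range.

```python
"""
Added example (not from the original article): an audit of constructed flow
records that flags traffic crossing between a building-management (BMS) zone and
the corporate network or addresses outside the site. Subnets, hosts and flows
are illustrative values, not a real site.
"""
import ipaddress

# Constructed zones; a real deployment would take these from its own network records.
ZONES = {
    "bms": [ipaddress.ip_network("10.50.0.0/24")],   # HVAC, lighting, door controllers
    "corp": [ipaddress.ip_network("10.10.0.0/16")],  # office workstations and servers
}

# The only corporate host permitted to reach the BMS zone (e.g. a hardened jump host).
ALLOWED_TO_BMS = {ipaddress.ip_address("10.10.9.5")}


def zone_of(addr: str) -> str:
    """Map an address to a named zone; anything unlisted is treated as external."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in n for n in nets):
            return name
    return "external"


def audit_flows(flows):
    """flows: iterable of (src, dst, dport) tuples. Returns (flow, reason) pairs."""
    findings = []
    for src, dst, dport in flows:
        sz, dz = zone_of(src), zone_of(dst)
        flow = (src, dst, dport)
        if dz == "bms" and sz != "bms" and ipaddress.ip_address(src) not in ALLOWED_TO_BMS:
            findings.append((flow, f"{sz} host reaching BMS zone"))
        elif sz == "bms" and dz == "external":
            findings.append((flow, "BMS device talking directly to an outside address"))
        elif sz == "bms" and dz == "corp":
            findings.append((flow, "BMS device initiating a connection into the corporate network"))
    return findings


# Constructed sample flows: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.10.9.5", "10.50.0.20", 502),     # jump host -> controller: permitted
    ("10.10.3.44", "10.50.0.20", 80),     # workstation -> controller web UI: flagged
    ("10.50.0.21", "198.51.100.7", 443),  # controller -> outside address: flagged
    ("10.50.0.20", "10.10.2.2", 445),     # controller -> corporate file server: flagged
    ("10.10.3.44", "10.10.2.2", 445),     # corporate -> corporate: ignored
]

if __name__ == "__main__":
    for flow, reason in audit_flows(SAMPLE_FLOWS):
        print(flow, "-", reason)
```

The rule set is deliberately one-directional: the BMS zone may be reached only from the listed jump host, and BMS devices should never initiate connections outwards. Running such a check over exported firewall or flow logs gives a concrete answer to the question of whether the smart systems really are separated from the corporate network.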
One recent example is both humorous and serious in illustrating just how disruptive and damaging digital invasion might be.
An ethical hacker discovered that he could interfere with the clock timing the games played at Alabama’s Bryant Denny football stadium. It meant that, from his couch at home, he had the power to lengthen or shorten games.
Imagine if you had money riding on the results.
Published by Croner-i on 12 May 2016