Archer

This year, we helped you stay on top of attacks and events impacting power plants, factories, critical infrastructure and more.

Archer News took you around the world to see new research into industrial systems security — and how it can affect you.

Here are highlights from 2018.

Your Water

First, a warning about water — one of our most basic needs.

A researcher in Singapore says many water companies are not ready to protect themselves, or people’s drinking water, from attacks online.

Riccardo Taormina of the Singapore University of Technology and Design said in September that water utilities often don’t have the right training or staff to keep their industrial systems safe.

“I think they should focus on how to prevent the attacks,” he told Archer News. “I also believe that managers in the water sector should consider implementing security guidelines even if compliance is not mandatory, but merely voluntary.”

The American Water Works Association told Archer News it is indeed a challenge for the more than 50,000 water systems in the U.S., most run by cities or other small governments, that often can’t afford super skilled security staff.

The group has created special cyber security guidance just for water utilities. 

Your Water Under Attack

Attacks did happen on water companies this year, as we reported in February.

Not cyber intruders changing chemical levels in water like in 2016, but in some cases, cryptomining on industrial computers.

Radiflow says an employee at an unnamed facility downloaded a file he thought was safe, but it was not, and it took over water plant computers.

More Holes

You also learned about a 30% increase in security holes reported for industrial systems this year over last.

Like the critical vulnerabilities found in the Schneider software InduSoft Web Studio and InTouch Machine Edition, as we reported in May.

Schneider put out a warning and a security update.

Speedy Attack

You saw the hunger for hacking into critical infrastructure in August.

Security company Cybereason set up a decoy substation online under the name of a well-known utility.

Researchers say in just two days, attackers took it over and put it up for sale on the dark web.

Within ten days, the new owner launched attack operations.

Luckily, it was just a test.

Target: Safety System 

It was no test, however, at a plant in the Middle East.

Researchers revealed details about the multi-named Triton/Trisis/Tri-X/Hatman malware at a security conference in Miami in January.

The malware targeted Triconex safety controllers, which are designed to warn you if something goes wrong, such as too much pressure or temperatures that are too high, to prevent shutdown, damage or explosion.

The malware could fake a safety problem to shut down the plant or cover up a real safety problem.

“The real danger would be if it like shut off the safety system, but nobody knew the safety system was shut off,” researcher K. Reid Wightman told Archer News in Miami.

Plants need to separate the safety controllers and keep them on their own network, researchers advise.

You can also physically lock them up to keep bad guys out.

And monitor the controllers to see what kind of information is going in and going out.

Planes, Trains & Automobiles

This year, we showed you security gaps in planes, trains and automobiles, including a way to hack a flying plane’s Wi-Fi and satellite communications — from the ground.

Operators of a tram in Austria left its controls exposed online, so bad guys could mess with the speed and cable tension.

The car hacks continued this year, this time with BMWs.

Researchers showed how cyber crooks can take over parts of the car while you’re driving, and BMW promised to provide a fix.

Ships, too

Archer News took you to the Black Sea in Sochi, Russia, to see how yacht owners are making it too easy for attackers to get into their industrial and communications systems.

The digital pirates can freeze the ship with ransomware and/or spy on celebrities through yacht microphones and cameras.

“Best paparazzi system,” Stephan Gerling said to Archer News in an interview a few hundred yards from the Black Sea. “Maybe the celebrities should think more about that.”

They can also take over ships of all sizes and steer them off course, other researchers said.

Experts recommend ship operators keep their operations systems separate from their other computer systems, encrypt their communications, and change the passwords that come on their devices.

Not just ships, but the ports themselves are targets, too.

The Port of San Diego was hit by ransomware, as well as the Port of Barcelona.

Squeezing in through Security Cracks

The attackers can come in through robots in your plant or factory, as you saw in March.

Or by drone, warned a security expert in August.

Or perhaps through your own workers.

Researchers in Sweden in October explained how easy it is to break out of “operator jails” — the digital bars put around employee workstations and computer kiosks to keep users from going astray.

“The easiest and most common ways to break out I’ve found until now is just pressing the shift key 5 times,” security researcher Frank Lycops said to Archer News in Stockholm. “From there on you can do whatever you want.”

He and security consultant Dieter Sarrazyn urge you to test your own employee workstations and kiosks to see if your people can get out of jail and do damage.

“Good people need to know about it as well because they have a false sense of security. They think they are secure but actually they’re not,” Sarrazyn added.

Joining the Fight

The good news? 

More people are joining the fight to defend industrial systems, like one of the world’s popular breweries in the Czech Republic, protecting your pilsner.

“We have to think about it,” said Ondrej Sykora of Plzensky Prazdroj (Pilsner Urquell) to Archer News in Madrid. “We have to maybe think a little bit more effective about it.”

Researchers are working to identify more industrial system security gaps so they can be fixed.

That means critical systems should become safer as organizations work to close those gaps.

And there is more info — and outreach — to help you learn more about protecting industrial control systems, like the ICS Village.

It Takes a Village?

The ICS Village is a model plant that travels to conferences and events to show you how cyber invaders get into industrial control systems — and you can even try it yourself.

“Because so many things depend on it,” ICS Village’s Bryson Bort told Archer News in Anaheim in August. “Loss of electricity does equate to loss of life. And we’ve seen that happen before.”

ICS Village even went to Washington, D.C. to connect with lawmakers about industrial cybersecurity.

“Since we’re talking about critical infrastructure, right? That’s the kind of thing that’s going to impact your life,” Bort said. “We’re just trying to promote and spread that as far as we can, so that everybody’s safer.”

Thank you for spending part of your year with Archer News.

Here’s to more great industrial security stories in 2019!