What would you rather experience this December: a ‘black festive season’, with issues and uncertainty around energy, water and other critical infrastructure, or ‘Green-for-Go’ holidays – with running water, operational communications and all the lights on?
The answer is pretty obvious, says Stefan van de Giessen, general manager: cybersecurity at value-added distributor Networks Unlimited Africa, explaining: “South Africans have been on quite an emotional roller-coaster in the past couple of years. Around the country, people have been subjected to power and water cuts and shortages, with all the related effects.
For example, we have all come to realise that when the power goes out, it has potential consequential effects on optimal water supplies and communications infrastructure as well – for example, the landline telephone systems of business organisations go down during a power outage, which in turn can overload mobile networks, as individuals turn to their mobile phones. It is disheartening to think that we could have a ‘black’ holiday period if critical infrastructure issues continue to loom through the end of the year and beyond.
“On the other hand, we are known to be a resilient nation, and never more so than as represented in the recent Springbok win in the 2019 Rugby World Cup final. The South African team arguably went into the final somewhat as underdogs, but showed their opponents a truly united front and lived up to the slogan #StrongerTogether, which had been the battle cry throughout the World Cup tournament. From a business perspective – in addition to the collective joy of the nation – there are lessons that can be learned and applied.”
Van de Giessen explains that, as industrial and critical infrastructure companies globally embrace the importance of being connected to the Industrial Internet of Things (IIoT), cybersecurity experts caution that companies need to protect their industrial plants from being hacked. To this end, Networks Unlimited Africa has recently partnered with Indegy, a leader in industrial cybersecurity that protects industrial control system networks from cyberthreats, malicious insiders and human error.
“Indegy as a company was born from a unique combination of its founders’ talents and experience in both the engineering, IT and military arenas,” clarifies Van de Giessen, “making it a perfect example of the ethos of being ‘stronger together’. The company was founded with a mission to bring visibility and control to critical infrastructure and industrial control systems (ICS) networks, following on from a surge in the number of hacking attempts targeting critical ICS.
This, in turn, was a result of the fact that many industrial operations are running on old control systems and are very vulnerable to today’s cybercriminals, having been built before the cyber threat existed.
“These older industrial control systems were designed for operational reliability and safety, but they lack the visibility and control parameters that come with today’s newer technology. In the past decade or so, the rapid introduction of IT convergence across production and supply lines, and the way in which operational technology (OT) is automating the modern world, have together opened up new vulnerabilities for industrial infrastructure. Indegy undertakes to protect industrial control systems from external cyberthreats, malicious insiders and human error.”
To name but few, examples of these critical infrastructure vulnerabilities include the following incidents:
- In 2013, Iranian hackers breached the Bowman Avenue Dam in New York and gained control of the floodgates. While no significant damage was done, this attack was regarded as being a warning of future possibilities.
- In December 2015, hackers cut off the lights to 225,000 people in Ukraine, and a year later, the country’s capital, Kiev, experienced another attack, which this time cut the power in its entirety to hundreds of thousands of residents.
- In March 2019, an American renewable energy company was attacked by hackers and even though no significant damage was done, security experts said the attack was a wake-up call for the energy industry in that country.
- The Nuclear Power Corporation of India Limited recently confirmed a cyberattack on its nuclear power plant in Tamil Nadu, India, in September 2019.
- In South Africa, the City of Johannesburg’s network was breached twice: by hackers in October, demanding a ransom to be paid in Bitcoin, and three months before that by a virus, which encrypted the City’s database and meant that consumers were briefly unable to access the website or buy power units.
“There are many more examples,” says Van de Giessen, “and in fact a recent report by the Ponemon Institute – which specialises in cybersecurity and privacy issues – that was released earlier this year, showed that critical infrastructure had been significantly breached over a two-year period in the United Kingdom, the United States, Germany, Australia, Mexico and Japan. Over 700 security professionals answered the survey anonymously, and amongst other findings, the report showed that over half the attacks had resulted in downtime of critical systems.
“This is an astonishing – although not unsurprising – revelation. Here in South Africa, we believe it is imperative for state-owned entities to understand the importance of protecting themselves against both external threat possibilities, as well as internal human errors that result in downtime and worse.”
“When we are dealing with critical infrastructure, we need to remember that as well as the enormous costs of repair and replacement, loss of income and potential reputational and environmental damage, human lives can also be at risk.”
“It is therefore far better to protect our critical infrastructure and strengthen operational efficiencies by factoring in desirable habits around maintenance and repairs, according to the requisite schedules. In this way, by working together, we can plan a ‘green’ rather than ‘black’ end to the year and into the future,” he concludes.