A View Into the Future № 2 September 2017
Pirates of the 21st century
Digital technology has become an essential part our lives, and has solved many of our issues; however, technology has also created new threats. Cyber criminals can not only steal our money, but also cause more tangible damage, like an environmental disaster through a major industrial accident. But we can reduce the risks. The secret of success is in working with people, just as much as with machines.
In May 2017, one of the largest cyber attacks in the history of the internet was unleashed. Hundreds of thousands of computers in 150 countries were held hostage. The WannaCry virus, using the vulnerabilities of the Microsoft Windows operating system, encrypted victims’ files. For a ransom, the cyber criminals offered to return the data.
The virus paralysed companies and governmental organisations around the world. The damage from the attack was in excess of $1 billion in the first four days alone. After an investigation, it turned out that the attackers used data on vulnerabilities originally collected by the American intelligence services.
A strong weak link
Positive Technologies, a cyber security company, reported that in the first quarter of 2017 there were only five days without cyber attack complaints. According to their statistics, most attacks - 41% - target America. As the victim of 10% of all attacks, Russia takes an ‘honourable’ second place.
Most often, governmental organisations fall victim to hacking (20%). Social networks, search engines, online stores and other online services are the target of every ninth attack (11%). The statistics for financial services (9%) and industry (5%) are slightly better.
Cyber criminals adapt to their victims’ behaviours by carefully monitoring them and selecting the most vulnerable targets. Some experts see the current volatile geopolitical situation as a factor in the large number of attacks on the public sector. As for the private sector, the choice of victims reflects market conditions. As the manufacturing industry grows, it becomes more appealing to cybercriminals.
‘Attackers do not take days off or holidays,’ notes Olga Zinenko, an analyst at Positive Technologies. She predicts that the number of attacks will continue to grow. The risk is high, but often hackers use similar methods, so it is important to eliminate all known vulnerabilities quickly. ‘Most large corporations take information security measures seriously. They understand the consequences of negligence in protecting their network and prefer to learn from others’ mistakes, preventing threats in advance,’ says Tatyana Medova, executive director of Smart-Soft.
Smart technology and automation have significantly increased productivity, but have at the same time, rendered production systems vulnerable to cybercriminals. Electronic control systems and remote access, especially if used widely, create loopholes for hackers.
Who is in charge?
However, often companies leave a tiny window open in their digital fortresses with complex password and access code locks. It is bad enough to allow a malfunction in the production management system, which can lead to financial losses or physical damage to equipment, but worse still, this can cause an accident with devastating environmental consequences.
The Internet and portable storage devices are two the main points of entry. Everybody sees linking up to the global network as the main risk, but seemingly harmless USB drives should not be dismissed so easily.
In 2016, hackers targeted the RWE-owned Gundremmingen nuclear plant in Bavaria. As officially admitted by a representative of the plant, the hackers infected its computers with viruses. As it was serving one of the nuclear reactors, the system under attack was not connected to the Internet. After investigation, it was established that the nuclear plant wrongly believed that its computers were safe from viruses without direct access to the Internet, and the attack happened through the use of 18 USBs.
In today’s world, complete digital isolation is tricky. According to experts, IT risks are already greater than the expertise of the Information Security Department. Today every employee is simultaneously a potential threat and the first line of information protection defence of a company. Most large virus attacks, according to experts, involve a human factor.
‘Users often forget to update or disable an antivirus, or change its settings, preventing it from detecting attacks. Many see antivirus software as an annoyance, and cyber threats as made up by IT administrators,’ says Vyacheslav Medvedev, a leading analyst in the development department of Doctor Web. He adds that with security systems properly used, a Trojan could not encrypt data. Cybercriminals exploit such negligence. Typically, hackers attack through installed applications, which users often forget to update regularly. ‘Every application and service has its weaknesses. The fact that users do not know about them does not mean that intruders cannot use them,’ he adds.
WannaCry revealed another issue. Although most companies have encountered data encryption attacks, few know what to do to prevent these problems, says Vyacheslav Medvedev. Only a few companies have a specialised team that knows whom to notify in case of problems or provide backup equipment.
The British programmer Marcus Hutchins, who is credited with neutralising the WannaCry virus, was arrested in August in the USA, accused of spreading Kronos, a different malware programme.
Educate and protect
In 2014, hackers attacked a steel mill in Germany. The attackers sent out virus-infected spam emails to employees, allegedly fr om contractors. When the virus infected a computer, the hackers took control of the facility’s production network, intercepted control over the blast furnace management system, and disabled one of the furnaces. The exact losses were not disclosed, but according to the official report they were significant.
This kind of attack is known as phishing. It works like this: an email with an attachment fr om a familiar recipient, like a supplier or a client, arrives in an employee’s official inbox. Even opening such an email is enough for the virus to infect that computer. Using malware, attackers then gain access to classified information fr om contracts and projects, work estimates, building drawings, and electrical and information network plans.
‘There have been instances when attackers changed technological parameters without malicious intent, simply out of curiosity’, said a representative of Kaspersky Lab. In the last three months alone, the company recorded over 500 companies in 50 countries that were attacked by infected spam emails, 80% of which were industrial companies.
There are two ways to fight phishing. The first is to strengthen the defence that can block suspicious emails. ‘A simple anti-spam programme reduces the probability of falling victim to crypto-hackers by more than 90%,’ explains Vyacheslav Medvedev.
But no security system is without flaws. Therefore, the second thing that any company should invest in is employee training. Members of staff need to be able to recognise suspicious emails or respond promptly in case of attacks. ‘Today, there are training systems that simulate dangerous environments, such as WannaProtect or Phishman. These systems test staff by sending them pseudo-phishing emails, followed by issuing educational materials to those who fail the test,’ explains Yakov Grodzensky, head of information security at System Software. ‘This kind of training helps to keep employees on their toes and protect them from criminals, viruses and other harmful elements.’
Widely spread secrets
Another reason experts strongly recommend that companies teach employees the basics of cyber-literacy, is that more often than not confidential information is not stolen by hackers, but rather shared by employees. The largest channels for data leakages are social networks. Forbes executive editor Michael Noer once remarked, ‘What the CIA could not achieve in 60 years, Zuckerberg managed in seven. He learned what people think, read, listen to, whom they know, wh ere they live, for whom they vote, wh ere they travel, and what they worship.’
Today’s social networks are made of terabytes of information in the public domain, willingly updated by users themselves. ‘Employees may not even realise how their seemingly harmless posts and comments can reveal confidential information. For example, by simply sharing a picture of a new prototype, a member of staff can give third parties access to it. Even if the picture is deleted, somebody could have saved the file beforehand. It’s possible to find any information ever uploaded online, if you look hard enough’, according to the founder of the corporate social network Loqui Business, Dmitry Benz.
Corporations and governments are always looking for ways to reduce cyber risks. They restrict access to social networks, or, on the contrary, launch their own corporate social networks with similar functionality to their online counterparts, with access to group discussions, news feeds, instant messaging, comments and assessments.
The corporate version of Facebook known as Workplace offers the same tools as its free version, but the staff corporate accounts are not linked to their personal accounts. Loqui Business allows users to find employees through a smart filter, post offers about goods and services and store working contacts with their location.
‘As a result, the corporate social network is a kind of safe environment for informal corporate life. It acts as a guarantee that employee communication will not result in reputational and financial losses for the company,’ sums up Benz.
Perhaps this is one of the most effective ways to combat the main loophole for cybercriminals – human error. Although it is hard to continuously build barriers to entry, while at the same time creating a safe environment for users, it is important to explain why such measures are necessary. After all, few employees would want to be a culprit in the disclosure of confidential information leading to major losses for their employer, or, worse, to an accident damaging the area wh ere they live. Along with the improvement of software protection systems, employee cyber training is becoming an effective weapon against criminals.
IM talked to Mikhail Yulkin, Director General of the Centre for Environmental Investments.
Industry is moving further away from its original paradigm. The trend now is towards a circular economy – a system that drives the restoration and regeneration of resources through high-tech facilities, the sharing of end products and the reduction of waste.
IM has spoken to a group of sector experts about Russia’s capacity for the development of a circular economy, how relevant this would be and the potential benefits.
Arctic exploration, the development of Siberian deposits and the expansion of industry in the Ural region – this all sounds very modern...