Stopped steel mills, cut off power supplies to industry or communities, threats and extortion. There are many examples showing that industry is a vulnerable sector when it comes to cyber threats and cyberattacks. SSG is now launching a cyber security course after SSG's cyber security industrial work group identified the great need that exists. The training helps companies in the industry to increase the awareness of employees and entrepreneurs.
SSG, in consultation with the working group, has developed the content for the new SSG Cyber Security training, with the ambition of meeting the needs that exist within the industry. The aim is to raise the general level of knowledge about cyber security risks, especially in OT environments. The training creates awareness of the devastating consequences that a cyber-attack can have. The content is based on the standard developed by the group and teaches how cyber-safe behavior can prevent an industrial facility from being affected.
– All member companies in the working group have training for administrative staff and information users. Today, there are several types of cyber security awareness programs in almost all companies. But process technicians, our colleagues who work with production, do not always have adapted training in the field. That's where the idea arose: why not do something together that is part of another standardization work that we are all already active in? says Patrick Andersson, one of the members of the working group and Head of Information Security and Privacy at Stora Enso.
The industrial IT environment carries greater risks than traditional IT, such as administrative systems, because large industrial investments live for a long time. There are systems in industrial workplaces that have existed for a very long time, and the machines used have also existed for several years. Many have more or less always used the same systems and machines during their working hours.
– You might think, "What could happen to the machine that has always existed?" There are many examples of industrial systems that are connected to the Internet, for convenience. But cybercrime or cyberterrorism can exploit it. Here we see that there is a lag within the industry in general. Not in all industries, but generally within the manufacturing industry. There are several vulnerable sectors; one can look to the financial industry to take a fairly simple example. But then comes the manufacturing industry. The risks that are specific to the industry are usually due to old technology that is insufficiently secured for today's cyber threats, says Patrick.
The new course, SSG Cyber Security, has a validity period of one year, and there is a reason for that. Patrick Andersson believes that awareness is a perishable commodity and that the course needs to be updated within such a period to be kept up to date. Within two or three years, the threats and priorities will change. One year is a good balance; half a year is a bit short, and two years is far too long to catch up with everything that is constantly changing in the field.
When we ask Patrick why you should cyber-secure your company, he tells us that companies that are exposed to threats and attacks suffer direct financial damage from lost production and supplies. In some cases, there may also be a question of fines if you have not secured your company sufficiently. It can also be devastating to a company's reputation if you are not aware and do not take care of your company properly, which in turn can damage sales. He also says that there are many examples of consequences such as stopped steel mills or power supplies cut off for industry or communities. A common risk is equipment that is connected to the Internet without adequate security.
– Another quite common shortcoming is that systems that come from large suppliers are installed exactly as they came with standard login. There are changes that I am aware of, but if we look historically there are many industrial systems from different vendors where the default passwords and default user IDs for the administration of the systems are still active and have never been changed. The first thing a threat actor does if they gain access to a system like this is to test the default login. And bang, they're in, says Patrick.
Statistics show a significant increase in financial crime. There has always been fraud, but cyber-related financial crime is on the rise. Patrick Andersson points out that cyber security cannot be described as an object or a thing. There is no single product, service, or solution that is cyber security. Rather, it is the result of several different types of products, services, and processes that have different types of effects. It is also important not to see cyber security as the result of one person. It is the result of a variety of individuals, all of whom understand the importance of being aware.
– It is important to find passionate people in different areas of a company that positively affect cyber security. And make sure the zealots get their concerns or suggestions heard. They can influence within their areas, contribute to safer solutions, and ensure that these are implemented in, for example, various services. It also contributes to a higher ability to detect and avoid. It is at least as important to discover as to avoid, says Patrick.
Another risk for a company is the human factor. For example, someone might accidentally open a production network to an external network so that it is no longer protected, firewalls might be turned off, or other misconfigurations might occur. Awareness among employees is then especially important, so that potential risks are recognized and incidents avoided. There can also be risks when working with external resources such as contractors.
– There are also risks with having external staff, either physically on-site or digitally. It may be during a service that a configuration change introduces a vulnerability, which a threat actor can then use. Or that you unknowingly introduce an IT component, perhaps you use a service laptop to do an update which in turn is already infected or has an active cyber security threat. When it connects to the industrial environment, it transfers there, says Patrick.
Patrick concludes that it is a matter of constantly raising the level: either catching up and being aware of the threats that exist or, at best, staying one step ahead. It means being motivated and active in the field. Everything that positively affects a company's cyber security is important. If there is time to be active in something that increases cyber security, then it is worth it.