Cyber attacks on industrial plants

27 October 2020

The application context of the NIS Directive

Cybercrime attacks not only computers, but also industrial plants and infrastructures. The NIS Directive¹ sets out, in art. 5 paragraph 2, the criteria that qualify an entity as an operator of essential services:

a) an entity provides a service that is essential for the maintenance of fundamental social and / or economic activities;

b) the provision of this service depends on the network and information systems;

c) an incident involving an operator of essential services would have a material adverse effect on the provision of that service.

To determine the significance of these adverse effects, under art. 6 paragraph 1 the competent NIS authorities consider the following cross-sectoral factors:

a) the number of users who depend on the service provided by the entity concerned;

b) the dependence of other sectors referred to in Annex II on the service provided by that entity;

c) the impact that incidents could have, in terms of extent and duration, on economic and social activities or on public safety;

d) the market share of that entity;

e) the geographical spread of the area that could be affected by an incident;

f) the importance of the entity for maintaining a sufficient level of service, taking into account the availability of alternative means for the provision of this service.

What are industrial control systems

Industrial Control Systems (ICS) are the devices, systems, networks and controls used to automate industrial processes in almost every sector: oil and gas, power plants and power grids, highways, ports, airports and railway stations, which are precisely the critical infrastructures listed by the NIS Directive. ICS communicate with the SCADA systems that provide data for supervision and control in process management.

However, SCADA systems, although they are IT systems in every respect, suffer from intrinsic vulnerabilities because they were designed for simplicity, reliability and accessibility, not with a security-by-design approach.

SCADA systems were born in the 1950s as isolated systems, not connected to IP networks and therefore immune from cyber threats. When, in more recent times, they were connected to IP networks and the internet, the undeniable advantages in monitoring and control came with risks to their security and, given the operational contexts, often to human safety as well.

It is therefore from the 2000s, with the convergence of IT and OT (Operational Technology), that an interminable series of attacks on the latter began. It started with SQL Slammer in 2003, passed through BlackEnergy in Ukraine in 2015, came close to home in 2017 with the Maschio Gaspardo S.p.A. case, and reaches Luxottica S.p.A. and Carraro S.p.A. in these days.

The vulnerabilities of an industrial control system

As anticipated, ICS networks were born as isolated systems and were only later connected to the internet.

  • SCADA systems are often installed on PCs accessible by anyone working in the production departments.
  • The life cycle of industrial plants is significantly longer than that of any PC in the company, and SCADA systems are often installed on hardware that ages with the plant, perhaps running Windows XP (no longer supported by Microsoft from April 2014) or Windows Server 2003 (support ended July 2015).
  • Since ICS systems are often regarded as belonging to the production world, operating system updates and the related security patches are often neglected.
  • ICS networks, unlike other corporate networks, are often not protected by firewalls.
  • Antivirus and antimalware software is missing, perhaps because it is not compatible with the installed applications.
  • Often the network is open to the outside to allow third parties to carry out maintenance work or update the production software.
  • The responsibility for the design and management of ICS often does not lie with the manager of the company information systems, who is typically more sensitive to cybersecurity, but with the production manager, or is even delegated entirely to the supplier of the operating machines or plants.

The NIS Directive places the emphasis on these vulnerabilities, so that ICS systems are to be considered on a par with any other IT system with regard to security.

How much does an attack on an industrial control system cost?

Enrico Netti, in his article “Cybercrime, costs and defenses of a company under attack” in the Sole24 of 29 January 2018, estimates the damage to be faced by an average manufacturing company with 120 million in revenues, victim of a malware attack that completely blocks all activity.

First of all, it involves eliminating the attacker and then restoring the platforms and systems of the 4.0 plant, from the sensors of the machinery to the numerical control machines², to administration with customer and supplier accounting, ending with the research and development department. Here data theft becomes very dangerous because it could target patents and projects. With the entry into force of the GDPR³, companies that do not report data leaks are sanctioned with a fine that can reach 4% of turnover or 20 million. It is therefore mandatory to take out insurance policies to manage the risk associated with cybersecurity.

The company finds itself having to warn its customers and suppliers of the blocking of the activity and having to manage the crisis at a cost of thousands of euros per day.

Customers and suppliers can open the legal front of non-compliance disputes by making claims for damages that can range from a few tens of thousands of euros to more than hundreds of thousands.

Among entrepreneurs, sensitivity towards cyber security is often very low and all too rarely goes beyond the threshold of mere concern to become investment in countermeasures.

It is basically a small technological step, but a great cultural step.


¹ The Directive on the security of network and information systems of the Union (NIS, Directive (EU) 2016/1148) aims to achieve a high common level of network and information system security across the EU. Italy has transposed the NIS Directive into national law with Legislative Decree no. 65 of 18 May 2018, which entered into force on 26 June 2018. The Italian decree does not extend the scope of application, unlike other Member States, to sectors other than those envisaged by the Directive.

² CNC (Computer Numerical Control) machines represent the evolution of CN machines, because they allow direct numerical control from an external computer.

³ The General Data Protection Regulation, officially Regulation (EU) no. 2016/679, is a European Union regulation on the processing of personal data and privacy, adopted on 27 April 2016, published in the Official Journal of the European Union on 4 May 2016, entered into force on 24 May of the same year and operational from 25 May 2018. With this regulation, the European Commission aims to strengthen the protection of the personal data of citizens and residents of the European Union, both inside and outside the borders of the European Union (EU).
