Author: Sapien

Cybersecurity principles for industrial environments

Industrial Control Systems (ICS) have traditionally been isolated from a company’s Information Technology (IT) infrastructure.

This inherent isolation effectively created an ‘air gap’ between the ICS and IT environments. Such a basic defence posture is no longer effective, because ICS devices are increasingly integrated into the IT network.

Organisations rolling out extensive digitisation programs that use IT network technologies to enhance productivity, reduce costs and increase safety are now at risk of cyber-attack.

This integration of technologies now makes securing industrial control networks a major priority for organisations and governments, as vulnerabilities within this new technology are rapidly being identified and exploited.

There are several high-level principles that should be implemented to build multiple layers of security, which are critical to protecting assets:

Ensure the design of the system and its processes allows suitable security measures to be implemented. Because most system upgrades and installations are intended primarily to maximise profit and increase efficiency, security considerations can be hard to quantify and are sometimes missed or left out of a design. It is therefore vital that cyber security is considered from concept through design, construction and implementation.

Industrial Control Systems must allow for continual security assessment and updating. Many legacy systems will become vulnerable to cyber-attack within their service lifetimes and need the ability to be updated with the latest security features when required.

Best Practice

Effective security measures can be simply achieved by educating the workforce and enforcing best practices throughout the organisation. The systems and actions used by personnel and technology must be constantly adjusted and refined to ensure protective measures are maintained against emerging threats.

Cyber-Risk Assessment

For many organisations, risk assessment is integral to the security and growth of the company. However, companies often lack the human and technological resources to perform adequate cyber-risk evaluations. Risks associated with an organisation’s assets, technology or information should be continually reviewed and assessed against the current threat climate. This allows security measures to be implemented that protect against the most recent aggressive cyber incidents.

By providing visibility of security information throughout an organisation, incident response teams can minimise the time taken to remediate an attack.

By communicating effectively, an organisation can minimise financial losses, physical damage and human safety impacts.

Limit Connectivity

Identify, secure and minimise all network connections to any industrial control system, and clearly understand the risks associated with systems that require connectivity.

Sapien’s technology can be deployed at any stage of a facility’s life cycle. It provides security monitoring in real time and delivers cyber defence based on thorough risk assessments of vulnerabilities and threats. Sapien develops its platform based on current threat intelligence, giving users greater visibility in order to build network resilience.

A look at the Triton attack

In December 2017, the world found out about a sophisticated attack on the control systems of an LNG plant, known as ‘TRITON’.

The attack caused the entire operation to shut down and is one of the many examples in recent years of malicious software designed specifically to target industrial equipment.

In the decade since the infamous Stuxnet malware destroyed many centrifuges at an Iranian uranium plant, numerous attacks against critical infrastructure sectors have been discovered with the intent to cause damage and destruction.

This relatively new malware variant targeted Triconex Safety Instrumented System (SIS) controllers. These SIS controllers, made by Schneider Electric, operate at over 11,000 sites around the world and are responsible for automated emergency shutdown functions in situations that may threaten the safety and lives of plant personnel.

It is concerning that the Triton malware payload was deployed long after the attackers had gained in-depth access to the plant’s network, with reports saying they had been sitting on the network for up to 9 months before the SIS controllers were reprogrammed. Given that this attack was ultimately deemed unsuccessful because of a single coding error by the attackers, it raises concerns about how much damage could be caused when an attack is successful.

Furthermore, Security Week reports that Triton malware is still active today and that the group behind its creation has expanded its scope, now reaching far outside the Middle East for its next target.

So how did the attack succeed and what can be done to stop it from happening again?

After the Triton attack was published, Schneider discovered a zero-day vulnerability in its Triconex SIS which enabled the cyber criminals to gain access to, and change, the programming of the SIS controllers. FireEye reports they found a Remote Access Trojan (RAT) in the Triton malware which they believe to be the first RAT ever known to have infected SIS equipment.

In addition, it appears that remote access to and remote control of the SIS devices was achieved because the physical key on the controllers was left in the ‘program’ state, thereby allowing the remote programming of the main controller and the subsequent reprogramming of the SIS controllers that caused such damage.
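A defender-side check that the point above motivates, added here as an example and not part of the original article or of Sapien’s platform: it assumes a telemetry feed of controller keyswitch changes (the event fields are hypothetical) and a register of approved maintenance windows, and flags any controller that entered PROGRAM mode without an approved window or stayed in PROGRAM after its window closed.

```python
"""Flag safety controllers left in PROGRAM mode outside an approved maintenance window.
Added example on constructed data; event fields and the telemetry feed are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
ts = datetime.fromisoformat  # shorthand for building sample timestamps

@dataclass(frozen=True)
class KeyswitchEvent:
    when: datetime
    controller: str
    mode: str  # "RUN", "PROGRAM" or "STOP"

@dataclass(frozen=True)
class MaintenanceWindow:
    controller: str
    start: datetime
    end: datetime

def find_program_mode_violations(events, windows, now, grace=timedelta(minutes=30)):
    """One alert per controller whose newest event up to `now` is PROGRAM and that either
    entered PROGRAM with no approved window or outstayed its window by more than `grace`."""
    latest = {}  # the newest event per controller decides its current mode
    for ev in sorted((e for e in events if e.when <= now), key=lambda e: e.when):
        latest[ev.controller] = ev
    alerts = []
    for ctrl in sorted(latest):
        ev = latest[ctrl]
        if ev.mode != "PROGRAM":
            continue
        covering = [w for w in windows if w.controller == ctrl and w.start <= ev.when <= w.end]
        if not covering:
            alerts.append(f"{ctrl}: in PROGRAM since {ev.when:%Y-%m-%d %H:%M}, no approved maintenance window")
            continue
        closed = max(w.end for w in covering)
        if now > closed + grace:
            alerts.append(f"{ctrl}: still in PROGRAM {now - closed} after its maintenance window closed")
    return alerts

# Constructed sample telemetry (not from the page). SIS-02 was never switched back to RUN.
SAMPLE_EVENTS = [
    KeyswitchEvent(ts("2017-06-01T08:00"), "SIS-01", "PROGRAM"),
    KeyswitchEvent(ts("2017-06-01T11:30"), "SIS-01", "RUN"),
    KeyswitchEvent(ts("2017-06-01T08:05"), "SIS-02", "PROGRAM"),
    KeyswitchEvent(ts("2017-06-03T02:14"), "SIS-03", "PROGRAM"),  # no window at all
]
SAMPLE_WINDOWS = [
    MaintenanceWindow("SIS-01", ts("2017-06-01T07:00"), ts("2017-06-01T12:00")),
    MaintenanceWindow("SIS-02", ts("2017-06-01T07:00"), ts("2017-06-01T12:00")),
]
```

Run against the sample data at 2017-06-03 09:00 it reports SIS-02 and SIS-03 and clears SIS-01, which was returned to RUN inside its window.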

In an Operational Technology (OT) network, the availability of systems, especially those relating to safety, is typically a top priority, taking precedence over protection of confidentiality and integrity. The problem for many industries operating large plants is the growing complexity of their networks and the lack of network-wide visibility across all of their systems.

Many understand a problem exists but simply don’t know where to start in creating risk management procedures, building network resilience and maintaining a secure network.

What is clear is that as attacks become more frequent, the likelihood of a catastrophic outcome increases also. Organisations need to take action now to ensure lives are not lost and they are not tomorrow’s headline.

Sapien offers a sophisticated solution to address the complexity found within commercial, industrial and government-owned assets. Read more on how our ‘system of systems’ design offers clients unprecedented visibility across their enterprise network and a complete solution for identifying threats, preparing for new attacks, and shielding their systems from advanced cyber criminals.

The strategic value of Australian Universities to cyber criminals and nation state actors

The cybersecurity practices of Australian universities are in the spotlight after the recent significant breach of Australian National University’s (ANU) IT systems.

The FBI has published that up to 26 Australian universities were targeted in a sustained hacking campaign between 2013 and 2017, believed to have been funded by the Iranian government.

Such attacks are proof of the value placed by cyber criminals and other nation states on intellectual property, business data, social data, and private information held by Australian universities. Key examples include the personal information and financial records of students and the valuable intellectual property being generated every day. The value of this information will continue to increase as today’s students become tomorrow’s leaders, politicians or employees of government, business and security bodies.

Underpinning a university’s role as a supplier of education is a complex network of systems, critical to the operation of facilities and the continued provision of services to its student cohort (on-campus and online).

Adding to universities’ growing attack surface is the growing complexity of their networks, which now often stretch across multiple campuses, both nationally and internationally.

With this increasing complexity comes a reduced capacity to achieve and maintain network-wide visibility, detect a network compromise and respond in a timely manner. To make matters worse, institutions are often operating with limited human and technological resources allocated to cyber defence.

Universities must also contend with a multitude of vulnerabilities inherent with the provision of teaching and research services to their students and staff. Students and staff bring their own laptops and mobile devices onto campus and remote network access is a necessity for individuals from across the globe.

Each device, every connection, is a vulnerability that can be exploited to gain access to critical systems and information elsewhere on the network.

The risk profile of a university is unlike that of a public company, which has the resources to ensure the latest patches and anti-malware are installed on devices accessing its network. Universities operate under different rules and simply don’t have the authority to control the applications or devices that connect to their networks from student and staff devices.

For the university sector both nationally and internationally, it is clear the exposure to cyber risk needs to be carefully managed to protect the safety and productivity of university operations, whilst also facilitating confidence in future projects and efforts to expand a university’s digital commitment.

If you want to learn about the Sapien solution, which provides both enterprise-wide network visibility and advanced threat detection and is already helping an Australian university to protect its network, read more here.

Threats to our critical assets are real: just how vulnerable are we and what should we be doing?

In 2016, a water treatment plant in the US was the victim of a sophisticated and methodical attack, where cyber criminals remotely took control over the treatment process and threatened to poison households.

In 2017, the Triton malware attack caused a complete shutdown of an LNG plant in the Middle East. In Australia, recent reports have highlighted just how vulnerable systems that provide water to homes in Queensland are. The Australian Energy Market Operator (AEMO) is now delivering additional cyber security controls to protect the nation’s electricity infrastructure.

Ernst & Young has listed cyber-attacks as the single largest threat to the world’s power and electricity companies and Siemens has reinforced this statement by saying that 30% of all cyber-attacks globally now specifically target Operational Technology (OT) systems.

These serious threats to critical infrastructure garner a lot of attention, but just how vulnerable is our day-to-day lifestyle? Are we even at risk of physical harm?

What many people do not realise is that the majority of the control systems operating critical infrastructure, not only here in Australia but also globally, were designed and installed in a time when the word ‘security’ meant locking a door or padlocking a gate. This ‘physical security’ prevented unauthorised access to operating systems and safety controls. Now, with the advent of greater communications technology, these systems are being connected to the ever growing ‘internet of things’. These changes help deliver increased productivity and safety to an industrial environment. However, security must adapt in tandem to address implications associated with being an online and remotely accessible system.

Australia’s geographic remoteness is no longer an advantage in terms of security, as the interconnection of devices means that our critical assets are only 32 milliseconds from any computer, anywhere on the planet.

Compounding the vulnerability of these anachronistic critical systems, the attack surface for these assets is growing rapidly. The list of attackers is diverse, and cyber attacks are no longer just the hobby of ‘script kiddies’. Industrial cyber attacks are now a business for criminal syndicates and a new frontier of espionage and disruption for nation states.

The attack methods themselves are also becoming more advanced as new malware is being designed specifically to target the OT systems responsible for the water to our taps, the gas to our hotplates and the electricity to our lights. Criminal and nation state threats have greater understanding of industrial network protocols, redundancy systems and operational procedures than ever before, nullifying the protection we once called ‘security by obscurity’.

This problem will not go away and it can no longer be ignored by organisations and government departments who operate our critical assets.

Perhaps the best course of action is a proactive one, best summed up by former Australian Prime Minister Malcolm Turnbull, who at the recent launch of the Australian Cyber Security Centre said:

“We must not and will not wait for a catastrophic cyber incident before we act to prevent future attacks.”

Sapien Cyber is here to help. Read more about our sophisticated solution developed here in Australia.