Tel: 08610 99473

Complete the below and we’ll call you back!

Article

Preventing industrial cyber attacks with ISO 27001

Shopping for a standard

In a technologically advanced society where smart phones and computers are a commonplace and instant internet access is readily available in almost every household, consumers must be ultra vigilant when it comes to their online safety. Moreover, organisations must take the necessary steps to ensure the safety of operations. While private individuals are also vulnerable to cyber attacks, large organisations are often the main targets. 

What is a cyber attack?

By definition, a cyber attack is the use of malicious code to alter computer code or data. It is the deliberate exploitation of computer systems, technology-dependent enterprises and networks. Previously, the IT industry was the main target for cyber criminals but with the integration of technology in more businesses, all industries are at risk. 

Types of cyber threats

Cyber attacks are usually initiated for one of three reasons: financial gain, disruption of operations, or espionage. While cyber criminals are becoming more creative with their techniques, these are the 6 most common cyber threats:

  1. Malware: software designed to cause damage to a computer or server.
  2. Phishing: a method of trying to collect sensitive information using deceptive e-mails and websites.
  3. Trojans: a type of malware that is often disguised as legitimate software used by cyber-thieves and hackers to gain access to a user or organisation’s system.
  4. Ransomware: a type of malware that prevents users from accessing their system or personal files and demands payment from the user in order to regain access again.
  5. Attacks on IoT Device: IoT stands for Internet of things. IoT devices like industrial sensors are vulnerable to multiple types of cyber threats such as hackers taking over the device to make it part of a Distributed Denial of Service (DDoS) attack or unauthorized access to data being collected by the device.
  6. Data Breaches: the theft of information from a system without the system owner’s knowledge or consent.

How it impacts an organisation

A successful cyber attack can inflict serious damage on an organisation. The overall impact of such an attack can be financial, reputational and in some cases, legal. 

Financial

A company can suffer a significant financial loss as a result of the theft of financial information (banking details) or corporate data, a disruption to trading or the loss of contracts. Additionally, repairing the damage done by such a breach will incur further costs. According to Business Insider, the average cost of a data breach in South Africa was R36.5 million in 2018. It also goes on to say that more than 21,000 records were breached in the same year. 

Reputational

Trust is the foundation of a successful customer relationship but a cyber attack on an organisation can critically damage this relationship. Consequently, this can lead to a loss of sales, clients, and a reduction in profits. This reputational damage can often extend beyond the organisation to its suppliers, partners, and investors. 

Industrial Control Systems and Cyber attacks

An Industrial Control System (ICS) can be defined as “the integration of hardware and software with network connectivity in order to support critical infrastructure.” Simply, ICS describes different types of control systems and instrumentation such as the devices, systems and networks used to control and automate industrial processes. ICS is present in nearly all industrial sectors including the manufacturing, transportation, water treatment and energy industries. 

The types of Industrial Control Systems include, among others, Supervisory Control and Data Acquisition (SCADA) systems, and Distributed Control Systems (DCS). 

SCADA systems are not designed to provide full operational control, it’s focus is on providing control at a supervisory level. These systems can collect and transmit data and are integrated with a Human Machine Interface (HMI) that provides monitoring and control for numerous process inputs and outputs. 

Instead of workers travelling long distances to perform tasks or gather data, the purpose of the SCADA system is to provide long distance monitoring and control of field sites through a centralised control system. These systems are mainly used in industries involving pipeline monitoring and control, water treatment centres and distribution, and electrical power transmission and distribution. 

Distributed Control Systems (DCS) are used to control production systems that are found in one location. Furthermore, it is a system of sensors, controllers, and linked computers that are distributed throughout a plant. Each of these serves a unique purpose such as data collection, process control, and data storage and graphical display. These individual elements communicate with a centralised computer through the plant’s local area network – often referred to as a control network. 

All these systems are vulnerable to cyber attacks. 

As the amount of cyber attacks increase, more and more organisations are becoming aware of the threat and the steps they must take to protect themselves. Some of the biggest cyber crime targets are:

  • The healthcare industry
  • The manufacturing industry
  • The financial sector
  • Government agencies and
  • The education sector

How ISO 27001 can help

ISO 27001 is the international standard that outlines how an organisation can manage its information security. It can be implemented in any organisation regardless of its size or industry. 

The goal of ISO 27001 is to protect an organisation’s confidentiality, integrity, and information. This is achieved by performing a risk assessment to find any potential risks then outlining the steps needed to prevent such risks. The controls that are to be implemented are generally in the form of policies, procedures and technical implementation (e.g., software and equipment). ISO 27001 sets the organisational rules (i.e., writing documents) that are needed in order to prevent security breaches. 

By becoming ISO 27001 compliant, organisations will enjoy an advantage over its non-compliant competitors, lower costs and an overall smooth-running organisation. 

How Wwise can help

WWISE offers a range of expert services to help organisations develop and implement ISO-compliant management systems, including ISO 27001 ISMS. Our services are extensive and include integration of the ISO 27001 ISMS with the organisation’s existing ISO-compliant management systems, training, development of awareness programmes, guidance regarding every step of development and implementation, preparation for certification, internal and external audits, GAP analysis, and maintenance programmes to ensure ongoing compliance and improvement of the organisation’s ISMS.

If you would like to have your business ISO 27001 certified, send us an email admin@wwise.co.za or call us on 08610 99473. For more information on ISO 27001, visit our website.