European companies are increasingly being attacked by hackers, state actors, and hacktivists. The Netherlands experiences an average of three major ransomware incidents per week, in addition to daily attacks from Russia and China. Investigative journalist Huib Modderkolk warns that many companies underestimate the dangers.

At the Industrial Cyber Security event on October 8 in Den Bosch, Modderkolk speaks on the impact of geopolitical tensions on our digital security. Are we as an industry truly well protected if we are "compliant," or is it just a false sense of security?

How real is the threat of sabotage or espionage in industrial networks?

Since the invasion of Ukraine in 2022, we've seen Russian groups exhibit escalating behavior. The focus is shifting from espionage in IT systems to targeted attacks on industrial networks (OT). You only do that if you want to destroy something. The digitalization of our society yields many benefits, but at the same time, it makes us vulnerable. In my presentation, I discuss the fallacies companies make when dealing with modern technology. And the dangers that lie within them.

Can you give an example of a dangerous fallacy?

Many companies think they are not an interesting target. They do not realize that most hacks can happen accidentally, for example, because login credentials have been stolen or a door is left open somewhere in the network. Hackers are opportunists. They go for the easiest route. Where can I get in, and which organization or company will this lead to? So you're not a target by default, but you can become a victim.

Why is it so difficult for companies to defend themselves?

The playing field is uneven. A hacker only needs one small vulnerability in the software or hardware to gain access. As a company, you must constantly keep your affairs in order.

Hackers are targeting the supply chain. Take chip machine manufacturer ASML. This company collaborates with thousands of suppliers. If a small startup doesn't have its security in order, an attacker can still gain access to ASML through that back door.

But it's not just the 'small guys' who are making mistakes. In 2021, industrial group VDL Groep, one of ASML's largest suppliers, was shut down for a month by ransomware. Taking down an entire network is only possible if your primary security processes aren't in place. So even a large, serious company like VDL has made mistakes somewhere.

What numbers are we talking about?

The Netherlands averages three major ransomware cases per week, which equates to 150 incidents per year. In reality, there are probably more. The problem is that people at the top of an organization, the board of directors, find it difficult to prioritize good security. Security professionals ask for budget and investment, but receive too little. Only after an incident does everyone wake up and the money taps suddenly open. But by then, the blow has already been dealt, and sensitive data is gone.

Are managers naive?  

Executives sometimes think too easily ("It won't be that bad") or their focus is misplaced. A notorious example is corporate acquisitions. The parent company wants to be operational as quickly as possible because that generates revenue. Existing IT networks are then connected without knowing whether they are compatible and secure. With all the consequences that entails.

In your book 'It's War, But No One Sees It' from 2019, you warned about digital threats. What has changed since then?

Russia is braver than six years ago and believes it's at war with the West. Hacktivists are actively involved in this shadow war. Russian intelligence agencies are deliberately seeking out places to sabotage, both physically and digitally. They're recruiting criminals and frustrated individuals through social media to get homemade bomb packages onto airplanes. The intention is to cause chaos, and the Russians don't care whether that happens physically or digitally. They have a wide range of options and will choose the easiest route.

Recently, Russian hackers attempted to open a lock at a major port in a NATO country. This failed, but it does demonstrate their intentions. In Norway, Russian hackers took over a lock.

China focuses primarily on industrial espionage. Their digital intrusions are becoming increasingly sophisticated and difficult to trace. NXP, a manufacturer of NFC chips, was hacked for years by Chinese actors seeking technological expertise. This only recently became public knowledge.

How do cybercriminals get in?

“The first step is often much simpler than people think. Login details are scattered all over the internet. If you search the dark web for 'NXP employee', you can probably already get login data.”

What measures can the industry take to protect itself?

First, critically examine how your company's digital ecosystem is structured and where the vulnerabilities lie. The General Data Protection Regulation (GDPR) requires organizations to implement data minimization, but in practice, you see the opposite. Companies collect as much customer data as possible and then carelessly pass it on to third parties. At some point, nobody has the overview anymore.

My advice: stop it. Discard unnecessary data and improve basic hygiene. Implement multi-factor authentication as standard and only allow administrators to install software. At a deeper level, I advise critically examining what you're digitizing. Sometimes analog is preferable. Critical flood defenses, for example, are completely disconnected from the internet because people know that any online connection is potentially hackable. On average, a large company has around 800 web servers. That's 800 potential entry points for hackers. It's impossible to close all those 100%, but you can try to close as many doors as possible or at least limit the risk of damage through proper monitoring and network organization.

What is your main message to companies?

Security isn't a compliance exercise. It's a continuous process of analyzing risks and taking measures. Ask yourself: what can I absolutely not afford to fail? Companies that honestly consider this have their security best in order.

About the speaker

Investigative journalist Huib Modderkolk rose to fame in 2019 with his book "It's War, But No One Sees It," in which he describes the invisible world of cybercrime. In his follow-up, "You Really Don't Want to Know This," Modderkolk himself is the target of an intelligence operation, and a story unfolds that reads like a spy novel. The updated version will be released on October 7, 2025, one day before the Cyber Security event where Modderkolk will be the keynote speaker. Attendees of the lecture will receive a free copy.

FHI, federatie van technologiebranches