Beyond being scary, inconvenient and expensive, ransomware attacks that have hit New Zealand to date – from Lion to Fisher & Paykel Appliances to the Reserve Bank to the Waikato DHB – have all had one thing in common.
The hackers have targeted an organisation’s IT systems, Dr Simon Lovatt said. That is, the computers that control the likes of ordering and management systems.
But Lovatt said it is only a matter of time before hackers infiltrate infrastructure and manufacturing systems with potentially dire consequences.
The startup Lovatt chairs, First Watch, has designed a cyber security system to protect vital infrastructure like electricity lines and waste water systems, plus major manufacturing facilities, from cyber attacks.
He said it could save those running critical infrastructure from paying millions in ransom to hackers – as Colonial Pipeline in the US just experienced in a May cyber-attack that led to a regional emergency declaration for 17 states and Washington, D.C. to keep fuel supply lines open – or people suffering days or weeks of disruption to the likes of power or wastewater as industrial control systems are reset and restored.
The industrial control systems used to run the likes of dams and gas lines often look like they’re from the set of a 1950s movie, but they work – and they’ve had the tremendous cyber-security benefit that they were developed in pre-internet times. They’re standalone, and offline. Or, they were.
In the age of cloud computing, infrastructure control systems are increasingly being connected to other systems like accounting and ERP, and through those, to the internet.
“It all makes great sense from an efficiency perspective,” Lovatt said. “But at the same time, it’s making things more vulnerable.” Many have already digitised and connected control systems to the internet. Within a couple of years, it will be common.
Already, control systems for hydroelectric power plants in the US and Norway have been compromised, along with those of multinational beef producer JBS until it paid a US$11m ransom.
First Watch was born out of research at Waikato University, and has been spun out of the varsity’s commercialisation arm, WaikatoLink (of which Lovatt is a director), with support from KiwiNet, which helps to commercialise research and development from universities and Crown Research Institutes.
WaikatoLink has a minority stake in First Watch, and most shares are held by the startup’s commercial partner, the Hamilton-based CTEK Combined Technologies – the largest locally owned installer of industrial control systems.
First Watch’s launch comes as companies are increasingly faced with paying millions of dollars in ransom to cyber attackers.
Pilots have recently been completed with a local wastewater utility and a major manufacturing industry player, and Lovatt said First Watch is now in discussions with various NZ water and energy companies, as well as other manufacturing companies.
Potential clients in Australia, the US and Southeast Asia are also in talks, Lovatt said, and the Government Communications Security Bureau (GCSB) has been monitoring developments and is in discussions with First Watch over its technology, too.
He does concede that First Watch is not the first to this party, however.
“There are quite a number of competitors,” the chairman said.
“They have two major strategies: protecting the periphery of a company and stopping the bad guys from getting in, or monitoring traffic to detect suspicious activity inside the network.
“But sufficiently persistent attackers will always get in eventually so protecting the periphery is no good, and monitoring network activity throws up lots of time-consuming false positives.”
First Watch’s system loads a generic piece of security hardware with its custom software.
“Our approach locks down the core of a control system, thereby making it essentially impossible for the system to do anything other than what it was originally intended to do.
“It also makes it more difficult for a legitimate user to make a change to the system. But our pilot customers think that that’s a worthwhile trade-off.”
He elaborates. “First Watch was designed to work at the core of an industrial control system creating a zero-trust environment, scanning for any data that should not be on the system and refusing to respond to it.
“It stops the system doing anything different than its day-to-day operations unless any new directions are fully and properly authenticated.”
The system was also designed to take a complete inventory of all assets on a network and identify any that have not been updated or pose a risk.
“That’s important because staff might connect to the system from a laptop at home and unknowingly introduce a virus,” Lovatt said.
Colonial Pipeline attack shows threat is real
Brett Callow, a threat analyst with Emsisoft, an NZ-based company that helps victims decrypt systems hit by ransomware, agrees that the threat to critical infrastructure is ominous and growing.
“As the Colonial Pipeline incident demonstrated, ransomware represents a very real risk to operational technology and industrial control systems,” he tells the Herald.
“Even if ICS is not specifically targeted in a particular attack, it may nonetheless be impacted. Organisations, especially critical infrastructure providers, should ensure that best practices are rigidly adhered to and that OT [operational technology] and IT are segmented.
“Organisations should also plan for the worst and ensure ICS can continue to be operated in the event of IT being compromised and unavailable,” Callow said.
The tech skills squeeze is an ongoing problem for all NZ tech companies, First Watch’s Lovatt said.
To help top up the funnel and get more people interested in the industry, Waikato University is staging the NZ Cyber Security challenge this weekend, with support from the NZ Police cybercrime unit and private security companies Endace, Insomnia and Security Lit.
Around 150 contestants will try to solve a series of puzzles – no deep cybersecurity knowledge required – with the winner taking away a $1000 prize.
Registration (now closed) was open to all-comers, from secondary school and varsity students to anyone interested in trying their hand as a cybersleuth.
By Chris Keall
Business writer, NZ Herald