The following post was written by the Executive Chairman of Awen Collective, Daniel Lewis.
On Thursday 31st March 2022, a large manufacturer of wind turbines, The Nordex Group, discovered a cyber security incident on their infrastructure. Conti, the hacking group, has since claimed responsibility for the incident, which indicates that this was a ransomware-based attack. Conti, who are a ransomware-as-a-service organisation, recently announced that they are in full support of Russia’s invasion of Ukraine (source: BleepingComputer & RenewablesNow).
On this occasion, due to The Nordex Group’s quick discovery and mitigation (shutting down their IT systems and disabling remote access to the turbines), it seems that the attack was limited to their internal system and was prevented from spreading further (see Nordex announcement on 2nd April 2022). A further announcement by Nordex (on 12th April) stated that they were continuing to investigate the incident, although it suggested that the incident was contained within their internal IT network.
Nordex, a worldwide organisation headquartered in Germany, is not the only wind turbine company to have been targeted recently. Vestas, an international business headquartered in Denmark, suffered a cyber attack in November 2021 (Vestas published 4 press releases about it: the original, 1st update, 2nd update, 3rd update), which involved the use of LockBit malware and the stealing and leaking of commercially confidential data.
If the incident was truly contained within the IT network at Nordex, and did not affect the Operational Technology (OT) network, then this shows either pure luck or the strength of being prepared and having good segregation of networks. We like to believe that it was a well-segregated OT architecture. Segregation is a key concept within industrial environments. By definition, segregating devices on a network based only on essential data flows helps to keep non-essential data (including malware, for example) from entering or exiting the network unnecessarily. This is why models such as the Purdue Model were created: to ensure that cyber risk is considered within a network structure and mitigated via layers of segregation. The first step in segregating, and in maintaining segregation, is to ensure that there is a full and up-to-date asset inventory and a full knowledge of cyber risk. We will, no doubt, explore segregation again in a future blog post, but it is safe to say that Awen is able to assist in the discovery of assets and cyber risk.
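To make the segregation idea concrete, here is an added example (not Awen's code, and not from the Nordex or Vestas reports) that checks observed network flows against an asset inventory tagged with Purdue levels and an allow-list of essential flows. Every host name, level and flow below is constructed sample data; the only rule it encodes is the Purdue principle that IT (level 4 and above) reaches OT only through the industrial DMZ (level 3.5).

```python
# Constructed asset inventory: asset name -> Purdue level.
INVENTORY = {
    "plc-01": 1,        # level 1: basic control
    "hmi-01": 2,        # level 2: supervisory control
    "historian": 3,     # level 3: site operations
    "dmz-relay": 3.5,   # level 3.5: industrial DMZ
    "erp-server": 4,    # level 4: business / IT network
    "vpn-gw": 4,        # level 4: remote-access gateway
}

# Constructed allow-list of essential flows (src, dst, dst_port).
# Anything not listed here is non-essential by definition.
ESSENTIAL_FLOWS = {
    ("hmi-01", "plc-01", 502),        # Modbus/TCP from HMI to PLC
    ("historian", "hmi-01", 102),     # historian polling the HMI
    ("dmz-relay", "historian", 443),  # DMZ relay pulls from historian
    ("erp-server", "dmz-relay", 443), # IT reads replicated data via the DMZ
}

def check_flow(src, dst, port):
    """Return a list of findings for one observed flow (empty list means OK)."""
    findings = []
    if src not in INVENTORY or dst not in INVENTORY:
        # An unknown asset is itself a finding: the inventory is incomplete.
        return [f"unknown asset in {src}->{dst}:{port}; inventory incomplete"]
    if (src, dst, port) not in ESSENTIAL_FLOWS:
        findings.append("non-essential flow")
    lo, hi = sorted((INVENTORY[src], INVENTORY[dst]))
    # IT (>= level 4) must only talk to OT via the DMZ (3.5): a flow that
    # touches level 4 and anything below 3.5 directly bypasses the DMZ.
    if hi >= 4 and lo < 3.5:
        findings.append("IT-to-OT flow bypasses DMZ")
    return findings

def audit(flows):
    """Return {flow: findings} for every observed flow that has a finding."""
    results = {}
    for flow in flows:
        findings = check_flow(*flow)
        if findings:
            results[flow] = findings
    return results

# Constructed sample of observed flows, as a firewall or flow collector might log them.
SAMPLE_FLOWS = [
    ("hmi-01", "plc-01", 502),
    ("erp-server", "dmz-relay", 443),
    ("vpn-gw", "plc-01", 502),         # remote access straight into level 1
    ("historian", "laptop-77", 445),   # asset missing from the inventory
]
```

Running `audit(SAMPLE_FLOWS)` flags only the last two flows, which is exactly the kind of gap an up-to-date inventory and a reviewed allow-list are meant to expose before an incident does.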
Operational Technology (OT), such as Industrial Automation Control Systems (IACS), is superior to Information Technology (IT) within industrial environments because it has been tailored for lean, efficient, continuous and long-lasting operations, often in hazardous engineering environments. IT and OT have different value and functionality. As such, OT devices do not have the same security features as IT devices, and so the approach to cyber security within OT needs to be different from that of IT.
At Awen Collective we understand the fine details of OT cyber security and the needs of industrial organisations. Our Dot software product is made to perform asset and cyber vulnerability discovery within OT environments, and is flexible for a variety of needs, including one-time risk assessments and ongoing asset/vulnerability monitoring. Our Profile software enables industrial organisations to improve their cyber security by assessing themselves against cyber security indicators of good practice, including those laid out in standards and frameworks such as the Cyber Assessment Framework (CAF) of the UK National Cyber Security Centre (NCSC). If Dot or Profile sound interesting to you, or you would simply like to discuss industrial cyber security with no obligation, then please do not hesitate to contact us today.