Have you ever been a victim of social engineering? When you were controlled by some external force but didn’t realize until it was too late?
This blog post contains a few tips on how not to become a puppet of cybercriminals by falling victim to social engineering. It also describes what you can do to protect yourself…
Social engineering
Has a third person ever taken control of your actions and decisions? If so, you’re in good company! Immense damage can be caused in this way, whether by opening interesting-sounding emails or disclosing information over the phone. After the damage was done, you no doubt regretted following that intriguing headline or providing that nice person at the other end of the line with extra facts. Were you really sure at the time that you were doing just the right thing? Maybe you should have inquired once more after all about the reason or asked to see their ID…
Here we’d like to show you how best to react to such emails or phone calls in the future, so that you never end up becoming a hacker’s puppet.
The German Federal Office for Information Security (BSI) recently published a recommendation on “Industrial Control Systems (ICS) Security” entitled Top 10 Threats and Countermeasures 2016 (in German).
Number 1
In the context of its analyses the BSI compiled a list of the “current threats with the highest criticality” faced by ICS at the present time. One of these threats – and number 1 in the ranking for 2016 – is “social engineering and phishing”.
As a supplier of industrial security solutions, Yokogawa also keeps a close watch on the BSI’s recommendations. They are particularly relevant for the automation landscape, which presents enormous challenges in terms of IT security.
Controlled by a puppeteer
Yet before we discuss in detail how this relates to automation, we should establish once and for all exactly what is meant by social engineering and phishing. We will then be better placed to grasp the consequences of these growing threats. If we take a look on the Internet, the following is just one of the many definitions we find:
“Social engineering is a way that cybercriminals use human-to-human interaction in order to get the user to divulge sensitive information. Since social engineering is based on human nature and emotional reactions, there are many ways that attackers can try to trick you – online and offline.” (Source: Norton, in German)
One such method is phishing:
Phishing is “the oldest trick in the cyber-book, but still one of the most successful.” (Source: Norton, in German)
Phishing can be defined as an attempt to obtain sensitive personal information such as passwords or credit card details, typically by means of email spoofing or fake websites.
As you read this post, you are probably thinking to yourself that you would never ever fall for a trick like that. Yet can you really be that certain?
We at Yokogawa firmly believe it’s the kind of thing that could happen to anyone. No matter how secure your firewall or how sophisticated your security concept, they won’t help you one little bit if the weakest link in the chain is still the human being: your employee or colleague who operates the machine.
Creating awareness
However, it’s precisely because such thoughts tend to be dismissed with a weary shake of the head, and because people are initially more concerned with “tangible security” (such as USB padlocks or firewalls), that Yokogawa sees social engineering as a crucial pillar of automation security (in German).
The great importance and urgency which Yokogawa attaches to automation security are reflected not only in the security assessment and action plan, but also in our security seminars, part of which is explicitly devoted to this subject. Seminar participants are provided with useful tips to help raise their awareness of security issues, and hopefully also their ability to anticipate the tricks of cybercriminals before it’s too late. Are these seminars of interest to you? If so, click here (in German).
Is human error avoidable?
We at Yokogawa consider this issue too fundamental to ignore. In the end, it’s human beings and their intuition which determine whether or not a system is secure. Targeted training at regular intervals helps “refresh” people’s awareness and prevents them from becoming a puppet of cybercriminals in critical situations.
It is important and necessary to draw attention to the methods and tactics associated with social engineering, and specifically phishing. However, it is equally essential to ensure that any threats to your plant can be brought completely under control. In my next blog post you can learn what Yokogawa thinks about threats due to the “infiltration of malware via removable media and external hardware” (BSI) – and what we are doing to combat them.
See you then…