Jalal Bouhdada, founder and principal ICS security consultant, Applied Risk

The need for enhanced security in the industrial sector is becoming clearer than ever, with attacks against critical infrastructure undeniably on the rise. From Stuxnet, the world's first industrial infection, to the more recent BlackEnergy breach in Ukraine, attacks on high-value targets are no longer limited to state-sponsored threat actors. Within modern industries, we are witnessing an increasing demand for remote access services, interconnected devices and real-time data – a demand realised with the advent of the Industrial Internet of Things (IIoT). This technology, however, is often unsecure – exposing a chink in the armour of functions that were once secured effectively.

The reason behind this demand is a simple one – as industrial organisations adopt IIoT technology, they see a notable increase in quality, speed to market, cost-effectiveness and therefore profitability. Employees are able to work more effectively, benefiting from the insights provided by big data and better able to make informed decisions on how to optimise processes within their own environment.

The benefits created by IIoT instigate a race to the top, with those organisations not utilising this technology effectively priced out of their market and undercut by competitors. The issue is that many decision-makers within industry perceive security as an optional cost centre, rather than a business enabler, ensuring the smooth running of operations. While the interconnectivity of these devices is enabling them to operate more intelligently, from a security perspective, these same devices are now dumber than ever and wide open to critical infrastructure vulnerabilities.

IIoT technology – increasing threats; increasing vulnerability

With growing utilisation of networked technology in industrial environments, attacks are becoming more common as the financial rewards become increasingly apparent. Previously, the only threat actors with the resources to breach critical infrastructure or large-scale targets were those with state backing. Stuxnet, for example, was reportedly a collaboration between the USA and Israel[1]. As demonstrated in a recent attack on a power plant in Germany, however, state sponsorship is no longer the requisite it once was.

In this instance, malware was propagated exclusively through IT systems, halted only by a reliance on airgapping, the practice of ensuring networked devices are unable to connect to critical systems. The W32.Ramnit and Conficker malware files utilised were believed to have been distributed through infected USB sticks – a low-cost means of propagation, and one traditionally utilised by hackers with lower budgets.

The convergence of IT and operational technology (OT) is a major concern for industry, as threats traditionally faced solely by IT can now directly target OT systems, which have previously relied on airgapping to ensure separation. Cyber-crime-as-a-Service (CaaS) through the dark web, for example, is one of the more serious issues set to face industrial facilities in 2017. Due to the increased availability of DIY hacking kits, less skilled attackers can now target larger organisations for a greater level of profit. In short, through the combined advent of CaaS and a weakened security framework within industrial environments, the skill and resource barrier to targeting large-scale organisations has been greatly weakened.

Combating threats to critical infrastructure through increased resilience

The risks of unsecured systems within industry are clear. In its current form, the threat is solely to the organisation attacked, ranging from system downtime to potential explosions through process manipulation. When these same attacks are applied to critical infrastructure, however, the results can be far more severe, ranging from widespread blackouts to threats against the containment of water sources. To address this growing threat, a holistic security approach must be taken to address all areas of risk, looking not only to the entire supply chain process, but ensuring employee training properly reflects an increasingly networked infrastructure. Education will be a key aspect in ensuring security best practice is maintained and must become an essential day-to-day function for staff at all levels.

As the number of connected but unsecure devices rises, the threat landscape continually widens and cannot be faced by businesses without support. An example of this can be seen in Germany, whereby ISO 27000 recently passed into law. This requires a minimum standard of security within critical infrastructure, with fines of €100,000 (£86,000) facing organisations which are not compliant. Security frameworks must be implemented, with a variety of organisations offering structure and advice across industry for those wishing to utilise it. What will be key to ensuring this is adopted is an industry-wide push, highlighting the benefits of security and the risks of non-compliance.

A greater number of security issues are surfacing each day, attributed to both an increased number of vulnerable points within a network and the number of threat actors looking to take advantage of them. As the threat to critical infrastructure increases, it is important to drive a shift in perception of security from a cost to be absorbed, to a true business enabler. While productivity gains from the IIoT may be evident in the short-term, the practice of utilising unsecured devices is unsustainable in the long-term. In years to come, organisations that have maximised the opportunities presented by new manufacturing technology will be those that have gained competitive advantage through adhering to security frameworks, placing best practices at the core of device implementation.

Contributed by Jalal Bouhdada, founder and principal ICS security consultant, Applied Risk

[1] https://www.washingtonpost.com/world/national-security/stuxnet-was-work-of-us-and-israeli-experts-officials-say/2012/06/01/gJQAlnEy6U_story.html