Industrial control system (ICS) security needs urgent revamp, warns a set of three reports from industrial cyber-security specialists Dragos.
A total of 438 industrial control system (ICS) vulnerabilities were identified by Dragos in 2019, according to its annual 'year in review' reports. More than 25 percent of advisories had no patch available at the time of disclosure, while 30 percent published incorrect data that prevented accurate patch management prioritisation.
Last year, three new threat groups specifically targeting ICS entities on a global basis joined the list of eight groups that were identified earlier. With escalating geopolitical tensions, the chances of regular offensive cyber-operations against ICS increase and put both critical infrastructure and human life at a higher risk than before, according to the reports.
The fact that 100 percent of organisations had routable network connections into their operational environments, and that 76 percent were unable to detect Red Team activity by Dragos, aggravates the possibility of a crisis.
"The trend of threat proliferation continues as activity groups start targeting new verticals and geographies not observed in previous victimology," Selena Larson, an intel analyst at Dragos, told SC Media UK.
"Dragos observed a number of ransomware and commodity malware infections impacting ICS, some of which were able to disrupt operations by crossing the IT/OT boundary. We anticipate activity groups to continue leveraging known vulnerabilities in software and services soon after they are made public to obtain initial access. The IT/OT convergence is causing an expanded attack surface, and adversaries are adapting their methods to bridge that gap and disrupt OT operations."
Many industrial control systems are not nearly as isolated or defended as we would like, agreed Jason Larsen, industrial control systems principal at IOActive.
"Once an attacker gains a foothold on a control network, they are still faced with the challenges of actually controlling the network. Ransomware and denial-of-service are one way that hackers not skilled in industrial networks can monetize the access," he said.
While ICS will generally invoke a safe shutdown during a crash, with no safety issues for the public, the problem remains that knowledge of industrial controls is becoming more common in the attacker community, noted Larsen.
"This has led to more aggressive attacks involving the attacker issuing commands to the factory equipment becoming feasible. It shows that even as the defenders of industrial control systems improve, the attackers are becoming more effective," Larsen concluded.
It is difficult to predict how these ICS attacks will evolve, admits professor Kevin Curran, senior IEEE member and professor of cyber-security at Ulster University.
"The clever ones in the future will exhibit behaviour we simply had not predicted. One thing we can say is that they will most likely continue to phone home as all these sophisticated malware systems tend to encrypt their calls out to secret servers where they upload their data," he said.
Of course, they also disguise the IP addresses of the master and command servers very well with sophisticated algorithms. "So by peeking into the code, it's not obvious where they send that data to."
This is something that was touched upon in conversation with Lavi Lazarovitz, security research group manager at CyberArk. "It’s time to dispel the myth that separating IT networks from operational technology automatically equals security," he told SC Media UK.
One of the key contributors to ICS vulnerabilities is the increasing need for these systems and their data to be accessible and to integrate with numerous IT technologies, as well as with third-party vendors' operating software and commercial-off-the-shelf products, Lazarovitz pointed out.
However, the biggest threat facing ICS in the coming years is the age of nation-state cyber-warfare, warned Richard Cassidy, senior director of security strategy at Exabeam.
"We're already seeing emerging APT groups putting a renewed focus on ICS. So this should be an urgent priority for the industry," he told SC Media UK.
Pascal Geenens, security evangelist at Radware, agreed that the primary threat to ICS is nation-state attacks, especially with respect to critical infrastructure.
"Typically, these are longer-running campaigns involving a fair amount of planning, research, and budget to prepare a surgical strike that causes a fair amount of damage to the competing nation," Geenens said.
While the chance of an industrial process being targeted directly exists, the most pressing risk at the moment is IT-based ransomware (ransomware that initially hits employees' laptops, for example) that bleeds into the OT space (such as the factory floor) and causes operational disruption, noted Andrew Tsonchev, director of technology at Darktrace.
"This makes sense when you consider that every minute counts for modern manufacturing powerhouses, meaning threats causing even temporary outages pose a great risk," Tsonchev said.
So what should organisations be doing to best mitigate the risk to ICS?
"It is important for industrial and manufacturing organisations to take a one enterprise approach to security and risk management, whereas many organisations still operate in silos," Mo Cashman, principal engineer at McAfee, told SC Media UK.
This leads to a situation where the CISO may be responsible for IT only, and not charged with securing OT environments. "Recent attacks demonstrate that threats to industrial control systems enter from multiple routes, so this needs to change," said Cashman.
Elisa Costante, senior director for industrial and OT technology innovation at ForeScout, advises that adding enhanced security such as automated network monitoring solutions can give organisations a thorough understanding of the ICS ecosystem and its technology.
"This makes it easier to identify attack vectors, locate blind spots and design effective security architectures such as segmented networks," said Costante.
Employee training in cyber-security is essential, particularly in the wake of ransomware entering the systems through phishing mails, said James McQuiggan, security awareness advocate at KnowBe4.
Azeem Aleem, vice president - cyber-security consulting at NTT Ltd, told SC Media UK that mitigation techniques shouldn’t just focus on the perimeter, which means deploying more and more new technologies. Instead, they need to follow an intelligence-driven security framework or phased approach.
"Requirement analysis means developing a responsibility assignment matrix (RACI model) around domains (including people) to develop a layer of accountability and consultation," Aleem said. Intelligence collection and storage and incident response are also vital cogs in the defensive machinery, he added.
"These processes are only small steps towards the development of a comprehensive proactive mitigation process for an ICS environment. Organisations need to avoid working in silos or creating a ‘not in my backyard’ mentality so that a holistic process can be developed."