Jalal Bouhdada, founder and principal ICS security consultant, Applied Risk

The security landscape is changing on a daily basis. Where hackers were once limited to targeting individual devices, the advent of the internet saw the practice of hacking en masse take off.

In the data age and with the introduction of Industry 4.0, the targets available have increased almost exponentially. Today, with convergence between IT and operational technology (OT) in industrial environments, these forms of malicious attacks can reach an even wider range of targets – to devastating effect. As governments across the world increasingly stockpile vulnerabilities without practicing responsible disclosure, attacks exploiting these are liable to be stolen by lower-skilled hackers and used for financial gain – as demonstrated by the recent WannaCrypt attack.

The attack combined two previously disparate attack profiles: the speed and daring of a criminal hacker and the capabilities of a nation state. Brad Smith, president and chief legal officer at Microsoft, stated that governments should “consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits”[1] prior to calling for a new “Digital Geneva Convention”.

Indeed, WannaCrypt successfully disrupted a significant portion of the NHS within the UK. Smith further commented that “this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cyber-security threats in the world today – nation-state action and organised criminal action.” While the implications for IT infrastructure have already been made clear, the threat to industrial environments needs greater consideration. 

IT and OT convergence: increasing risk 

The convergence between IT and OT represents a new, heightened level of risk across the globe. The attack vector utilised by ransomware attacks is often dependent on the human factor. This is understandable, given 62 percent of breaches are currently attributed to human error. 

Once inside a network, the malware can often propagate freely through patched and unpatched machines alike. The primary attack vector for WannaCrypt is currently believed to be phishing emails[2], reinforcing the perception of employees as a favoured entry point into restricted systems. 

The recent high-profile ransomware attack cements IT infrastructure as the most effective entry point for lower-skilled hackers. As the interconnectivity between IT and OT increases, vulnerabilities now affect a wider range of industrial technologies. Attacks that once would have been unable to affect industrial control systems (ICS) technology, due to inherent differences in structure for example, now have the opportunity to do so using IT as a bridge.

In short, not only are the barriers against successful attacks being broken down, but hackers are now gaining access to stockpiled attacks which can, and demonstrably will, cause significant disruption to critical infrastructure. 

The weaponisation of ransomware attacks against infrastructure does not only affect the intended target, however. As noted with various affected hospitals in the UK, demand for services does not simply cease. The hack resulted in a “major incident”, representing “a serious threat to the health of the community [or] disruption to the NHS”[3], resulting in patient displacement and strained capacity. 

Our own research uncovered vulnerabilities within ICS field devices which could be successfully leveraged with ransomware. Should this form of attack be successfully applied to facilities such as power plants, potential consequences could include unplanned downtime, tripping of systems, and increased strain on non-infected counterparts. 

Skills and budget shortage – hampering industrial security efforts 

When new attack methods are combined with the increasing vulnerability of ICS technology, organisations must adjust their strategies to meet these threats head on. With lower-skilled hackers now able to access vulnerabilities that can bring critical infrastructure to a halt, the need for security around ICS technology has never been higher. Unfortunately, this increased risk profile has not been met with a greater number of security staff, or indeed the budget, to combat it. In fact, almost 50 percent[4] of businesses now report a “problematic shortage” of cyber-security skills. 

The risk posed by the inability to address these issues is exacerbated by a lack of education and training for general staff, vendors and contractors around the threats they will face. In many cases, security patches to mitigate risk are available – security specialists simply do not have the resources to implement them. As such, a shift in mentality is required, with greater levels of responsibility for cyber-security built in across the entire business landscape. All employees must now be responsible for ensuring comprehensive security to mitigate threats against systems. Security specialists cannot invest time in “firefighting” and need the opportunity to focus on proactive threat mitigation, ensuring patches are rapidly rolled out. 

In meeting the threat posed to industry by hackers with nation-state capabilities, a shift in business priorities is essential. Staff across businesses interacting with operational environments now require practical education along with rigorous cyber-security assessments to ensure continued uptime within critical functions. The increased risk factor posed by an increasing range of threats means business cannot continue as usual. With ransomware in particular, hackers have identified that critical infrastructure is easy to breach with little to no extra effort, with the potential for an even greater ROI. While investment in security systems is critical, the real turning point for the cyber-security industry will be when the perception of it changes from that of an expendable cost centre to that of a key business enabler.

Contributed by Jalal Bouhdada, founder and principal ICS security consultant, Applied Risk 

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.