The bleak Orwellian future of dominance by factories and industrial landscapes has not exactly become reality – at least not in the western hemisphere. However, across the globe manufacturing remains the lifeblood of both first world and developing nations. At the same time what some are calling ‘Industrie 4.0’ or the Smart Factory has become a reality. Leading experts have predicted that the global manufacturing sector will see an increase and acceleration in the connectivity and digital transformation initiatives that have taken root in the industrial sector over the past few years. As an increased reliance on digital systems continues to transform how goods are manufactured, the issue of security surrounding industrial control systems (ICS) will increasingly be highlighted. Cyber security firm Indegy released a blog report entitled ‘Industrial Cyber Security Predictions for 2018’ in December 2017 – and that report highlights some of the issues ICS security professionals must face in a fast-changing industrial landscape.
ICS security under threat
The report covers a wide swathe of threats that face industrial control systems. Threats such as ICS ransomware, a ‘Red Button’ cyber weapon and Industrial Internet of Things (IIoT) risks take center stage in the threat matrix facing this fast-growing industrial sector. These threats will force ICS security professionals to adopt new approaches and embrace innovation in the next 12 months and beyond in order to protect increasingly complex and vulnerable systems.
Ransomware outbreaks such as WannaCry, NotPetya and, most recently, Bad Rabbit caused widespread disruptions among organizations in all industries, including manufacturing and transportation services. According to the report there is no reason to believe that ransomware will not continue to evolve in 2018. These attacks were not aimed specifically at industrial control system networks – but with the increasing importance and complexity of those networks, this can be expected to change.
Legacy Windows vulnerability – A clear weakness
The threat to industrial control systems is especially clear because these environments often run legacy Windows systems that have well-known security weaknesses and may not have been patched regularly. The lesson for IT professionals is that these vulnerabilities must be addressed by applying patches regularly. Even though ransomware has not targeted controllers in the past – it’s only a matter of time. In 2017 researchers at the Georgia Institute of Technology designed a cross-vendor ransomware worm known as LogicLocker, which would be capable of targeting PLCs.
Aside from locking users out of systems, this ransomware is potentially even more dangerous. It contains a ‘logic bomb’ that begins to operate machinery dangerously, threatening permanent damage and human harm if the ransom is not paid in time. Now that this proof of concept is out there, ICS security can expect to see real-world attacks in the near future.
Dana Tamir, Vice President of Market Strategy for Indegy explains, “The introduction of IIoT architectures has exposed most PLCs to cyber threats they have never faced before. In the past, industrial control system environments were isolated from the internet by an “air gap”. Although PLCs have always lacked security controls, including encryption and access controls, these risks were contained since only those with direct access to the network could potentially cause problems. Now that IIoT technologies can connect these unprotected environments to the corporate network or the cloud, PLCs are being exposed to external threats.”
The Threat of War
The development of a so-called ‘Red Button’ cyber weapon is one that has been recognized by international security experts. It is well known that both the United States and North Korea are engaged in an ever-escalating war of words that shows every sign of further escalation, the initiation of real hostilities and, even more worrying, a nuclear exchange. North Korea has been building a cyber army in tandem with increasing its nuclear capabilities. This is a country that is entirely capable of (and possesses sufficient motivation for) unleashing devastating attacks against its enemy’s critical infrastructure. Russia has also invested significantly in cyber warfare capabilities. Its attacks on Ukraine’s infrastructure, including power generation capacity, in 2015 were especially worrying. Many experts believe that these actions were a dry run for even more devastating action.
These are only two instances where nations have flexed their muscles in so-called ‘Red Button’ attacks, which are capable of shutting down power grids and other critical infrastructure such as water supplies by accessing industrial control systems.
The latest report by Indegy repeats the company’s long-standing concerns about these capabilities. According to Tamir, “Most cyber attacks on industrial networks begin with a thorough reconnaissance phase designed to gather as much intelligence as possible on human, network and protocol information, as well as information about the manufacturing process, industrial applications, and potential vulnerabilities.
“This typically begins with identifying an initial target that will facilitate the intrusion into the organization. This can be accomplished using well known techniques such as social engineering, email phishing, etc. It is not uncommon to find unpatched workstations running legacy operating systems such as Windows XP in these operational environments. As a result, attackers can inject malicious code into these systems with relative ease to remotely access and compromise them.
“The attackers simply need a single point of entrance to get started. Once inside the network, attackers can gain an understanding of the control process or look for system features that can be exploited to obtain access to critical assets, such as engineering workstations and controllers. Information gathering sometimes lasts for months, as attackers roam the network undetected.
“This foothold gives adversaries the access and capability required to shut down power grids, water supplies, etc. with the push of a button.”
Indegy has emphasized that the current trend of improving productivity and reducing the cost of operational maintenance by increasing system connectivity makes these sorts of threats even more pressing for organizations that use industrial control systems – rather than solving the problem.
Vendors have bent over backwards to support ICS security measures aimed at improving the performance of industrial concerns. At the same time, however, Indegy believes that insufficient attention has been paid to the threat posed by hackers. In fact, industrial control system environments lack visibility and security measures, which means that detecting and mitigating threats in real time can be extremely challenging.
Industrial control systems cybersecurity skills gap
The lack of qualified cybersecurity professionals continues to grow. Companies are committed to building their capacity in this regard. However, defining the requirements of an ICS security strategy – and sourcing professionals to implement that strategy – remains a challenge. The vexing question of who should be responsible for security remains: should it be the IT security operations team, who may grasp cybersecurity best practices but may not be intimately familiar with operational technology (OT)? Or should it be the operational team, who know the industrial control system environment intimately but lack knowledge of cybersecurity best practices? The answer seems to lie in leveraging the unique skills of both teams – and in this task skilled leadership is a core requirement.
Integrated ICS security and IT SOC solutions will be important
ICS security solutions that integrate with IT SOC solutions are going to be of pivotal strategic importance in 2018.
Tamir suggests that, “Since it is difficult and sometimes impossible to upgrade or replace existing controllers or control systems with newer, more secure equipment, network activity monitoring and threat detection solutions should be used. These capabilities should be able to detect and inspect all communication between various devices, and specifically identify attempts to make changes to them such as reprogramming, reconfiguring or firmware downloads, which directly impact the physical processes they manage. It is also important to identify who is initiating the activity, which devices are being accessed and the exact impact on the device. For example, if code on a controller is changed, knowing exactly what changed is critical from both a security and operations standpoint.
“These activities are not easy to detect since they are either executed over the network using proprietary vendor protocols, or via direct connections to the device (using a serial cable or USB). Nevertheless, monitoring engineering activities and changes is critical to ensuring the safety and reliability of manufacturing processes.”
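The monitoring Tamir describes – spotting reprogramming, reconfiguration or firmware download operations, attributing them to a source host and user, and recording exactly what changed on the controller – can be illustrated with a small detector. The following is an added example written for this article; it is not Indegy’s product code and does not speak any real vendor protocol. The event records, the operation names (program_download, config_write, firmware_download), the authorized engineering host address and the program text are all constructed stand-ins for what a real network or serial/USB monitor would produce.

```python
"""Added example (not Indegy's code): flag controller-changing operations in a
constructed ICS event log, attribute them, and diff the program against the last version."""
import difflib
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed inventory of hosts permitted to reprogram controllers (constructed address).
# Any other host performing a change operation is flagged as unauthorized.
AUTHORIZED_ENGINEERING_HOSTS = {"10.0.1.5"}

# Illustrative operation names standing in for vendor-specific write/program messages;
# these are placeholders, not real protocol function codes.
CHANGE_OPS = {"program_download", "config_write", "firmware_download"}


@dataclass(frozen=True)
class Event:
    ts: str        # timestamp reported by the monitor
    src: str       # source address of the client (or port identifier for serial/USB)
    user: str      # user the monitor attributed the session to ("?" if unknown)
    device: str    # target controller name
    op: str        # operation observed on the wire or the engineering port
    payload: str   # program/config text carried by the operation ("" for reads)


@dataclass
class Alert:
    ts: str
    src: str
    user: str
    device: str
    op: str
    authorized: bool
    old_hash: Optional[str]   # None when no prior version of the device was seen
    new_hash: str
    diff: str                 # unified diff of program text: what exactly changed


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def detect_changes(events: List[Event], baseline: Optional[Dict[str, str]] = None) -> List[Alert]:
    """Walk events in order. Every change operation yields an Alert carrying who did it,
    which device was touched, whether the source host is authorized, and a diff of the
    program text against the last version seen for that device (or a supplied baseline)."""
    last_seen = dict(baseline or {})  # device -> last known program text
    alerts = []
    for e in events:
        if e.op not in CHANGE_OPS:
            continue  # read polls are routine HMI traffic and are not alerted on
        old = last_seen.get(e.device)
        diff = "".join(difflib.unified_diff(
            (old or "").splitlines(keepends=True),
            e.payload.splitlines(keepends=True),
            fromfile=f"{e.device}@before", tofile=f"{e.device}@{e.ts}"))
        alerts.append(Alert(e.ts, e.src, e.user, e.device, e.op,
                            e.src in AUTHORIZED_ENGINEERING_HOSTS,
                            sha256(old) if old is not None else None,
                            sha256(e.payload), diff))
        last_seen[e.device] = e.payload  # record the new version for the next comparison
    return alerts


def summarize(alerts: List[Alert]) -> List[str]:
    """One line per alert, suitable for forwarding to an IT SOC queue."""
    return [f"{a.ts} {a.op} on {a.device} from {a.src} ({a.user}) "
            f"{'AUTHORIZED' if a.authorized else 'UNAUTHORIZED'}" for a in alerts]


# Constructed sample log: an authorized program download from the engineering workstation,
# routine HMI reads, then a download from an unknown host that rewrites one rung.
SAMPLE_EVENTS = [
    Event("2018-01-08T07:55:00Z", "10.0.1.5", "eng_alice", "PLC-07", "program_download",
          "rung1: start_pump IF tank_level < 40\nrung2: stop_pump IF tank_level > 80\n"),
    Event("2018-01-08T08:00:00Z", "10.0.2.20", "hmi", "PLC-07", "read_tags", ""),
    Event("2018-01-08T08:00:05Z", "10.0.2.20", "hmi", "PLC-07", "read_tags", ""),
    Event("2018-01-08T23:41:12Z", "10.0.3.99", "?", "PLC-07", "program_download",
          "rung1: start_pump IF tank_level < 40\nrung2: stop_pump IF tank_level > 95\n"),
]


if __name__ == "__main__":
    for alert in detect_changes(SAMPLE_EVENTS):
        print(summarize([alert])[0])
        print(alert.diff)
```

Two design points matter for the operational use Tamir describes. First, the detector keys on the operation type rather than on the source, so an unauthorized host and an authorized engineering workstation both produce an alert; the authorized flag is what lets the SOC triage the two differently. Second, keeping the last program text per device (or seeding it from an offline baseline) is what turns “a download happened” into “rung2’s threshold changed from 80 to 95”, which is the detail both security and operations staff need before deciding whether to roll the controller back.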