The past decade has seen a dramatic increase in cyberattacks focused beyond traditional desktops and servers. The security industry refers to this sector as operational technology (OT), Internet of Things (IoT), or Industrial Internet of Things (IIoT), and it includes systems such as heating, ventilation and air conditioning (HVAC), embedded devices, and systems typically controlled by programmable logic controllers (PLCs) including pumps, turbines, pressure regulating valves, and tanks. These devices are typically outside the traditional scope of a normal information technology (IT) department.
In 2010, the world was put on notice on the power of cyber over industrial systems as Stuxnet attacked Iranian nuclear enrichment facilities. The past 10 years have shown a dramatic increase in cyber-attack tools developed specifically for ICS not just from single actors, but from nation state offensive cyber groups from countries like the US, Israel, China, Russia, Iran and North Korea. These groups are classified by security specialists as advanced persistent threat (APT) groups. After Stuxnet the security industry found Havex, a piece of ICS malware attributed to a Russian APT group in 2014 used to scan industrial networks. Since 2014 ICS malware has been seen at an increasing rate around the world, with notable attacks in Ukraine on December 23, 2015 when malware named BlackEnergy successfully compromised SCADA systems remotely switching substations off, disabling IT infrastructure, and disabling the call-center for customer support during the outage. Ukraine suffered another power grid attack on December 17, 2016 when malware named Industroyer was used to cut off power to the capital city of Kiev for an hour. In November of 2017 the TRISIS malware was discovered in a Saudi Arabian petrochemical plant disabling safety instrumented systems and security controls.
The National Vulnerability Database (NVD), which is a repository of security-related information maintained by the National Institute of Standards and Technology (NIST), has a separate category for Industrial Control System (ICS) attacks. These types of attacks have exploded in the last year. Between the first quarter of 2019 and Q1 2020, the water and wastewater industry has seen an increase of 122 percent of common vulnerabilities and exposures (CVEs). Critical manufacturing is up 87.3 percent in CVEs, and energy is up 58.92 percent.3 While cyberattacks on OT systems are still flying below the radar of more common IT hacks, the momentum in this space is quickly building.
It is a perfect storm, as many OT system owners want to take advantage of new technologies for automation and monitoring that require internet connectivity, without recognizing the cyber risk that comes with that connection.
Why It Can Happen to Users & Their Assets
An adversarial group decides to target a user’s facilities. The attacker and their reasons could be anything from a disgruntled employee, an international criminal organization, or a nation-state sponsored APT. Financial motivation is for criminal organizations who are using ransomware to hold systems hostage and extract a ransom to return it to operation. Recent years have brought several high-profile examples of ransomware on OT systems, including the EKANS ransomware that specifically targets industrial control systems (ICS). This was recently used against Honda and the global clean energy provider Enel, resulting in disruption to production.4 Critical infrastructure systems such as public utilities are targets for a nation or state looking to disrupt the stability of an adversary.
Regardless of the specific threat, any adversary will look for an opportunity to exploit user systems. Most commonly, this means stealing credentials or cracking a weak password (78 percent according to a Verizon 2020 Security Report).5 However, in the case of IoT and OT, there are many vulnerable endpoints available that can be found easily using public tools such as Shodan and Censys.io. These search engines crawl the entire internet approximately once per month and update their databases with information about exposed devices. A current search of Shodan (the search engine for internet connected devices) for a specific industrial protocol shows that there are approximately 5,000 industrial control devices exposed to anyone with an internet connection.
Once the adversary has accessed the system through stolen credentials or by simply connecting into it through an unsecured device that someone left on the internet, they will look to pivot through an engineering workstation, historian or similar system that is on both the IT network, and also on an OT network. Once on an OT network, an experienced adversary will be able to manipulate vulnerable devices, such as PLCs, to accomplish their goals. Stuxnet demonstrated how malware can cause catastrophic physical damage to equipment without triggering any alarms. The TRISIS malware in Saudi Arabia showed how an adversary can disable safety controls and endanger personnel. Adversaries can use these tactics to hold users ransom, damage their systems, or potentially harm employees working on the systems.
Cyber threats are impacting OT at an alarming rate and the security industry is responding. Comprehensive best practices are being established and communicated for specific industries, and cybersecurity companies are developing OT security tools and services to combat the rising threats.
A comprehensive risk management process has four components: framing, assessing, responding and monitoring. These activities should be interdependent processes that occur simultaneously and continuously. Framing is the process of building a model or framework which can be used to assess risk and make risk management decisions. Assessing is the process identifying the threats to, vulnerabilities in, and consequences of and attack for the entity under risk management. Responding is the process of accepting, avoiding, mitigating, and transferring risk. Risk monitoring is the process of implementing and assessing controls and compliance, as well as identifying changes.
The practical steps that an ICS security team can take in developing a risk management framework can be summarized in the following steps. For framing the security team should consult with a broad spectrum of the leadership to identify the assumptions and risk tolerance of the enterprise. For company that do not have inhouse OT security expertise, we recommend conducting a walk through with experts. Once the initial framework for risk assessment is complete, best practices for implementing an ICS Security Risk Management Framework are to perform the following four distinct steps. First, define the OT systems and conduct and inventory of the OT assets. This inventory should include basic information for each asset including manufacturer, operating system and applications installed, and latest patch date, as well and defining all interfaces to other systems. Second, a security plan should be developed. This plan documents the security controls that are selected. NIST SP 800-18 Rev 1, Guide for Developing Security Plans for Federal Information Systems is a good reference for developing a security plan. The third step is to perform a risk assessment. This detail of the risk assessment should be commensurate with the risk framework. More risk adverse organizations will conduct multiple risk assessment covering the entire enterprise. Others may perform a detailed risk assessment for the highest impact systems and less detailed assessments for other systems. Risk assessments are often conducted multiple times during a system’s life cycle, and organizations with multiple locations may alternate among sites. The final step in establishing a risk management framework is to implement the security controls based upon the security plan and an analysis of the risk assessment. Review the resources noted below to understand which policies will need to be implemented, but one example is a robust patch management policy.
The world of cybersecurity is a cat and mouse game between security firms and attackers, with the attackers constantly evolving and creating new tools to find loopholes in existing security systems, and the cybersecurity companies plugging those holes through patches. If a system cannot receive regular patches, it is extremely vulnerable, as it lacks the ability to adapt to the evolving threat landscape. Robust cybersecurity is not static.
After implementing an ICS cyber risk framework, many organizations conduct cooperative vulnerability assessments and red team assessments. This testing is like the final exam for the entire process outlined above, validating and ensuring that the risk framework processes are working correctly and have not missed anything. Usually this testing is performed by an outside firm so it can independently validate the security posture without creator or maintainer bias.
- NIST 800-82 – https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
- NIST SP 800-18 – https://csrc.nist.gov/publications/detail/sp/800-18/rev-1/final
- No More Ransomware – https://www.nomoreransom.org/en/index.html
- ATT&CK for Industrial Control Systems – https://collaborate.mitre.org/attackics/index.php/Main_Page
- Cybersecurity and Infrastructure Security Agency (CISA) – https://www.cisa.gov/publications-library/Cybersecurity
- Risk Assessment and Penetration Testing Services – www.vigilantsys.com