Industrial control systems are essential to the smooth operation of various national critical infrastructure. While once segmented from the web, these systems are now becoming increasingly networked and remotely accessible as organizations transform to meet the digital age. This development potentially exposes industrial control systems to digital threats.
One of the most serious threats confronting industrial control systems today is the Internet of Things (IoT). Organizations and users are becoming more and more dependent on Internet-connected devices, so much so that there’s not enough time to secure them. Such hype has enabled the creation of threats like VPNFilter, a type of botnet which targets routers, network-attached storage (NAS) devices and other IoT products. In May 2018, researchers observed that VPNFilter had infected half a million IoT products in what Ukrainian officials believed were Russia’s preparations for a digital attack. Less than two months later, Ukrainian law enforcement thwarted an attempted VPNFilter attack by Russian agents against a chlorine station.
The IoT threat facing industrial control systems is expected to get worse. In late 2016, Gartner estimated that there would be 8.4 billion connected things worldwide in 2017. The global research company said there could be approximately 20.5 billion web-enabled devices by 2020. An increase of this magnitude would give attackers plenty of new opportunities to leverage vulnerable IoT devices against industrial control systems. Concern over flawed IoT devices is justified. Attackers can misuse those assets to target industrial environments, disrupt critical infrastructure and jeopardize public safety.
Those threats notwithstanding, many professionals don’t feel that the digital threats confronting industrial control systems are significant. Others are overconfident in their abilities to spot a threat.
For instance, Tripwire found in its 2016 Breach Detection Study that 60 percent of energy professionals were unsure how long it would take automated tools to discover configuration changes in their organizations’ endpoints or for vulnerability scanning systems to generate an alert. Even so, 70 percent of participants affirmed it should take only minutes for those same solutions to detect an alteration.
Industrial professionals would be wise to not underestimate threats against industrial control systems. That’s because the costs of disruption can be significant to the business. In response to a 2016 ransomware attack, Michigan’s Board of Water & Light ended up paying approximately $2 million for digital security experts and a law firm to assist it in its recovery and prevent similar attacks from occurring in the future. A year later, Forbes reported that the 2017 NotPetya malware outbreak cost Copenhagen-based shipping giant A.P. Moller-Maersk upwards of $300 million. This malware attack ended up having approximately the same price tag for FedEx. Even worse than these incidents, a 2012 malware attack cost Saudi Aramco – the world’s biggest oil company – approximately $1 billion, as the company needed to replace 35,000 computers damaged by the attack. It also hired at least six firms and dozens of experts to help with the recovery, reported Reuters.
Tim Erlin, VP of Product Management & Strategy at Tripwire, feels these incidents demonstrate the importance of organizations protecting their industrial environments against disruption now rather than later:
If your business has an industrial control system footprint, now is the time to evaluate how you’re securing that environment. Industrial companies have accepted the reality that digital threats can have tangible consequences. This perception is perhaps heightened by recent attacks that were specifically designed to affect physical operations and have proven capable of doing so. It is vital that organizations properly secure their critical infrastructure by investing in robust cybersecurity strategies that involve proper foundations of critical security controls and layers of defense. Failure to do so will result in a major breach that will cause catastrophic failure, which is a significant concern among security professionals as a critical disaster could result in significant loss of life.
To begin hardening their environments against disruption, industrial organizations need to appreciate the ongoing convergence between information technology (IT) and operational technology (OT). They need to specifically look to harden their OT assets against IT threats as they continue to incorporate information technology into their environments. Tripwire Senior Systems Engineer Nick Shaw recommended that organizations specifically focus on training their workforce about these evolving threats:
Training and education focused on industrial cybersecurity need to improve within these organizations. An emphasis on digital security in the OT environment especially needs to take place. Everyone has a role to play in a robust cybersecurity strategy, and they need to be armed with the knowledge to control what they can control as part of that strategy.
From there, organizations might want to consider investing in an ICS security solution that can help them discover and profile all of their network assets, monitor the status of their network and systems as well as harden their plant systems against digital threats, thereby diminishing the likelihood of disruption. For more information on how to protect your organization’s industrial systems, download your copy of Tripwire’s whitepaper Industrial Cybersecurity – Essential to Assure Availability, Safety and Resilience today.