The cyber threats facing Industrial Control Systems (ICS) include nation-state attacks, hacktivists, criminals and even trusted insiders. The frequency and ferocity of attacks are growing and continue to pose a major challenge to those ICS practitioners and cybersecurity teams tasked with protecting our critical national infrastructure (CNI).
The impact of potential threats to these systems relates to physical processes and can result in downtime of systems causing power, electricity or water outages. Any downtime can affect a plant’s ability to operate, its productivity and availability. For this reason, organizations that support critical infrastructure need to ensure the safety of workers, environmental impact and other aspects of operations.
To do that, industrial control system operators need to stay up-to-date with both cybersecurity challenges and the methods available to monitor and mitigate threats.
Industrial control systems are critically important for facilitating essential services – such as transportation, manufacturing and delivering essential services to our homes and businesses. This includes electricity and oil and gas; all of which are supporting instruments of national security and economic activity. This has not gone unnoticed by nefarious individuals who could target these systems to threaten national security and create economic instability on a global scale.
Traditionally built in a pre-internet era, these legacy systems are unrecognizable today.
For example, while initially designed to be contained within a physical parameter, increased connectivity has seen these air-gapped industrial control systems connected to IT systems that can not only monitor, but also control, processes remotely. This increased connectivity and convergence delivers some great advantages including cost savings, health benefits for workers, and even interoperability, the flip side is these systems are now connected to the Web and that makes them more easily discoverable to anyone looking. This has led to new pathways and mechanisms to manipulate automated physical systems, including critical infrastructure. Often designed without security, which is now being added, this can leave them vulnerable to cyber risks.
The combination of both criticality and vulnerability expose CNI operations as targets for threat actors – whether they are geo-politically motivated, economically motivated, maliciously motivated or a combination of all of the above.
CNI Designed Attacks
In the last few years CNI systems have experienced an increase in nation-state threats and cyberattacks, accented by high profile cases like the 2015 and 2016 attacks on the Ukrainian power grid, DragonFly and Stuxnet.
However, it’s not just malicious individuals that cause outages. The reality is that many cyber threats can result from weak passwords or even open ports. Whether caused intentionally or as the result of unintentional mistakes, all can negatively impact productivity.
We are at a fulcrum point where many have realized that innovation in connectivity has outpaced the cybersecurity measures needed to protect critical operational systems form escalating threats. That must change.
Change in Attack Focus
Conventionally, massive cyberattacks have targeted consumer and enterprise data theft, with targets being banks, credit agencies and retailers. In these types of attacks, the data acquisition and financial gain were the objectives, but this is changing.
Today cyberattacks will increasingly target industrial networks, such as power and distribution systems, transportation systems, manufacturing facilities and other critical infrastructure. In these scenarios, the objective isn’t data theft alone, rather disruption is the end goal. To do this, black hat activists or state-sponsored hackers must engage in OT data reconnaissance to obtain sufficient engineering knowledge of an ICS target, then engage a tailored attack that manipulates or disrupts a physical system.
To ensure operational reliance in the face of targeted attacks on ICS and CNIs, operators should be investing in the latest innovation to combat ICS cyber risks. In addition to cybersecurity strategies that place an emphasis entirely on protection methods, such as firewalls, SNMP network management tools, SIEMs etc., the ICS community must accept that some attacks will penetrate their defenses and that they have the ability to rapidly identify and respond to cybersecurity incidents early in their intrusion/attack cycles.
New innovations in the area of ICS monitoring and detection can alert operators to both process anomalies and cyber incidents in real-time, thus triggering rapid response and ensuring operational resilience.
Cybersecurity awareness training is also essential for personnel so that they can minimise the risks of accidentally opening the door to cyberattacks. Also, it is important to recognise that employees can inadvertently be the weakest link in a cybersecurity program, therefore organisations should use real-time monitoring technologies that can identify anomalous activities, regardless of the cause.
By monitoring for unusual behavior CNIs can create an early-warning system that enables them to avert or minimise risks to safety and smooth operations. IT and security teams also need to improve their security posture by extending beyond protective cybersecurity measures. For example, selecting technologies that provide advanced forms of both ICS threat and anomaly detection, asset discovery and rich network visualisation. This will be extremely helpful in not only identifying threats but also being able to respond to them quickly before they cause damage.
Cybersecurity experts recommend industrial companies with operations at risk should look to proven technologies that leverage artificial intelligence and machine learning to continuously monitor industrial controls systems networks for anomalies that detect and mitigate possible attacks that could cause harm to the industrial control systems. These technologies meet the unique needs of securing industrial networks and processes, integrate with IT security infrastructure to give IT organizations visibility into their ICS and help reduce the cybersecurity skills gap.
Look to the Future
One of the challenges companies will continue to face in the future is the result of technological progress that has come with the Industry 4.0 / IoT trends of the last five years. The increased connectivity of non-consumer devices has filtered down to mission critical networks and industrial control systems like DCS, MES and SCADA. As these industrial applications grow more intelligent, so does their exposure to cyber-born threats; whether they are internal or external.
With technological advances, such as machine learning and Artificial Intelligence, it’s now possible to model and monitor large, complex industrial control networks and critical physical processes. Normal baselines can be established for network communication and process behavior so that deviations and anomalies are instantly detected and operators are alerted.
Real-time operational visibility provides immediate insights for faster troubleshooting and remediation of cybersecurity and process issues. That makes it easier for engineers and plant operators to identify affected devices and apply compensating controls before operational systems are impacted.
Attackers will continue to improve and advance their attack methods and strategies to evade detection and gain control over targets. Attempts on ICS targets will grow in number as well. This is a certainty. The dynamics of black hat and white hat cyberwarfare has always been fought using tools of innovation. However, today the battlefield has migrated from the desktop or server room to the plant floor, oil field and power grid. With economic instability and even threat to physical safety, failure is not an option.