Industrial control system (ICS) security is certainly not a new concept, but over the past 18 months, its status has risen to the top of organizations’ priority lists. This is, in large part, due to the high-profile ICS attacks that have dominated news headlines of late.
Perhaps one of the most infamous incidents in recent years was the Colonial Pipeline ransomware attack in May 2021. Although the group behind the attack specifically targeted the company’s information technology (IT) systems, Colonial’s operational technology (OT) systems were affected in the process because of their reliance on IT infrastructure. The cyberattack served as an eye-opening example of the significant security risks associated with IT/OT convergence.
While ICSs can be negatively affected by ransomware and other cyberattacks targeting IT environments, they also can be the target of malware. For example, this past April, the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) issued a joint advisory warning of a full malicious ICS framework incorporating all facets of ransomware. Known as PIPEDREAM, this malicious ICS framework demonstrates how cybercriminals are escalating in their abilities to target ICSs.
Regardless of whether ICSs are targeted from the beginning or impacted after an IT breach, cybercriminals’ motives are the same — typically financially or geopolitically driven. This means any company — regardless of industry or size — can be a target if they have something that will advance cybercriminals’ goals. Today, small ICS environments are just as valuable for an attacker as large ICSs, and every company needs to remain vigilant.
Why ICSs are an appealing target
Cybercriminals want to reap the maximum reward for doing the minimum amount of work — and most ICSs present an opportunity for easy access into OT environments because the systems were built years ago, when cybersecurity was an afterthought. This is an attacker’s ideal target — old technology that lacks basic security protections, such as encryption and authentication protocols. Once a bad actor breaches an OT network, it might be possible to then move laterally within an organization to wreak havoc across the business. And, conversely, if a cybercriminal can breach an IT system, they can easily enter into OT networks if they are not properly designed and implemented.
Complicating matters, many industrial Internet of Things (IIoT) devices are now connected to the cloud, which has dramatically expanded organizations’ attack surfaces. This means organizations are battling unsecured ICSs, a rise in network entry points and a significant increase in ICS attacks.
Defending against a growing threat
Despite the increasing risks associated with IT/OT convergence and the rise of ICS attacks, there are steps organizations can take to strengthen their cybersecurity posture and overall cyber resilience.
- Take advantage of existing ICS security frameworks: There are a variety of recognized regulatory standards that companies should follow to design secure, safe and reliable ICS environments. There are general frameworks, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), NIST 800-82 (Guide to Industrial Control Systems Security) and ISA 99.02.01/IEC 62443: Security for Industrial Automation and Control Systems. And, then there are industry-specific frameworks, such as the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC SIP), the Transportation Security Administration (TSA) Pipeline Security Guidelines and the Cybersecurity & Infrastructure Security Agency (CISA) Critical Infrastructure Sectors guidance.
- Strengthen password policies: Password polices should require a minimum length of 12 characters as well as the use of alphabetic, numeric and special characters.
- Utilize multi-factor authentication (MFA): MFA should be used for all externally facing authentication portals and internal sensitive services. This technology serves as a second layer of defense, so accounts remain protected even if a password is guessed.
- Prioritize application security: Properly configure applications that can execute containerized code and prioritize application whitelisting.
- Ensure continuous network monitoring: Perform baselining to establish “normal” environment behavior to enable abnormal behavior detection down the line. Additionally, routinely monitor and review: 1) endpoint AV/EDR logs and traffic logs to identify potential malicious activity, 2) domain controllers for increased, burst activity, 3) protocol communications for suspicious network activity, and 4) communications between PLCs and internal/external destinations to identify unusual patterns.
- Properly segment zones to keep OT and IT separated: This will ensure the damage inflicted during an attack will stay compartmentalized within the “zone” that was breached.
- Incorporate threat intelligence: Threat intelligence will help you stay informed on the latest attack methods targeting ICSs and how best to defend against them.
- Stay committed to security basics: This includes keeping ICS firmware up to date, utilizing security-focused ICS protocols and ensuring patch management procedures.
- Develop and practice an incident response (IR) plan: Develop a proper IR plan and make sure all affected personnel and systems are routinely trained and assessed on it.
- Provide ongoing employee awareness training: Employees, from the executive team to entry level staff, should be continuously trained to recognize all types of malicious attacks and to respond with best practices, if they are targeted.
The stakes are rising when it comes to ICS attacks and the associated consequences. Beyond the business implications of these attacks (e.g., financial loss, downtime, damaged reputation, etc.), there could be serious consequences, such as physical harm to humans. In fact, Gartner predicts that “by 2025, cyber attackers will have weaponized operational technology (OT) environments to successfully harm or kill humans.”
Now is the time to lock down ICS systems with an iron-clad cybersecurity strategy, so cybercriminals can inflict harm on humans, or businesses, for that matter. Following the above best practices will start organizations down the path to cyber resilience, keeping ICSs and employees safe regardless of the threats the organization encounters along the way.