2019 is coming to an end, and with it so is the decade when America started taking cybersecurity seriously. In the past decade, we have seen the rise of cloud-based infrastructure, government legislation like FedRAMP, and – most importantly – a dramatic increase in the number of cyber threats facing both commercial and governmental organizations.
Before 2010 when the Stuxnet attack crippled one-fifth of nuclear enrichment centrifuges in Iran, comprehensive cybersecurity programs for industrial systems and operational technology (OT) were practically non-existent. Since then, the IT/OT convergence has brought about a slew of malware attacks specifically targeting Industrial Control Systems (ICS) and programmable logic controllers (PLCs), from BlackEnergy in 2014 to Industroyer in 2016.
A Chance for Improvement
According to major players in the malware detection industry, over 40% of ICS systems across utilities and manufacturing were targeted or outright attacked during the first quarter of 2018. On the one hand, this is a scary moment in history: for the first time, terrorists can wage war on another country’s critical infrastructure. On the other hand, industry professionals are waking up to the need for robust security in the face of increased risk.
In the best-case scenario, America and other developed countries will emerge from the 2020s with stronger infrastructure and a renewed focus on cybersecurity. Along the way, they will have to take a critical look at the greatest risks for ICS systems today.
In this article, we’ll give you a head start: here’s our list of the top 5 threats that ICS professionals need to worry about during the new year.
Top 5 Risks to ICS in 2020
It’s commonly believed that OT security risks stem from developing technology. However, this is not entirely true: some ICS risks stem from systemic flaws in an organization’s structure, supply chain and talent pool. In this list, we’ll give equal priority to all of them.
1. False Promises
Automation has long been the dream of cybersecurity, and in his talk at the ICS Cybersecurity Conference last month, Mark Carrigan pointed out that unscrupulous vendors have been promising a level of automation they just can’t deliver. Organizations who are looking for off-the-shelf solutions to OT security must beware: targeted attacks are masterminded by humans, and it takes human intelligence to identify and beat them.
More generally – as Steven Booth of FireEye maintains – bad vendors can be a liability to security, even when their products work as advertised: “we have seen a number of situations in the past few years where software components in automatic updates were corrupted or poisoned with malicious code,” said Booth.
This is a trend which security practitioners in every field need to be aware of. Next year, the Department of Defense (DoD) will require vendors to pass a certification program before working with government partners. Until then, organizations must stay vigilant in vetting their supply chain.
2. The Industrial Internet of Things (IIoT)
IIoT has been a mixed basket for organizations: on the one hand, it extends the functionality of networks and helps to generate data that drives operational efficiencies – consequently many operations managers love IIoT devices.
However, these devices can also create points of entry for attackers, especially because IIoT vendors are rushing their products to market, utilizing components from less-than-reputable sources, and skipping basic security controls along the way. Many products lack two-factor authentication (2FA) and secure update mechanisms— or in some cases, they don’t allow customers to change default accounts and passwords from default settings.
The National Institute of Standards and Technology (NIST) is currently working to develop mandatory standards for IIoT, in response to lax security in Distributed Energy Resources (DERs) which threaten the power grid. In the meantime, organizations should adopt a zero-trust policy towards IIoT, segmenting SCADA and ICS networks with perimeters to reduce the lateral mobility of attackers.
3. Insider Threats
In response to ICS risks, some organizations have rejected the IT/OT convergence altogether, isolating their OT from any contact with networks. While this so-called “air gap” method of defense kept OT on the periphery of cybersecurity for years, it is no defense against the biggest threat to ICS security of all: people.
Only 3% of attacks on critical infrastructure begin and end with technical exploits and vulnerabilities. Ninety-seven percent rely on social engineering techniques which trick an organization’s personnel into divulging passwords and access information. Insiders can also compromise a system through careless Internet activity and negligence of security protocol.
Going forward, organizations should invest more resources in training their personnel. Knowing cyber hygiene techniques, developing security situational awareness, and understanding the tactics of hackers can often prevent a major security breach.
4. Hackers Are Improving
According to Thomas Pope from Dragos, modern hackers have begun to converge on a common set of threats, techniques and procedures (TTPs). On the one hand, this is good news for security professionals, since it means attacks will be easier to detect. On the other hand, an over-reliance on commodity IT solutions and open design protocols put organizations at significant risk.
According to CyberX, 82% of industrial sites depended on remote management protocols like RDP and SSH in 2017. Not only are hackers familiar with these access protocols and their vulnerabilities, but they are even familiar with proprietary ICS systems.
Every year, attackers become stronger thanks to the resources available to them: increased digital literacy, the widespread availability of pentesting toolkits and darknet markets where SCADA/ICS protocols and exploits are sold cheap. Organizations should acknowledge this fact by designing industrial infrastructure with greater attention to segmentation and detection of indicators of compromise.
5. Talent Gap
When it comes to talent, the entire security industry is in a rough spot. According to some estimates, there will be 3.5 million unfilled security positions by 2021, thanks to the rise of cybercrime and a lack of educated professionals.
The situation is even worse for OT security: according to Robert M. Lee of Dragos, there are fewer than 1,000 ICS professionals in the entire world. In the coming decade, industrial organizations would do well to make sure their personnel have the education they need for success and promote the cybersecurity career path to inbound university students.
The Need for Expertise
With years of expertise trusted by the U.S. security community – including DoD, DHS and the U.S. Cyber Command – our people are equipped to find and eliminate modern OT threats with methodology including:
- Vulnerability assessments and penetration tests
- Red-team and blue-team services
- Industrial Control System (ICS) assessments
- Network engineering and security architecture design
Automated solutions just aren’t good enough: in 2020, partner with an organization that can see both the big picture and granular details of OT security today.
The 2020’s are an opportunity for renewed focus on cybersecurity. Securicon’s risk management solutions are based on industry standards for safety and professionalism. With years of experience in cybersecurity, we are here to help you manage the risks for Industrial Control Systems. Contact us for more information.