In the decade since the Stuxnet worm was discovered, multiple attacks have been launched against operational technology (OT) networks, including Shamoon, Havex, WannaCry, and LockerGoga. Looking back, a disturbing trend has emerged: industrial attacks are being recycled.
Consider LockerGoga, which crippled Norsk Hydro, one of the largest aluminum manufacturers in the world, in March of 2019. Like Stuxnet, this incident was a watershed moment in OT security because it not only impacted OT operations by taking aluminum production offline, but it also impacted IT security. For the first time, an attack moved laterally between once air-gapped IT and OT networks.
More concerning, however, is how industrial malware is being recycled. LockerGoga made global headlines in March, but it was neither the first nor the last time the malware was used to attack industrial organizations. In fact, LockerGoga first surfaced in January 2019 when it compromised Altran Technologies, a global industrial engineering consulting company located in France. The company shut down its IT network and all applications to prevent the infection from spreading to the networks of its industrial clients.
LockerGoga then hit Norsk Hydro, and shortly thereafter impacted chemical companies Hexion and Momentive, among others. This is perhaps the most widely publicized incident of a recycled attack, but it is certainly not the only example. WannaCry, Petya and Shamoon all made multiple appearances, either in their original form or as a variant of the original.
The writing is on the wall: OT security threats are following the familiar path taken by IT attacks, which recycle existing malware code. In fact, security firm RiskSense recently released a report that found the top enterprise ransomware families used the same 15 vulnerabilities to target companies.
Since OT is facing the same security challenges as IT, the same best practices apply with an ICS twist. Here are the top four.
1. VISIBILITY – Remediating a new vulnerability is impossible without knowing the model numbers, patch levels or firmware versions of the devices in the network. Deploying a continuously updated inventory management system will pinpoint devices that are at risk.
2. PRIORITIZATION – Due to non-stop production requirements, scheduling downtime to apply necessary patches and updates in OT environments is much more challenging than in IT networks. Having the ability to actively query individual devices at a very granular level, including serial number, patch level, firmware version, etc., takes the guesswork (and potential errors) out of remediation processes. With this knowledge, updates can be performed in much shorter windows and will ensure all affected devices are covered.
3. OT SPECIFIC THREAT INTEL – Despite the advancing level of convergence between IT and OT, there are still distinct differences between the signatures for each environment. Live update options now exist for OT malware signatures and should be considered. The sooner vulnerabilities are addressed, the smaller the window of compromise.
4. REMOTE SECURITY – Many large organizations with distributed environments may be unwilling or unable to deploy OT security at all their remote locations. Similarly, small and medium-sized industrial companies may not have the resources or inclination to protect their operations because they consider themselves a "small target". New cloud-based Industrial Cyber Security as a Service (ICSaaS) alternatives have emerged that can secure these remote locations without deploying on-premises hardware or personnel.
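Items 1 and 2 above, visibility and prioritization, as an added example that is not from the original article: a constructed inventory snapshot is matched against constructed vendor advisories, with numeric firmware comparison so that a 2.10.0 build is not mistaken for an affected 2.1.x one, and the hits are ordered by process criticality so a short maintenance window goes to the assets that matter most. All vendor names, models, asset IDs and affected ranges are assumptions.

```python
# Added example (not from the original article): match an OT asset inventory
# against vendor advisories to find devices that still need remediation.
# Every device, vendor, model and advisory range below is constructed.
from dataclasses import dataclass


@dataclass
class Device:
    asset_id: str
    vendor: str
    model: str
    firmware: str      # e.g. "2.3.1", as reported by the device query
    criticality: int   # 1 (low) .. 5 (process-critical), set by the plant engineer


def parse_version(v: str) -> tuple:
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


# Constructed advisories: firmware in [affected_min, fixed_in) is vulnerable.
ADVISORIES = {
    ("ExampleVendor", "PLC-100"): {"affected_min": "2.0.0", "fixed_in": "2.4.0"},
    ("ExampleVendor", "HMI-7"):   {"affected_min": "1.0.0", "fixed_in": "1.2.5"},
}


def is_affected(dev: Device) -> bool:
    adv = ADVISORIES.get((dev.vendor, dev.model))
    if adv is None:          # no advisory for this model: nothing to remediate
        return False
    fw = parse_version(dev.firmware)
    return parse_version(adv["affected_min"]) <= fw < parse_version(adv["fixed_in"])


def remediation_plan(inventory):
    """Return (asset_id, fixed_in) for affected devices, most critical first."""
    at_risk = [d for d in inventory if is_affected(d)]
    at_risk.sort(key=lambda d: (-d.criticality, d.asset_id))
    return [(d.asset_id, ADVISORIES[(d.vendor, d.model)]["fixed_in"]) for d in at_risk]


# Constructed inventory snapshot, as a live asset-discovery system would export it.
INVENTORY = [
    Device("PLC-A1", "ExampleVendor", "PLC-100", "2.3.1", criticality=5),
    Device("PLC-A2", "ExampleVendor", "PLC-100", "2.4.0", criticality=5),   # already fixed
    Device("HMI-B1", "ExampleVendor", "HMI-7", "1.2.0", criticality=3),
    Device("PLC-C9", "ExampleVendor", "PLC-100", "2.10.0", criticality=4),  # string compare would wrongly flag this
    Device("RTU-D4", "OtherVendor", "RTU-2", "0.9.0", criticality=2),       # no advisory
]

if __name__ == "__main__":
    for asset, fix in remediation_plan(INVENTORY):
        print(f"{asset}: update to firmware {fix}")
```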
Recycled cyber attacks may be a fairly new development in ICS security, but they have been a staple in IT environments for years. While many of the same measures used for protecting against them in IT apply in OT networks, there are differences. Using ICS specific tools for visibility, prioritization, threat intelligence and remote security will ensure OT environments are resilient to attacks regardless of whether they originate on the industrial network or migrate laterally from the IT side of the house.