Organizations Must Understand What’s Driving the Escalated Targeting of Industrial Networks
We have ample evidence that nation-state adversaries are targeting Energy and other critical infrastructure sectors. Those networks are essential to operations and therefore valuable to attackers, and we can expect to see more attacks as a form of economic warfare to advance geopolitical agendas. Nation-state adversaries have already crossed the red line of what in more traditional domains would constitute warfare. Yet, thus far, western governments have not responded appropriately, which is further emboldening the Russian nation state hackers.
Consider the first incidents that provided elements of proof of a nation-state waging war on critical infrastructure: the attacks on the Ukraine power grid in December 2015 and December 2016. A nation-state, now widely acknowledged to be Russia, launched an attack targeting industrial control systems (ICS) components within the network of electric utilities. This was clearly a show of power and many believe a test bed for similar further operations in the west – not so much on the technical capabilities, but rather on the response from the west. In any other domain of warfare this would be considered crossing a red line. However, the world did not react accordingly.
The second wave came with WannaCry and subsequently, and more importantly, NotPetya. A significant escalation in this type of warfare, NotPetya was devised to spread quickly and indiscriminately. It sent a clear message that foreign companies doing business in Ukraine should not be there. This time the world responded, but the response was delayed. Almost nine months later, The White House issued a statement condemning the Russian military for the “most destructive and costly cyber-attack in history”, but still took no clear action.
The U.S. Department of Homeland Security and the FBI then issued a number of joint advisories that Russian nation-state actors had a presence in many critical infrastructure networks. The U.S. Cyber Command also released a document describing a new approach to dealing with cyberspace threats including “defending forward and continuously engaging our adversaries.” In the document they acknowledge that the U.S. chooses to operate under constraints, “including our traditionally high threshold for response to adversary activity.” As such, it’s hard to know the ultimate impact of “defending forward” but it is clear that with the stakes raised and undeniable proof, the U.S. is scaling to this new normal.
In order for organizations to understand how to defend against these attacks, it’s important to understand what’s driving the escalated targeting of ICS networks. First, these systems run the world’s infrastructure and are responsible for our well-being, so they present significant opportunity to cause disruption and harm – both physically and economically. About 45% of Fortune 2000 companies rely on ICS networks to do their business – be it water, mining, electricity, pharmaceuticals, food and beverage, etc. While the remaining 55% rely on industrial controls systems for basic needs like transportation, HVAC systems, lights and elevators. ICS networks are ubiquitous.
Second, industrial networks have extremely long lifecycles; many have been operational for 35 years or more. As these aging networks began to be connected to IT systems for automation and inputs, they lacked security controls. Unable to keep up with security updates, for a variety of reasons I’ll discuss in a future article, they became exposed. Furthermore, the IT security teams of these organizations have zero visibility into these networks and no telemetry. The potential for significant damage and the exposure and lack of visibility into ICS networks, make these networks attractive targets for attackers.
What we can expect
We may not be yet at a stage where adversaries openly cause physical damage, such as shutting down portions of the power grid or contaminating water supplies. However, we are at a stage where they regularly operate below the threshold of armed conflict, using their powerful warcraft for economic and political advantage while maintaining plausible deniability.
Thinking like these adversaries, as defenders are trained to do, and knowing that these aggressors don’t want their actions to be considered an open act of war, we can expect scenarios that erode public trust. For example, disrupting production of the top pharmaceutical companies to create shortages. Or tampering with the quality of products by food and beverage companies. There are many ways they can disrupt our economic well-being without taking blatant actions.
Our blank slate opportunity
So what are we to do? The good news is that awareness of these types of attacks is rising. The government is taking a more aggressive stance against cyberwarfare. The media is shining a spotlight on attacks on industrial networks and critical infrastructure. And increasingly, Fortune 500 companies have the support of their board of directors and budgets to strengthen the security of their ICS networks.
The other piece of good news is that, as defenders, we are starting with a blank slate. Operational Technology (OT) networks have no modern security controls, so we have an opportunity to build a security program from scratch. One that will allow us to quickly close the 25+ year gap between IT security and OT security by focusing on what we can do next week and next month to reduce risk the most.
I’ll continue this discussion at RSAC 2020 as well as in my next SecurityWeek column, where I’ll explain how to bridge the IT-OT gap, common pitfalls from the field, and tips to avoid them.
Related: Learn More at SecurityWeek’s ICS Cyber Security Conference