Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Leading Threat to Industrial Security is Not What You Think

As attackers become more sophisticated, so do their attacks. This in turn exposes threat vectors that once were thought to be well protected, or at least not interesting enough to attack. Nowhere is this truer than in industrial control systems (ICS) environments.

As attackers become more sophisticated, so do their attacks. This in turn exposes threat vectors that once were thought to be well protected, or at least not interesting enough to attack. Nowhere is this truer than in industrial control systems (ICS) environments.

The growing practice of connecting ICS to enterprise networks and the internet, driven by technologies such as IoT, edge computing and analytics platforms, has put ICS on the radar of cybercriminals.

ICS attacks can cause severe problems, ranging from supply chain disruption to physical damage to components and subsystems. What’s more, ICS traffic often contains proprietary data or information that has intrinsic value to business processes or workflows. 

Securing ICS is more challenging than protecting traditional IT environments since ICS is insecure by design. ICS was originally conceived to be siloed from other IT systems, shared IT infrastructure and the outside world. These closed systems were considered immune from external threats, simply because they were “air gapped”.

Advances in IoT technologies and other IT centric systems made it logical to connect ICS to IT to garner numerous benefits. However, very few considered the implications of that connectivity, which cybercriminals are able to exploit. Especially the native insecurities of ICS, such as limited policies, a lack of access control provisions, weak password enforcement and infrequent patching. Perhaps the biggest threat to ICS is the fact that utility companies are such large targets – they are well known, cover large geographic areas, and their critical locations are all very public.

Simply put, ICS operators need additional methods of obscuring their critical infrastructure from cyber security threats and tactics while allowing teams to more anonymously conduct incident detection and response. One way to obscure ICS vulnerabilities is to procure sensitive equipment (including cloud infrastructure) through surrogate means.  Hiding the billing trail is a proven method of making it more difficult for threat actors to determine access points.  In addition, all cyber practitioners in the ICS space must have access to realistic training sandboxes where they learn how to disrupt potential vectors while also seeing the interactions of potential threats in a benign environment.  Consider the following attack vectors that can impact ICS. 

Brute force attacks against weak passwords are something IT pros have been dealing with for years and have developed countermeasures against. However, most ICS systems lack policies around passwords, meaning that attacks may go unnoticed or unrecorded. Here, ICS operators need to learn what constitutes a brute force attack, identify the signs of such an attack, and implement controls to prevent damage. Processes that require knowledge, action, and response. Those processes must be taught.

Another attack vector is false data injection, whose primary goal is to disrupt ICS processes. In the IT world, DDoS (Distributed Denial of Service) attacks are focused on disruption. However, with ICS false data injection may take on a different characteristic, one that not only disrupts processing, but potentially damages physical equipment, or cascades to other devices. ICS operators must learn how to monitor for those types of attacks, create policies that can stem them, and remediate vulnerabilities they exploit. 

Advertisement. Scroll to continue reading.

Dealing with data injection attacks also requires knowledge of how data is shaped and moves across the ICS environment, something that may be difficult for ICS operators to conceptualize. That means training must take on a new element, one that consists of simulations that can demonstrate the characteristics of those attacks, and show the consequences. 

Other attack vectors ICS is susceptible to include buffer overflows, command injection, PLC programming modifications, and many more. Dealing with those attacks requires knowledge of both ICS and IT, meaning that ICS operators must achieve the same level of cyber competency  as their IT counterparts, while also applying their knowledge of the intricacies of ICS.

Simply put, organizations must put in place plans and policies to adequately train those that manage ICS, build realistic scenarios, and also provide a layer of anonymity for those responding to those threats. 

Just as in IT, the most effective way to train ICS personnel on is using the native environment and tools they work with everyday. Since production environments are off limits for training exercises, software-based sandbox environments provide effective alternatives. 

Today’s threats to ICS are much more common than stuxnet was some 10 years ago, and the attackers have evolved to seek financial gains from attacks, making ICS a growing attack vector. That’s why players in the ICS space must employ better means of both critical infrastructure obfuscation and staff training to bolster their defenses.

Lear More at SecurityWeek’s ICS Cyber Security Conference

Written By

Gordon Lawson is CEO of Conceal, a company that uses Zero Trust isolation technology to defend against sophisticated cyber threats, malware and ransomware at the edge. Previously, he served as president at RangeForce Inc. Gordon has nearly two decades of experience in the security sector with a focus on SaaS optimization and global enterprise business development from global companies including Reversing Labs, Cofense (formerly PhishMe) and Pictometry. As a naval officer, Gordon conducted operational deployments to the Arabian Gulf and Horn of Africa, as well as assignments with the Defense Intelligence Agency, US Marine Corps, and Special Operations Command. He is a graduate of the US Naval Academy and holds an MBA from George Washington University.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

ICS/OT

The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

ICS/OT

Municipal Water Authority of Aliquippa in Pennsylvania confirms that hackers took control of a booster station, but says no risk to drinking water or...

ICS/OT

Mandiant's Chief analyst urges critical infrastructure defenders to work on finding and removing traces of Volt Typhoon, a Chinese government-backed hacking team caught in...

Cybercrime

Energy giants Schneider Electric and Siemens Energy confirm being targeted by the Cl0p ransomware group in the campaign exploiting a MOVEit zero-day.

ICS/OT

Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).

ICS/OT

Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.