The new year is only a couple of weeks old and there have already been several ICS-related security incidents in the news. The media often sensationalizes these incidents. This is creating hype and growing worldwide awareness and concern over the threat of cyber attacks against industrial and critical physical infrastructures. I believe that 2017 will be the year ICS security becomes a mainstream media topic.
1. Growing Threat of ICS Malware Appearing in the Wild
New malware targeting ICS technologies will emerge in the near future and will target proprietary engineering protocols to alter the way PLCs and other industrial controllers work. If it is released uncontrolled in the wild, it could impact a wide array of industries and critical infrastructures, since they all use equipment from the same small set of vendors. The knowledge and capabilities required to create this type of malware have existed for some time now. The only reason it hasn’t happened yet is concern over the potential physical and political implications of creating such a devastating attack tool.
2. Cyber-Physical Warfare will be Waged
For the first time in US history, the words ‘Cyber-attack’, ‘Hack’, and ‘Cyber-War’ became front and center topics during an election. There are high-level U.S. officials classifying recent nation-state hacking incidents as ‘acts of war’. The scope of the battlefield has expanded rapidly and will soon include real-world devices, attacks on which will have a greater impact on the targets than the current method of simply releasing stolen data.
3. ICS Hacktivism will Become More Prominent
It’s apparent from the recent political turns in the US, UK, and elsewhere that there is an ideological shift happening in the world. These changes may leave some disenfranchised and willing to commit acts of violence, cyber protest, or cyber terrorism. Hacktivist groups will target petrochemical plants, oil drilling and other industrial infrastructures to produce environmental disasters in order to call attention to their causes, since traditional cyber-sabotage techniques are losing their shock appeal.
4. Cyber Extortion will Target Plants
Today, anyone can become a victim of cyber-extortion. With the erosion of industrial network air-gaps, cyber-attackers will target physical devices in an attempt to extort money from facility operators. Ransomware will infect SCADA and ICS, maybe even PLCs. Instead of a popup that says “your files have been encrypted”, the message on the SCADA screen might say “your PLCs are configured to shut down in 24 hours unless…”.
5. Adversaries will Develop “Red Button” Capability
Because it is relatively easy to get a foothold inside ICS networks today, more and more adversaries, both political and criminal, will get a foot in the door. This access won’t be used to inflict immediate damage; instead it will be used as a “red button” that can be pressed as part of a larger scale attack, or as leverage in negotiations.
6. More Physical Infrastructure will Show Up when Scanning the Internet
A sharp rise in ICS-related devices connecting to the cloud and other networks will result in more CPU and network power being cataloged, then targeted by cybercriminals. As vendors release more products that are remotely manageable, cloud friendly, or have wireless capabilities, the increase in complexity and interconnectivity of ICS networks will expose them to more external threats.
One of the biggest concerns, if these industrial threat predictions come true, is the likelihood of widespread collateral damage. Since such attacks target specific ICS technologies, most of which are used in a wide range of industries, an attack unleashed in the wild is likely to impact organizations that were not the intended target. For example, an exploit created to compromise a PLC in an oil refinery can also threaten elevators, turbines, or other industrial equipment and/or processes that use the same devices from the same manufacturer.