The Year to Come in ICS / Critical Infrastructure Security

In my previous column, I outlined a series of high-level, prescriptive steps for organizations to follow to better the security posture of their Industrial Control Systems (ICS) networks. Hopefully, you found that helpful to moving the needle forward and are putting some of those steps in place. I promised in that column that we’d address a series of technical recommendations as the next in our series. We have to hold those thoughts for the January edition. Rest assured, that piece will come along into the New Year (I’m giving you something to look forward to!) 

Here, I wanted to address some of my thoughts about what the New Year will hold for Industrial Control Systems/Critical Infrastructure cybersecurity. It is “Security Prediction Season” after all, and I’d be remiss not to offer my thoughts. Below I’ve outlined a few things I think will definitely manifest – some are bad, some offer more promise for placing us on a path to combating an adversarial scourge which is growing in this absolutely critical area.

Nation-States will Conduct More Probing of Critical Infrastructure: 

I think that Pandora is out of her box as it relates to nation-state threat activity against critical infrastructure. Nations around the globe have recognized that there is no longer a “bright red line” preventing them from including cyber action against critical infrastructure as a replacement for, precursor to, or component of conflict. The lack of any response to 2014 threat activity probing U.S. critical infrastructure and targets in Europe, and the ’15 and ’16 disruptive attacks conducted against Ukraine, empowered repeat activity on the part of multiple nation states in 2017 and will do so into the future.

Let’s review:

- July ’17 disclosure of (believed to be) Russian probing of the IT networks of U.S. Energy and Nuclear facilities

- September ’17 release of Symantec’s Dragonfly 2.0 report detailing access on the part of adversaries (again believed to be Russian – not yet completely linked to the July disclosure) to the ICS networks of targets in U.S. Energy

- October ’17 release of a FireEye report detailing (believed to be) North Korean spear-phishing attempts at U.S. Energy firms

- October ’17 TLP White release from ICS-CERT detailing attacks against the Energy, Nuclear, Transportation and Critical Manufacturing sectors

The good news from 2017 was that nothing happened in terms of disruption (at least as of the time of this writing – we are, after all, still on track for the “2017 anniversary” attacks that may come in Ukraine) – I am not as hopeful for the same outcome in 2018. Do I think there is a likelihood of Russia disrupting U.S. or European energy in 2018? No – but rogue states such as North Korea do not play the same geopolitical chess game that the Russians do. They are motivated, are exponentially increasing their capabilities, and their barrier to action is far lower. I’m also very concerned about regional conflict – such as that heating up between Saudi Arabia and Iran – leading to some form of action.

Ransomware will Again Spill Over – it MAY be Targeted and Disruption will Rear its Head Again:

The most significant cyber events in 2017 related to ICS networks came in the form of collateral damage. We warned in April of ’17 that ransomware was coming for the shop floor. In May and June, we saw those warnings turn into reality. Fortunately, neither of these ransomware campaigns was specifically targeted at ICS networks. Unfortunately, that didn’t matter. The fact that both of these campaigns were able to reach ICS networks proves a point we’ve been making for quite some time – IT and ICS networks are not as widely segregated and air-gapped as many believe – and bridging from IT to ICS is, in many cases but not all, a relatively pedestrian exercise.

Major firms around the globe – FedEx, Mondelez, Maersk, Reckitt Benckiser, Merck, Honda – saw disruption from these campaigns. The financial fallout is currently tallied at just under $900 million in losses.

I anticipate two things in this area: 

1. We will see another spill-over along with major disruption and financial loss 

2. We will see threat actors – likely nation states but possibly criminals – craft ransomware campaigns specifically targeting ICS networks in an effort to conduct economic warfare and extort the world’s leading brands out of millions

Boards Will Demand Insights and Finally Empower Action 

On the back of the reported losses from NotPetya, we have already seen what looks to be the beginning of a major sea-change with respect to the level of concern Boards of Directors are placing on securing ICS networks.

We know of multiple cases in which Boards have immediately empowered CISOs to take action and have given them the direction “You have whatever you need to solve problems in this area.”

More mature companies (with respect to ICS security strategies) are jumping directly to action – others are getting their ducks in a row, as reflected in a stark increase in the number of ICS security assessments. I fully anticipate these trends to continue into the New Year at a feverish pace, and anticipate this pace to grow with or without any further attacks. Given the previous item above, we anticipate more losses in the future – but on the positive end, anticipate that real and rapid change is coming to ICS security.

The Ugly Truth Behind Readiness Will be Revealed 

Given the increased focus on ICS security readiness, I anticipate an audible collective gasp as organizations come to the stark realization that they are nowhere near as ready to combat threats to their ICS networks as they once believed. There will be a collective realization that they don’t have a clear understanding of what assets they even own, that hygiene is harder to upkeep in ICS than in IT, that air-gapping is a unicorn and doesn’t exist, that they don’t have the skills needed within their personnel, that their teams aren’t talking to one another, and that they aren’t currently monitoring these networks the way they should – and thus not only cannot respond accordingly, but don’t even know when they need to respond. On the positive side, looking at the item above, when they come to this realization it looks like something will actually be done about it.

Am I a soothsayer? No – but I have been in this space long enough to confidently make these statements about the year ahead. I’m keeping my fingers crossed that the bad will not manifest the way I predict – and that the good will manifest faster than we are even seeing. 

There is no more important mission in cybersecurity – in my mind – than securing the Industrial Control Systems networks that power our world and our lives. I leave you with hopes for a happy and healthy holiday season – and for the empowerment you need to fight the good fight into 2018.  

Written By

Galina Antova is the Co-founder and Chief Business Development Officer at Claroty. Prior to that, she was the Global Head of Industrial Security Services at Siemens, overseeing development of its services that protect industrial customers against cyber-attacks. She was also responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services for industrial control systems operators. Previously, Ms. Antova was with IBM Canada, with roles in the Provisioning and Cloud Solutions business. She holds a BS in Computer Science from York University in Toronto, and an MBA from the International Institute of Management and Development (IMD) in Lausanne, Switzerland.
