The threat posed by state-sponsored actors to critical infrastructure has been a heated topic of discussion since 2010, and again this week the ACSC (Australian Cyber Security Centre) raised further concerns. A lot of attention has been given to the malware and tactics used by advanced persistent threat groups, and rightly so, because that analysis informs better defence. What is talked about far less is the creation of a comprehensive defensive strategy, and that is what this piece is about.
For many in the InfoSec community, June 2010 represented the opening of Pandora’s Box. The “Stuxnet” incident made many realise that critical infrastructure was just as vulnerable to a cyberattack as their grandmother’s laptop. The comparison may seem a little unfair: exploiting flaws in an IoT/OT environment takes substantially more knowledge and skill than running a scam distributed by spam email. However, that knowledge and skill is exactly what state-sponsored groups have, and in many cases they are well resourced as well.
Whether it is Stuxnet or Trisis (also known as Triton), many security firms have devoted a lot of time and resources to analysing the malware. The internet is full of good articles analysing attacks on IoT/OT environments as well as the political ramifications of those attacks. In some cases these articles have left the impression that the attackers are too skilled and well-resourced to be stopped; in others, accounts of attacks on power stations and other critical infrastructure have a movie-script feel lurking between the facts. This is not to say attacks on ICS/SCADA environments are not serious; such attacks have real potential consequences for the health and safety of staff. However, a certain amount of myth has attached itself to these attacks and to those who perpetrate them.
Effective defensive strategies can be developed, and since 2010 they have evolved along with the malware and tactics used by the more infamous state-sponsored groups. In the past, the core of any defence was air-gapping ICS systems by physically separating them from every other network. As time moved on, however, the Information Technology (IT) and Operational Technology (OT) spheres of organisations began to merge, increasing the attack surface faced by companies adopting new technology to remain competitive.
IoT/OT infrastructure is particularly vulnerable right now for three reasons: many years of under-investment in cyber security; ageing and legacy IoT/OT equipment that is inherently exposed to attack; and a lack of visibility, with most operators having zero or only rudimentary ability to detect and respond to advanced cyber-attacks.
More than 60% of our OT clients have had general malware and ransomware on their OT networks, and almost every one of them has significant vulnerable and unpatched OT infrastructure. This is generally due to the difficulties of patching always-on OT environments, including a lack of OT vendor support for the OS version or patch, even though I recommend that OT operators take a far more aggressive stance on patching practices.
Unlike their IT counterparts, most OT engineers have no cyber security mindset or training whatsoever, so they lack the mindset even to recognise that an outage or malfunction is the result of a cyber-attack. Furthermore, it is well known that risks from nation states, including espionage, pre-positioning for sabotage, and coercion, are not well understood by government or business and are therefore not factored into the risk management practices these organisations already have in place.
The Australian Government established the Critical Infrastructure Centre in January 2017, and it listed the four highest-risk OT sectors as telecommunications, electricity, water and ports. Across our clients we also see oil and gas as two further OT sectors that are actively targeted.
The most common threats we see on OT networks are malware and ransomware, including password stealers, keyloggers, command-and-control (C&C) agents and crypto-miners. The threat posed by nation states is very real: although the likelihood of an “act of war” type attack is remote, its impact would be very high.
In IT, a cyber-attack does not generally kill anyone. In OT, an attack can quite easily blow things up or flood homes, with life-threatening consequences and a rectification cost that can run into billions of dollars. Even a small, non-nation-state threat such as commodity malware or ransomware could easily impact an OT environment, with significant consequences for the consumer. Imagine flicking the power switch and getting no lights. Turning on the thermostat and getting no heat. Turning on the tap and the water is not clean.
To further complicate matters, modern operations employ third-party contractors who in turn may hire their own third parties to fill skills gaps. If contractors and sub-contractors hold elevated privileges, the attack surface broadens further. Simply applying an air-gap policy is no longer the answer and is certainly not sustainable going forward. Any strategy will therefore need to cover the entire IT/OT infrastructure, both as it stands today and as it will evolve in the future.
At first glance this can look like an incredibly complex, if not impossible, task, especially for those without the experience. That is why choosing a partner to develop and implement a strategy has proven to be a popular choice. In turn, the partner needs to be able to protect both the corporate and the ICS/SCADA environment, with special attention applied to the IT/OT bridge, including operator workstations. That last requirement, monitoring operator workstations, is vital to reduce the chance of human error, especially when contractors and sub-contractors form part of daily operations.
That is the big picture needing consideration, but at a technical level the security partner needs to fulfil several further requirements: log monitoring that is collected and stored separately, outside the SCADA infrastructure, so an attacker on the control network cannot erase the evidence; accurate baselines of normal environment behaviour, against which deviations can be detected; integrated network and endpoint forensics, together with deception assets (decoy hosts, credentials and services) placed throughout the environment, to reveal the entire sequence of an attack; support for the industrial protocols actually in use (for example Modbus, DNP3 and IEC 61850), so traffic can be understood rather than merely counted; and preventing the exploitation of known vulnerabilities where patching is not possible. All of these form part of the wider strategy.
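To make the "baseline of normal behaviour" and "protocol support" requirements concrete, the following is an added example, not code from the original article or from any vendor it refers to. It is a minimal collector-side monitor for Modbus/TCP: it parses the MBAP header of each request, learns which (source, destination, unit id, function code) conversations occur during a known-good learning window, and then flags anything outside that baseline, treating a write from a host that never wrote before as critical and a malformed frame as an alert in its own right rather than something to drop. The hosts, addresses and frames are constructed for the example; `build_request` exists only to generate that sample traffic, and in a real deployment the events would come from a SPAN port or tap feeding a collector outside the SCADA network.

```python
"""Baseline-and-deviation monitor for Modbus/TCP, as sketched above.
Collector-side logic only: it parses the MBAP header of each request,
learns which (source, destination, unit id, function code) conversations
occur during a known-good learning window, and flags everything else.
"""
import struct
from typing import List, NamedTuple, Set, Tuple

# MBAP header: transaction id, protocol id (0 = Modbus), length, unit id.
# 'length' counts the unit id plus the PDU that follows (function code + data).
MBAP = struct.Struct(">HHHB")
WRITE_FUNCTIONS = {5, 6, 15, 16}   # coil and register writes change process state
FUNCTION_NAMES = {
    1: "read_coils", 3: "read_holding_registers", 4: "read_input_registers",
    5: "write_single_coil", 6: "write_single_register",
    15: "write_multiple_coils", 16: "write_multiple_registers",
}
Key = Tuple[str, str, int, int]     # (src, dst, unit id, function code)
Event = Tuple[str, str, bytes]      # (src, dst, raw Modbus/TCP request)


class ModbusRequest(NamedTuple):
    tid: int
    unit: int
    function: int
    pdu: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request; raise ValueError on a malformed frame."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(frame, 0)
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match %d bytes on the wire"
                         % (length, len(frame) - 6))
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def build_request(tid: int, unit: int, function: int, pdu: bytes) -> bytes:
    """Build a well-formed request; used here only to construct sample traffic."""
    return MBAP.pack(tid, 0, 2 + len(pdu), unit) + bytes([function]) + pdu


def conversation(src: str, dst: str, frame: bytes) -> Key:
    req = parse_modbus_tcp(frame)
    return (src, dst, req.unit, req.function)


def build_baseline(events: List[Event]) -> Set[Key]:
    """Learning phase: record every conversation seen in a known-good window."""
    return {conversation(*e) for e in events}


def detect(events: List[Event], baseline: Set[Key]) -> List[dict]:
    """Detection phase. Anything outside the baseline is an alert; a write
    from a host that never wrote to that unit during learning is critical,
    and a frame the parser rejects is reported rather than silently dropped."""
    writers = {(s, d, u) for s, d, u, f in baseline if f in WRITE_FUNCTIONS}
    alerts = []
    for src, dst, frame in events:
        try:
            key = conversation(src, dst, frame)
        except ValueError as exc:
            alerts.append({"src": src, "dst": dst, "severity": "high",
                           "reason": "malformed Modbus/TCP frame: %s" % exc})
            continue
        if key in baseline:
            continue
        _, _, unit, fc = key
        fname = FUNCTION_NAMES.get(fc, "function_%d" % fc)
        new_writer = fc in WRITE_FUNCTIONS and (src, dst, unit) not in writers
        alerts.append({"src": src, "dst": dst, "unit": unit, "function": fname,
                       "severity": "critical" if new_writer else "medium",
                       "reason": "%s from %s to %s unit %d not in baseline"
                                 % (fname, src, dst, unit)})
    return alerts


# Constructed hosts and traffic for the example (not real addresses or captures).
HMI, ENG, PLC, LAPTOP = "10.0.1.10", "10.0.1.50", "10.0.2.20", "10.0.3.77"

# Learning window: the HMI polls registers and coils; the engineering
# workstation occasionally writes one setpoint register.
LEARNING: List[Event] = [
    (HMI, PLC, build_request(1, 1, 3, struct.pack(">HH", 0, 10))),
    (HMI, PLC, build_request(2, 1, 1, struct.pack(">HH", 0, 16))),
    (ENG, PLC, build_request(3, 1, 6, struct.pack(">HH", 40001, 1500))),
]

# Live traffic: a normal poll, then a contractor laptop writing multiple
# registers, the engineering workstation forcing a coil (a function it
# never used before), and a frame whose MBAP length lies about its size.
LIVE: List[Event] = [
    (HMI, PLC, build_request(4, 1, 3, struct.pack(">HH", 0, 10))),
    (LAPTOP, PLC, build_request(5, 1, 16,
                                struct.pack(">HHB", 40001, 2, 4) + struct.pack(">HH", 0, 0))),
    (ENG, PLC, build_request(6, 1, 5, struct.pack(">HH", 7, 0xFF00))),
    (LAPTOP, PLC, bytes.fromhex("0007 0000 0099 01 03")),
]


def run_example() -> List[dict]:
    return detect(LIVE, build_baseline(LEARNING))


if __name__ == "__main__":
    for alert in run_example():
        print(alert["severity"].upper(), alert["reason"])
```

Run stand-alone, the example raises three alerts: a critical one for the contractor laptop's register write, a medium one for the engineering workstation using a write function it never used during learning, and a high one for the malformed frame. The point is not the specific rules but the shape: the baseline is learned from the protocol fields that matter in OT (who talks to which unit with which function), not from byte counts, and the collector keeps its own copy of the record, so a host on the control network cannot quietly rewrite history.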
Dispelling the myths around ICS/SCADA attacks means security partners have a lot on their plates. It is manageable for those with knowledge and experience of defending critical infrastructure and the other sectors that run ICS/SCADA environments. Pretending either that an organisation is not a target or that nothing can be done to prevent attacks is simply not an option, given that robust security solutions are available.
As usual, be mindful of the pitfalls of the recent craze of VC-backed vendors selling “magical” appliance-based IoT/OT solutions that offer little beyond asset discovery and limited vulnerability discovery. You want vendors that can go beyond the basics and have the ability to detect and respond to advanced enterprise as well as IoT/OT attacks before your assets are compromised.