When a cyber-attack reportedly compromised nuclear centrifuges at Natanz over a decade ago, cyber-threats against industrial control systems (ICS) were still an underground phenomenon. A far cry from the hacking script kiddies do, this attack was highly sophisticated and involved the resources and intelligence of a nation-state actor(s).
Over the past decade, however, cyber-attacks against ICS have rapidly increased in volume and variety. Strikingly, recent research reveals that malicious activity targeted one-third of industrial control systems (ICS) in the first half of 2021. This rise poses the following questions: What does this mean for businesses and society, and why is this happening?
What Does This Mean for Businesses and Society?
The impact of this trend is alarming. The stakes include potential financial losses and stolen data and disruptions to society and threats to human safety. Indeed, the Colonial Pipeline breach was only a glimpse into the significant economic and social disruption these attacks have the power to cause. The breach was especially concerning because the operational technology (OT) was seemingly not even the target of the attack. The organization chose to shut down its OT environment manually as it could not determine if OT was compromised after IT was infected.
Why Is This Happening?
Multiple factors account for why we see an increase in these threats. For one, these attacks are no longer the sole domain of nation-states with geopolitical motives. Cyber-criminals now also launch these attacks seeking profit, as first observed with the EKANS ransomware attack.
First and foremost, ICS attacks are on the rise due to the convergence of OT and IT, which exposes industrial environments with decades-old technologies to the internet. This is evidenced by the fact that internet-based threats were the most prevalent among the compromised ICS devices in 2021, far outnumbering removable media and email attacks.
The ‘air gap’ between OT and IT is increasingly a thing of the past. However, attempting to preserve it holds organizations back from adopting connected technologies like IIoT and remote access capabilities that substantially increase industrial process efficiency and safety. Thus, though IT-OT convergence increases the surface of the threat, it also enables organizations to maintain a competitive advantage or just stay in the game.
Even when there is no explicit convergence, interdependence between OT and IT systems is enough to motivate an organization to manually shut down OT in the instance of an IT compromise. OT systems are often safety-critical, and unless the business can prove that OT is not affected, there is a solid rationale for shutting down to mitigate further risk.
"... ICS attacks are on the rise due to the convergence of OT and IT, which exposes industrial environments with decades-old technologies to the internet"
Moreover, even if an organization can prove that its OT is not affected, unseen points of IT-OT convergence are quite common. For example, in an anonymized study, Darktrace detected over 6,500 suspected instances of ICS protocol use across 1,000 enterprise environments. Thus, even if the organization can prove that OT was not affected, unknown points of IT-OT convergence threaten to allow the IT attack to ‘spill over’ into OT.
Will This Continue?
More and more cyber-attacks will either slip into OT from IT or go straight for the jugular and directly target OT. Recent research found that ICS vulnerabilities have increased 41% in the six months leading up until August. Of these, 61% were remotely exploitable, and 66% did not require any user interaction for exploitation. Moreover, almost three-quarters of vulnerabilities (74%) did not require specific privileges.
Though this is concerning, attempting to map and patch these vulnerabilities is ultimately a vexed process. Many advisories for ICS devices have no practical mitigation advice, and over one-fifth of reported common vulnerabilities and exposures (CVEs) do not include a patch, making most vulnerability management workflows a process of diminishing returns.
Further, the research cited above only includes known vulnerabilities, not unknown vulnerabilities. Yet, one-third of ICS flaws are designated as zero-days when disclosed. Therefore, effective cyber defense of industrial environments cannot simply keep track of the knowns but needs to deal with attacks that exploit the unknown-unknowns as they emerge in an organization’s cyber-ecosystem.
How Should Organizations Respond?
Industrial security (OT) is becoming inextricably linked with enterprise security (IT). Taking a siloed approach to protecting OT in an isolated capacity is now obsolete. A robust approach to industrial security thus needs to defend the ‘IT in OT’ and the rest of the enterprise network, stretching all the way to email and cloud systems. And this protection needs to be seamless. With the ability for attacks to spread rapidly, there is no time for an OT security tool to digest alerts from an IT security tool.
Fortunately, self-learning artificial intelligence (AI) technology understands the entire cyber-ecosystem, from laptops and servers on the corporate network to HMIs and PLCs in industrial environments. This visibility enables the AI to stop attacks in IT before they can spread to OT. For example, an energy supplier in North America thwarted a signatureless, double-threat ransomware attack with self-learning AI, preventing operational processes from shutting down.
In another instance, self-learning AI detected newly installed PLCs on an automated assembly line, slowly probing for IT convergence and trying to access file servers. These OT devices were infected with malicious code during their build process. Because self-learning AI detected this abnormal behavior, it prevented the threat from spilling over to IT and helped the organization avoid shut down.
We need to bridge the gap between IT and OT security by deploying technologies to tackle both and by increasing communication and collaboration between teams. But, we also need to keep up with the rising tide of threats — a race no human can win alone. Fortunately, self-learning AI technology can act on our behalf and augment our capabilities, keeping the lights on and the wheels turning in our complex world.