When a cyber attack allegedly compromised nuclear centrifuges in Natanz more than a decade ago, cyber threats against industrial control systems (ICS) were still an underground phenomenon. Far from the work of script kiddies, this attack was sophisticated and involved the resources and intelligence of one or more nation-state actors.
However, over the past decade, cyberattacks against ICS have rapidly increased in scope and diversity. Notably, recent research shows that malicious activity targeted a third of ICS in the first half of 2021. This increase raises two questions: What does this mean for companies and society, and why is this happening?
What does this mean for companies and society?
The effects of this trend are alarming. At stake are potential financial losses and stolen data, as well as disruption to society and threats to human safety. In fact, the Colonial Pipeline attack was only a glimpse of the significant economic and social disruption that these attacks can cause. The breach was particularly worrying because the operational technology (OT) did not even appear to be the target of the attack. The company chose to manually shut down its OT environment because it could not determine whether OT had been compromised after the IT infection.
Why is this happening?
Several factors explain why we are seeing an increase in these threats. For one thing, these attacks are no longer the sole domain of nation states with geopolitical motives. Cyber criminals are now launching these attacks with the intent of making a profit, as they did for the first time with the EKANS ransomware attack.
Primarily, though, ICS attacks are increasing due to the convergence of OT and IT, which exposes industrial environments running decades-old technologies to the Internet. This is evidenced by the fact that Internet-based threats were the most prevalent among compromised ICS devices in 2021, far exceeding the number of attacks arriving via removable media and email.
The “air gap” between OT and IT is increasingly a thing of the past. Trying to preserve it discourages companies from adopting connected technologies such as IIoT and remote access functions, which significantly increase the efficiency and safety of industrial processes. So while IT-OT convergence enlarges the threat surface, it also enables organizations to maintain a competitive advantage or simply stay in the game.
Even where there is no explicit convergence, the interdependence between OT and IT systems is sufficient to motivate a company to manually shut down OT in the event of an IT compromise. OT systems are often safety-critical; unless the company can prove that OT is unaffected, there are good reasons to shut it down to reduce further risk.
Even when an organization believes it can demonstrate that its OT is not affected, unseen points of IT-OT convergence are quite common. For example, in an anonymized study, Darktrace discovered over 6,500 suspected instances of ICS protocol use across 1,000 corporate environments. Unknown convergence points like these mean an IT attack can spill over into OT regardless of what the organization can demonstrate.
Will it go on like this?
More and more cyber attacks will either slip into OT from IT or go straight for the jugular and target OT directly. Recent research found that ICS vulnerabilities increased 41% in the six months leading up to August. Of these, 61% were remotely exploitable and 66% required no user interaction for exploitation. In addition, almost three quarters of the vulnerabilities (74%) did not require special privileges.
Worrying as this is, mapping and patching these vulnerabilities is ultimately a tedious process. Many advisories for ICS devices do not provide practical mitigation recommendations, and more than a fifth of reported Common Vulnerabilities and Exposures (CVEs) come without a patch, making most vulnerability management workflows a process of diminishing returns.
Furthermore, the research cited above covers only known vulnerabilities, not unknown ones. Yet a third of ICS flaws are designated as zero-days when disclosed. An effective cyber defense in industrial environments cannot simply keep track of what is known; it has to deal with unknown-unknown attacks as they appear in an organization’s cyber ecosystem.
How should organizations react?
Industrial security (OT) is inextricably linked with enterprise security (IT). Protecting OT as an isolated function is obsolete today. A robust approach to industrial security must therefore defend “IT in OT” as well as the rest of the corporate network, through to email and cloud systems. And this protection has to be seamless: since attacks can spread quickly, there is no time for an OT security tool to wait on and process alerts from an IT security tool.
Fortunately, self-learning artificial intelligence (AI) understands the entire cyber ecosystem, from laptops and servers in the corporate network to HMIs and PLCs in industrial environments. This visibility enables the AI to stop attacks in IT before they can spread to OT. For example, a utility company in North America thwarted a signatureless, dual-threat ransomware attack with self-learning AI, preventing operational processes from being shut down.
In another case, the self-learning AI discovered newly installed PLCs on an automated assembly line that were slowly probing for IT convergence points and trying to access file servers. These OT devices had been infected with malicious code during their build process. By detecting this abnormal behavior, the self-learning AI prevented the threat from spilling over into IT and helped the company avoid a shutdown.
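The two patterns described above (ICS protocol traffic appearing in corporate IT segments, and OT devices reaching into IT file servers) can be surfaced from ordinary flow logs. The following is an added example, not Darktrace's product or method; the IT/OT subnets, the port table and the flow records are constructed for illustration.

```python
import ipaddress

# Constructed zone map and ICS port table (assumptions for this example).
IT_ZONES = [ipaddress.ip_network("10.10.0.0/16")]
OT_ZONES = [ipaddress.ip_network("192.168.50.0/24")]
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 20000: "DNP3", 44818: "EtherNet/IP"}
IT_SERVICE_PORTS = {445: "SMB", 139: "NetBIOS"}

# Constructed flow records, one per line: "src dst dport proto" (not real traffic).
SAMPLE_FLOWS = """\
10.10.4.21 10.10.4.9 502 tcp
192.168.50.12 192.168.50.2 502 tcp
192.168.50.30 10.10.8.5 445 tcp
10.10.7.3 192.168.50.2 102 tcp
10.10.4.21 10.10.9.1 443 tcp
"""

def zone(ip):
    """Map an address to the IT or OT zone it belongs to."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in IT_ZONES):
        return "IT"
    if any(addr in net for net in OT_ZONES):
        return "OT"
    return "unknown"

def classify(flow):
    """Return a finding label for one flow, or None if it looks expected."""
    src, dst, port, _proto = flow.split()
    port = int(port)
    src_zone, dst_zone = zone(src), zone(dst)
    if port in ICS_PORTS and "IT" in (src_zone, dst_zone):
        # An ICS protocol touching an IT host: an unseen convergence point.
        return f"ics-protocol-crossing-it:{ICS_PORTS[port]}"
    if src_zone == "OT" and dst_zone == "IT" and port in IT_SERVICE_PORTS:
        # An OT device reaching into IT file services, as the PLCs above did.
        return f"ot-to-it-fileshare:{IT_SERVICE_PORTS[port]}"
    return None

def find_convergence(flow_text):
    """Scan flow lines and return (src, dst, label) for each suspicious flow."""
    findings = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        label = classify(line)
        if label:
            src, dst = line.split()[:2]
            findings.append((src, dst, label))
    return findings

if __name__ == "__main__":
    for src, dst, label in find_convergence(SAMPLE_FLOWS):
        print(f"{label:36} {src} -> {dst}")
```

OT-to-OT Modbus and ordinary IT HTTPS traffic produce no finding; only flows that cross the IT/OT boundary in one of the two ways the text describes are reported.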
We need to bridge the gap between IT and OT security by using technology to address both and improve communication and collaboration between teams. But we also need to keep pace with the rising tide of threats – a race that no one can win alone. Fortunately, self-learning AI technology can act on our behalf and expand our capabilities by keeping the lights on and the wheels running in our complex world.