SecurityWeek’s Cyber Insights 2023 is a series of in-depth feature articles that examine major pain points in cybersecurity risk and remediation. SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the major security issues of today – and how these issues might evolve. We believe this provides the single most extensive contemporary collection of cybersecurity problems and solutions for now, for 2023, and for the years that follow. (The full index of topics is available here) |
SecurityWeek Cyber Insights 2023 | ICS and Operational Technology – Recognition of the cyber threat to industrial control systems (ICS) and operational technology (OT) systems has grown over the last decade. Until recently, this has been largely a theoretical threat founded on the danger of what could happen rather than what is happening. This is changing, and the threat to ICS/OT is now real and ongoing. The bigger danger is that this is likely to increase in 2023 and onward.
There are several reasons, including geopolitical fallout and escalation of tensions from the Russia/Ukraine war, and a growing willingness of criminals to target the ICS of critical industries. At the same time, ICS/OT is facing an expanding attack surface caused by continuing business digitization, an explosion of IoT and IIoT devices, the coming together of IT and OT networks, and the use of potentially insecure open source software libraries to bind it all together.
Background to the ICS/OT Threatscape
The IT/OT overlap
One of the biggest threats to OT comes from its convergence with IT. When the networks were separate, OT could be isolated from the internet and kept relatively secure. This is no longer reality.
“As IT and OT systems continue to converge,” comments Simon Chassar, CRO at Claroty, “nation-state actors and cybercriminal groups such as Berserk Bear, Conti, Lazarus and Mythic Leopard, will shift their focus from IT to OT and cyber-physical systems; from stealing sensitive data to disrupting mission-critical operations.”
For all its benefits, IT/OT convergence without proper security means threat actors can take down operations by exploiting an IT access point or a cloud vector. “This yields maximum financial or political gain for the attacker,” continued Chassar, “because businesses have more incentive to pay a ransom when their means of production are at stake, which can have a long-term impact on revenue and the supply chain.”
Ramsey Hajj, Deloitte’s US and global cyber OT leader, expands on this theme. “Cyber attackers are increasingly weaponizing OT environments to attack hardware and software that control industrial processes and secure OT networks. Skilled workforce shortages and overlapping IT and OT environments can make cyber incident containment difficult.”
Supply chain attacks cannot be ignored, either on the IT side or directly against OT. “Supply chain attacks continue to evolve for both ICS hardware and software,” comments Pascal Ackerman, senior security consultant for operational technology at GuidePoint Security. “Think implants for controls and automation equipment, attack chains that involve suppliers and service providers to ICS owners as an initial foothold or pivot point, and compromises on controls and automation vendors’ file repositories with the purpose of adding implants in the provided software.”
Geopolitics and the Russia/Ukraine war
“One of the biggest concerns around the potential for large-scale attacks in the wake of the war in Ukraine is around ICS/OT,” says Christopher Budd, senior manager of threat research at Sophos. “While we haven’t yet seen attacks on a scale as feared, there have been documented attacks like this in Ukraine as part of the ongoing hostilities.”
He suspects this will focus both government and industry on strengthening the security of ICS/OT systems, even if it’s done quietly. This may already be evident in the new Cross-Sector Cybersecurity Performance Goals (CPGs) issued by CISA in late October 2022. Claroty describes them as, “a foundational set of IT and OT practices and recommendations that can help smaller, lesser-resourced organizations better prioritize cybersecurity efforts and reduce risk.”
Claroty highlights four OT recommendations in the CPGs. There should be a single leader responsible for OT asset cybersecurity; there should be specialized OT-focused cybersecurity training for OT engineers; there should be compensating controls such as network segmentation and access controls used as mitigations until software patches and firmware updates can be applied; and there should be unique credentials for assets, use of MFA, and the removal of default passwords.
We can expect that government agencies will, and private industry should, work on conforming to CISA’s CPGs during and from 2023.
Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks, expects further assistance from CISA in 2023. “2023 will usher in the fruits of new CISA programs further building mechanisms for enhanced trust and verification – CyberSentry and RedEye for example – which will broaden the aperture for understanding OT and ICS incidents.”
One less-obvious effect of global geopolitical tensions will be a deterioration in international law enforcement cooperation. “Besides the growth of hacktivist activity ‘working’ to internal and external political agendas,” suggests Kaspersky, “we might also see more ransomware attacks on critical infrastructure due to the fact that it will become harder to prosecute such attacks.”
Chassar is more direct. “There is going to be an increase in the number of threats from nation-state actors, as well as groups that are associated with nation-states in 2023,” he says. “Their activity targeting the critical infrastructure industry, from manufacturing to water and energy, will continue to grow, fueled by ongoing global geopolitical conflicts such as the Russia/Ukraine war, as well as the current economic climate.”
The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while cybercriminals have had their restraints reduced.
Specifically…
IoT/IIoT
“There are now more known vulnerabilities impacting IoT devices than IT devices,” says Bud Broomhead, CEO at Viakoo, “and IoT devices are often the easiest for cybercriminals to access.” IoT and IIoT is a massive and expanding part of the ICS/OT attack surface, providing an entry point, and enabling lateral movement.
“Breached IoT devices are having devastating impacts,” he continued, “such as ransomware, data loss, changing the chemical balance in a municipal water supply, replacing real camera footage with deepfakes, or disrupting transportation systems.”
The scale (sometimes up to 20x more than IT devices) and the physical location (widely distributed rather than focused within data centers), together with the growing use of vulnerable open source software libraries, make vulnerability remediation difficult.
Broomhead believes the shift to open source software presents the most immediate threat. “The dangers open source vulnerabilities present is that they require multiple vendors to provide patches, they are often found in OT and IoT devices that are hard to remediate, and they can be exploited many years after they were discovered.”
Wendy Frank, Deloitte’s US cyber IoT leader, believes part of the threat comes from a lack of adequate security governance covering the implementation of IoT, IIoT, OT and ICS devices. As their number grows, so the expanded attack surface creates more security, data, and privacy risks.
“Leading organizations,” she says, “will focus in the year ahead on connected-device cyber practices by establishing or updating related policies and procedures, updating inventories of their IoT-connected devices, monitoring and patching devices, honing both device procurement and disposal practices with security in mind, correlating IoT and IT networks, and monitoring connected devices more closely to further secure those endpoints, manage vulnerabilities, and respond to incidents.”
Ransomware and other malware
“Ransomware remains the most likely threat to cause disruption in industrial infrastructure environments in 2023,” states Thomas Winston, director of intelligence content at Dragos. “Based on our visibility of ransomware events, manufacturing organizations remain the most frequent target with 70% of observed ransomware events, year-to-date [ie, 2022], continuing to target primarily manufacturing.”
Ackerman sees ransomware beginning to target OT specifically. He expects to see: “Ransomware targeting the industrial environment – in contrast to ransomware on the IT side accidentally compromising the OT space – with attacks on virtualization stacks (VMware), data repositories (Historian), controls equipment like PLCs, and controls project repositories (file shares).”
Partly, this will be exacerbated by native code execution on PLCs, with the attacker adding arbitrary code to the PLC’s OS, and paving the way for ransomware and rootkits running on the PLC.
Winston is particularly concerned for those organizations without adequate segmentation between IT and OT, but notes that “Ransomware rarely uses novel methods – making the application of key elements of a defensible ICS/OT architecture particularly effective.”
He recommends the five critical controls outlined by SANS in October 2022: implementation of an ICS-specific incident response plan; development of a defensible architecture [perhaps in conjunction with an attack surface management plan]; ICS network visibility and monitoring; secure remote access; and a risk-based vulnerability management program.
Beyond ransomware, Winston is concerned about the evolution of Pipedream (also known as Incontroller). “Pipedream is an existential threat to the ICS community. This toolset is likely being actively developed and financed,” he said.
“It is already capable of disruption across industries, including CrashOverride-style disruption, pipeline disruption, and servo manipulation. We’ve confirmed that Pipedream, with little development effort, can target devices speaking the ubiquitous CODESYSv3 and OPC UA protocols. It can manipulate servos in the 1S-Series of Omron Servo drives.” While it cannot target Omron Safety Controllers, he believes this is undoubtedly the next step in its development.
Hijacking remote access sessions
Ian Pratt, global head of security for personal systems at HP Inc, sees an increase in session hijacking in 2023. “Increased use of features like Windows Defender Credential Guard are forcing attackers to pivot – either capturing users’ passwords to enable lateral movement, or hi-jacking the remote session itself to access sensitive data and systems. The latter is particularly powerful.”
By targeting users with elevated rights, the attacks are more potent, harder to detect, and more difficult to remove. “The user is typically unaware that anything has happened. It takes just milliseconds to inject key sequences and issue commands that create a backdoor for persistent access. And it works even if privileged access management (PAM) systems are being used to employ MFA, such as smart cards.”
Session hijacking does not involve exploiting a fixable vulnerability – it is about abusing the legitimate functionality of remote session protocols, such as RDP, ICA and SSH. “If such an attack connects to OT and ICS running factories and industrial plants, there could also be a physical impact on operational availability and safety – potentially cutting off access to energy or water for entire areas.”
APTs targeting CNI through OT
“Attacks targeting critical national infrastructure tend to be the work of APT groups working on behalf of nation states with specific goals,” comments Joseph Carson, chief security scientist and advisory CISO at Delinea. Those goals are governed by the current state of geopolitics, and the global tension caused by the Russia/Ukraine conflict means the stakes are high.
“These high-level adversaries are hard to defend against as they have the time and resources required to repeatedly test security measures and find gaps, whereas more opportunist criminals in search of profits will select soft targets,” he continued.
Although OT and IT networks are converging, there remains a fundamental design difference between the two. “OT systems have often been designed with a lifespan of decades in mind, and are a poor fit with the fast-moving world of modern IT networks. Gaining centralized visibility and management of such a complex environment can be extremely challenging,” he added.
This results in gaps between the two networks that APT actors can find, infiltrating the IT network and moving across to the OT network. “These issues elevate the potential threat of a nation state actor infiltrating the system and causing serious disruption,” he continued.
According to Kaspersky’s experts, there will likely be a shift in APT activity against industrial organizations in new industries and locations. “Real economy sectors such as agriculture, logistics and transport, the alternative energy sector, and the energy sector as a whole, high-tech, pharmaceuticals and medical equipment producers are likely to see more attacks next year,” they say. “Moreover, traditional targets such as the military industrial complex and the government sector will also remain a focus.”
Kaspersky also warns that there will likely be an increased level of cooperation between criminals and APTs. “Other risks to watch out for are the heightened criminal activity with a goal to harvest user credentials as well as more volunteer ideological and politically motivated insiders working with criminal groups, usually extortionists and APTs,” it says. “These insiders may be active in production facilities as well as technology developers, product vendors and service providers.”
Human costs
Attacks on the OT of critical industries have real world implications, which may worsen in 2023. “Whether it’s contaminated water supplies or minimal access to fuel, we’ve seen the costs these cyberattacks have firsthand,” comments Edward Liebig, global director of cyber-ecosystem at Hexagon Asset Lifecycle Intelligence. “While hackers’ activities will likely still be money-driven, we can expect to see human cost become more of a play in the following year.”
He is concerned that IT and OT security convergence is still not effective. “Attacks that have been close calls in the past (such as the poisoning of the water supply from a Florida plant in 2021) will eventually have human costs.”
Catastrophic attack on the energy grid
Liebig is also concerned about attacks on the energy grid. “As Ukraine stands its ground in its conflict with Russia, we’re likely to not only see more attacks on Ukrainian energy infrastructure, but the US’s infrastructure as well,” he warns. “At the beginning of 2022, Homeland Security warned that domestic extremists had been developing plans to attack the US electric power infrastructure for years.”
As a result, he continued, “The combination of aforementioned factors makes the US’s power grid more vulnerable to cyberattacks than it has been in a long time.”
The way forward
Sam Curry, CSO at Cybereason, believes there needs to be a fundamental change of approach from the ICS/OT system providers. “Many of the security basics are simply not present, such as leveraging roots of trust and trusted execution environment, strong cryptographic options, hardening, secure update and shipping with strong identity options and no default access, to name a few,” he says. “Most devices don’t ship with hardening options or advice, have poor documentation and no understanding of ultimate use cases.”
This results in customers setting up devices, but rarely coming back to manage the ongoing device lifecycle, let alone maintaining security aggressively as they should. “There are missed business opportunities for security services and secure management services as a service that are being left behind. Done correctly, there’s not only lower risk for business, but there’s money to be made and real value to provide.”
He adds, “2023 needs to be the year to reset ICS and OT standards for security.”
Ronnie Fabela, CTO and co-founder at SynSaber, also sees scope for improvement in standards. “From the practitioner side of ICS cybersecurity, 2023 will continue to see an overwhelming message of guidance, regulation, media, and FUD about topics such as ransomware, threat actors, and nation-states,” he says.
“My prediction for 2023 is that while this will continue, the industry’s response will be loud and focused: ‘Enough guidance and FUD. Help us execute.’” His position is that industrial operators and asset owners know their systems better than anyone. Now they are on board with cyber, empowering the operating community is the only true way to move the needle.
“A shift from ‘We know better’ to ‘You know better’ will be tough for a cybersecurity industry that is used to being the hero,” he adds. “The faster all of us can change this mindset; the more successful 2023 will be for defending critical infrastructure.” There will consequently be continued movement from guidance to regulation.
But Jablanski offers a word of warning, more to do with party politics than geopolitics: “New direction and bolstered industry involvement will produce greater situational awareness, trust, and resolve across the critical infrastructure security community. As a warning, policymakers should avoid a partisan future for reducing cybersecurity risks to critical infrastructure.”
SecurityWeek’s Cyber Insights 2023 is a series of in-depth feature articles that examine major pain points in cybersecurity risk and remediation. SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the major security issues of today – and how these issues might evolve. We believe this provides the single most extensive contemporary collection of cybersecurity problems and solutions for now, for 2023, and for the years that follow. (The full index of topics is available here) |
Related: Omron PLC Vulnerability Exploited by Sophisticated ICS Malware
Related: ICS Vendors Respond to Log4j Vulnerabilities
Related: U.S. Warns ICS/SCADA Malware Can Damage Critical Infrastructure
Related: Energy Provider in Ukraine Targeted With Industroyer2 ICS Malware