Several years ago Stuxnet made the public aware that nation-state cyber-attacks on critical infrastructure are a reality. It was also one of the earliest examples of an attack on connected industrial devices: the programmable logic controllers (PLCs) driving the process were reprogrammed with malicious code. In December 2015 an attack on the power grid in western Ukraine left about 230,000 people without power, and other SCADA attacks followed across Europe shortly after. In October 2016 the Mirai botnet, built from compromised IoT devices, launched a DDoS attack in the United States against the DNS provider Dyn, leaving several major internet services unreachable, mainly on the east coast. In 2017 there were four major cyber-attacks. Bob Graham, CEO of BlackRidge Technology, kindly agreed to answer a few questions about these attacks and other ICS cybersecurity matters.
Carol Rudinschi: How do you view the relationship between IIoT and cybersecurity after the four major cyber-attacks in 2017?
Bob Graham: In 2016 IoT became the new playground for launching cyber-attacks and IIoT is rapidly heading in the same direction, given the Mirai and WannaCry malware and variants like Reaper that continue to do significant damage across the globe. The cyber environment is rapidly evolving with threats growing and diversifying, operational scale has increased far beyond the feasible scope for manual operations, and threat actor speed has increased. In fact, IIoT may have an even larger attack surface given similar device vulnerabilities as IoT coupled with the same IT systems vulnerabilities exploited in these attacks. CIOs and CISOs should be very concerned with their growing attack surfaces as IT and OT converge.
Carol Rudinschi: How would you rate the current level of cybersecurity awareness among the industry in general?
Bob Graham: Defending our critical infrastructure and control systems is top of mind with government agencies (see the recent US-CERT alert TA17-293A), who are now pushing the major industry players to engage on programs. New media companies like IIoT World are also helping to drive awareness of the problems. But there is still a fundamental lack of focus on making cybersecurity integral to new product designs and deployments on the part of major vendors and customers. This may in part be due to the use of current security playbooks that we know don’t work, and the lack of understanding of how to use new cyber defense technologies that BlackRidge and others are introducing. We are working with the DHS, NIST and national labs like NREL to raise awareness of how new cyber defense technologies like BlackRidge’s can secure legacy critical infrastructure and ICS, and also the new IIoT, from network-based cyber-attacks.
Carol Rudinschi: What are the most common misperceptions about ICS cybersecurity?
Bob Graham: A common misconception is that industrial control systems are not interesting targets, given that they are obscure and hard to find and monetize on the dark web. What possible gain could an attacker have by compromising these systems? However, the cyber environment has evolved beyond the financial motivation of hackers to include complex geopolitical and nation-state agendas.
The threat actors are now deliberately choosing the organizations they target, rather than generally pursuing targets of opportunity. The attacks are multi-stage starting with targeting low security and small networks such as IIoT and OT systems to gain access and then moving laterally to key IT and business systems. There needs to be an immediate shift and investment into protecting the legacy ICS and devices while we are pursuing options to replace these with more modern, secure IIoT devices.
Carol Rudinschi: What are the most exposed industries to cybersecurity attacks and why?
Bob Graham: Advanced persistent threats (APTs) are currently targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors. All industries are exposed, and it is merely a function of availability, opportunity, motivation and time. There is a large amount of legacy and vulnerable equipment in our critical infrastructure that can’t be easily patched or upgraded, or even monitored properly to know if systems have been compromised. FedEx incurred a material loss to the company when the global operations of its TNT unit were disrupted by the Petya attack, which could happen to other large distributors like Amazon with its fully computerized operations.
By connecting the ICS and OT to the Internet and to enterprise networks, our IT and business systems can now potentially be breached. We have seen malware that is released in the wild and then mutated to provide different attacks based on embedded systems and devices that have well-known vulnerabilities. The attackers identify the endpoints by scanning and reconnaissance, and then launch network-based attacks to compromise systems and exfiltrate data or disrupt operations. The root cause of these network-based attacks is the critical security flaw in the TCP/IP protocol that allows network-connected devices to be scanned and attacked.
Carol Rudinschi: What recommendations do you have for industrial organizations regarding cybersecurity?
Bob Graham: The overall awareness of an organization’s security controls and processes is fundamental to its ability to protect its business systems. Our top recommended initiatives from our CISO for protecting your organization can be found in the article “Protecting Your Business from Cyber-Attacks”. Other best practices include ensuring the ICS systems themselves are monitored and checked for any vendor backdoors, and evaluating the ability for devices to be patched or upgraded as vulnerabilities are discovered. Legacy devices that cannot be patched or easily upgraded can still be protected with a network segmentation solution from BlackRidge.
For new ICS and IIoT systems going forward, we recommend having unique and strong identities for all endpoints and controlling all network connections to these devices. The “air-gap” here is provided through the combination of network security and access controls provided by authenticating the identity and applying policies to control egress and ingress traffic to the devices.
Carol Rudinschi: Companies are trying to find best defenses against cyber threats in ICS. Is there an answer for this question?
Bob Graham: Attackers use advanced persistent threats, or APTs, with multiple tactics and techniques to compromise their victims’ networks. Existing security technologies that are in place are necessary, but they are not sufficient – they are not stopping these new APTs. ICS and SCADA systems have known vulnerabilities, new ones are constantly being discovered, and it is often infeasible or even impossible to remediate ICS and SCADA systems. You cannot ever fully trust these systems, so you need to take a new approach and consider new network defense technologies.
By concealing network assets from discovery, BlackRidge renders the network invisible to unauthorized users and devices, reducing the attack surface and increasing the effort and costs required to launch a successful attack. By stopping port scanning and reconnaissance, the adversary is disrupted at the first step of the cyber kill chain, pre-compromise. This also shifts the economic burden from the defense to the offense by increasing adversary risk and cost.
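As an added illustration of the approach described in the last two answers (a unique identity for every endpoint, policy applied to ingress and egress, and probes that go unanswered so that scanning yields nothing), here is a small Python model of an identity-gated gateway. It is not code from the interview, from IIoT World or from BlackRidge, and it makes no claim about how BlackRidge’s product actually works; the identity names, shared keys, HMAC token format, clock window and policy table are assumptions constructed for the demo.

```python
"""Toy model of identity-gated access in front of a legacy ICS device.

Added example, not from the interview or from any vendor. Every packet must
carry an identity token before the gateway will even acknowledge that the
destination exists. Packets without a valid token are dropped silently, so a
port scan learns nothing about which services are present. Packets with a
valid identity are then checked against an ingress/egress policy.
"""
import hmac
import hashlib
import time
from dataclasses import dataclass
from typing import Optional

# Constructed identity store (assumption): identity -> shared key.
# A real deployment would use certificate- or hardware-backed credentials.
IDENTITY_KEYS = {
    b"hmi-01": b"k" * 32,
    b"vendor-laptop": b"v" * 32,
}

# Constructed policy (assumption): (identity, direction, device, port) -> allowed.
POLICY = {
    (b"hmi-01", "ingress", "plc-07", 502): True,        # HMI may poll Modbus/TCP
    (b"vendor-laptop", "ingress", "plc-07", 22): True,  # vendor may use SSH
}

TOKEN_WINDOW = 30  # seconds of clock skew tolerated for a token timestamp


@dataclass
class Packet:
    src: str
    dst_device: str
    dst_port: int
    direction: str = "ingress"
    token: Optional[bytes] = None  # identity token; absent on a plain scan


def make_token(identity: bytes, key: bytes, ts: Optional[int] = None) -> bytes:
    """Build 'identity|timestamp|hmac' where the HMAC covers identity|timestamp."""
    ts = int(ts if ts is not None else time.time())
    msg = identity + b"|" + str(ts).encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()[:32].encode()
    return msg + b"|" + mac


def verify_token(token: bytes, now: Optional[int] = None) -> Optional[bytes]:
    """Return the identity if the token is well-formed, fresh and authentic; else None."""
    try:
        identity, ts_b, mac = token.split(b"|", 2)
        ts = int(ts_b)
    except (ValueError, AttributeError):
        return None
    key = IDENTITY_KEYS.get(identity)
    if key is None:
        return None  # unknown identity: treated exactly like no identity
    now = int(now if now is not None else time.time())
    if abs(now - ts) > TOKEN_WINDOW:
        return None  # stale token: limits replay of captured tokens
    expected = hmac.new(key, identity + b"|" + ts_b, hashlib.sha256).hexdigest()[:32].encode()
    if not hmac.compare_digest(expected, mac):
        return None
    return identity


def gateway(pkt: Packet, now: Optional[int] = None) -> str:
    """Return 'drop' (silent, no response), 'deny' (authenticated, not authorized) or 'allow'."""
    identity = verify_token(pkt.token, now) if pkt.token else None
    if identity is None:
        return "drop"  # no RST, no ICMP: the scanner cannot tell open from closed
    if POLICY.get((identity, pkt.direction, pkt.dst_device, pkt.dst_port)):
        return "allow"
    return "deny"  # an authenticated identity overstepping policy is worth logging


def simulate_scan(device: str, ports, token: Optional[bytes] = None, now: Optional[int] = None) -> int:
    """Count how many probed ports produce any response at all ('allow' or 'deny')."""
    responses = 0
    for port in ports:
        if gateway(Packet("scanner", device, port, token=token), now) != "drop":
            responses += 1
    return responses


if __name__ == "__main__":
    # Constructed scenario: an unauthenticated scan of 1024 ports gets zero responses.
    print("unauthenticated scan responses:", simulate_scan("plc-07", range(1, 1025)))
    tok = make_token(b"hmi-01", IDENTITY_KEYS[b"hmi-01"])
    print("hmi-01 -> plc-07:502 ", gateway(Packet("10.0.0.5", "plc-07", 502, token=tok)))
    print("hmi-01 -> plc-07:22  ", gateway(Packet("10.0.0.5", "plc-07", 22, token=tok)))
```

The point of the model is the `drop` path: the gateway never distinguishes an unknown identity, a forged token or a missing token, so reconnaissance against the device returns the same nothing in every case and the adversary is stopped before compromise, as the interview describes. Two caveats a practitioner would add: the timestamp window only bounds replay, so a real design binds the token to the connection (nonce, sequence or TLS channel) rather than relying on freshness alone; and hiding an unpatched PLC from scanners reduces exposure but does not remove the underlying vulnerability, so it complements, rather than replaces, the patching and monitoring recommended earlier.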