This year was one of the most intense in terms of cybersecurity attacks affecting industrial control systems. For the first time since Stuxnet, a malicious toolset called CrashOverride/Industroyer targeted physical systems. However, the most significant threat to ICS security in 2017 was ransomware attacks. The WannaCry and Petya attacks appear to have changed forever the attitude of industrial enterprises to the problem of protecting essential production systems.
A recent report from Cybersecurity Ventures predicts ransomware damages will cost the world $5 billion in 2017, up from $325 million in 2015, a 15X increase in just two years. Cybersecurity Ventures predicts there will be a ransomware attack on businesses every 14 seconds by the end of 2019. This does NOT include attacks on individuals, which occur even more frequently. According to the same source, global damage costs in connection with ransomware attacks are predicted to reach $11.5 billion annually by 2019.
Cybersecurity Ventures also predicts that cybercrime will cost the world in excess of $6 trillion annually by 2021, up from $3 trillion in 2015. More details about ransomware damage cost predictions for the five-year period (2017 – 2021) will be revealed in a report that Cybersecurity Ventures intends to publish in 2018.
What does 2018 hold for ICS cybersecurity?
Here are seven seismic trends Eddie Habibi sees happening in the world of ICS cybersecurity:
- Disclosing a Critical Infrastructure Cyber Attack Will Be Mandatory: The lack of a mandate to disclose attacks on corporations continues to hinder accurate intelligence gathering, targeted defensive strategies against an evolving threat landscape, and appropriate offensive responses to attacking nations or groups. Following the European Union’s lead, we predict that Congress will begin to hold hearings that include mandating disclosures of cyber attacks within certain critical infrastructure industries.
- Nation-State Cyber Alliances Will Become the New Norm: Increased attacks on critical infrastructure will drive countries to begin discussing cybersecurity alliances. Establishing these alliances will provide mutual defense for all countries involved and it will allow for the sharing of intelligence in the face of attributed nation-state attacks, not to mention agreements to not attack each other. We predict a cyber-physical nonproliferation treaty will begin gaining traction. Treaties will likely forgo any promise of governmental investigation when non-critical infrastructure companies or individuals are the target of cyberattacks.
- Cybersecurity and Process Safety Will No Longer Operate in Silos: Consequences of a cyber-physical attack on an oil and gas facility include loss of control, interruption to production, release of hazardous materials, outbreak of fires and potentially explosions. The process industries have long depended on technologies, such as Emergency Shutdown and Safe Operating Limit systems, to mitigate and minimize the consequences of a catastrophic incident. As these systems take on the dual role of cyber defense, we predict that companies will require tight integration between OT cybersecurity applications and their operational risk and safety management strategies.
- Companies Will Demand Supply Chain Security: Supply chain risk has long been a serious business continuity concern for critical infrastructure. Attackers have seen success leveraging vulnerable suppliers with techniques such as watering hole attacks. NERC CIP is partially addressing this risk in its latest round of regulations, but we predict that companies will begin to place greater demands on their suppliers for security certifications and audit reporting. Cyber supply chain certification requirements will have similarities to process improvement programs, such as Six Sigma, demanding suppliers implement and abide by cybersecurity best practices.
- ICS Will Jump into the Cyber Insurance Game: With nearly 80% of the industrial facility operational technology (OT) cyber assets invisible to security personnel, insurance companies have long faced challenges understanding true risk within a facility and will continue to struggle with writing policies specific to these environments. Industrial companies that can gain visibility into all their cyber assets, as well as monitor and mitigate risk, will have better options for insuring the heart of their operations. Expect to see more comprehensive ICS cybersecurity policies offered.
- The “Kaspersky Effect” Will Spread: The U.S. federal government has already banned use of Kaspersky anti-virus software on government systems. Other countries have shown similar nationalistic tendencies such as China and its recently passed, far-reaching cybersecurity law that requires access to vendor source code. We predict that the U.S. Executive Branch will show similar tendencies and direct government agencies to exercise procurement preference for vendors with development and manufacturing in the U.S. or allied countries. Software companies will form a loose coalition to lobby for global standards for protection of intellectual property considering the burgeoning cybersecurity risks.
- Watch the OT Security Market Thin Out: The number of new entrants into the OT market increased markedly in 2016 and 2017. We predict that startups will struggle to gain significant market adoption from industrial companies concerned with business continuity and safety. Expect network anomaly detection companies with significant market share in enterprise IT to enter the OT market through acquisitions and alliances, ushering in a new phase of consolidation.
- ICS Malware Moves Beyond Windows Exploits to ICS-Specific Malware: Up to now, most malware that has infected ICS has used Windows vulnerabilities or protocols to infect and spread. For example, in 2017, WannaCry, Industroyer and Dragonfly 2 all used the Windows SMB protocol as a key infection and proliferation mechanism.
- Malware attacks using OT device software, for example PLC software, will start to occur, adding to the sea of Windows-dependent attacks.
- The cuffs will come off Internet connectivity for ICS systems as IT technology is increasingly integrated with ICS systems to achieve operational efficiencies. Progressive companies will implement the new technologies and procedures necessary not only to bridge IT and OT, but also to defend their ICS from this source of cyber threats.
- Artificial intelligence becomes more mainstream for ICS systems to provide next-generation security to fight cyber threats. Organizations grappling with ICS cybersecurity staffing and skills shortages are turning to AI solutions to achieve security and productivity goals. AI-powered monitoring tools are now able to discover breaches automatically and provide information on remediation.
- The shortage of ICS cybersecurity skills will open the door for vendors to provide full security services. These services will move beyond risk assessments to become full-service offerings.
- Security-by-Design Will Start to Improve ICS Security: Major companies will increase their demands that security be included in new automation equipment purchases, for example by requiring that RTUs have encrypted software. Cybersecurity certification will also grow rapidly, and major automation vendors will have their products tested for the ISA Secure certification.
- Nation-States Will Conduct More ICS Probing – The lack of response to 2014 threat activity probing U.S. critical infrastructure and European targets, and the 2015 and 2016 Ukraine attacks, empowered repeat activity from multiple nation-states in 2017. Expect more of the same in 2018.
- Ransomware Will Spill Over (Again); Expect Disruption – Although WannaCry and Petya/NotPetya did not specifically target industrial networks, the fact that both campaigns reached critical infrastructure leads us to believe that more spillover will occur, along with major disruption and financial loss, and that threat actors will craft ransomware targeting ICS networks for economic warfare and extortion gains.
- ICS Insecurity Will Manifest Itself – Organizations are nowhere near ready to combat critical infrastructure threats and will realize many (unfortunate) truths: they don’t have a clear understanding of what assets they own; proper ICS cybersecurity hygiene is much harder to achieve than in IT networks; air-gapping is a fallacy; organizations don’t possess the necessary personnel skills; their teams aren’t talking to one another; and they aren’t currently monitoring their networks the way they should.
What are your predictions for ICS security in 2018? If you specialize in industrial cybersecurity, send your thoughts to firstname.lastname@example.org and we will share them with our audience as a way to increase awareness about industrial cybersecurity.