It has been an incredibly busy three months in the world of Industrial Control Systems/Critical Infrastructure cybersecurity. A drop in the bucket for what we've become used to in the world of IT security - but incredibly noisy for this space – and an alarming precursor for what will come.
Yes, we chose “will” come specifically because we don’t believe there is room for doubt any longer.
Before the chattering class erupts with a chorus of “FUD! FUD MONGERS!”
We agree, pure FUD is not helpful and can unnecessarily scare citizens, policymakers, and executives alike – and we all know that sound decisions are not often made from a position of fear. We also agree, the cybersecurity community has a long history of shoveling heaps of FUD. However, the recent chorus of FUD counter-spin in the industrial control system cybersecurity space can be just as damaging.
As an industry, we should be a calm force in the storm. But telling everyone to ignore the dark clouds on the horizon, basically to ignore the storm, is simply irresponsible, unproductive and will not help galvanize support for action. And what we need now is action to better protect these networks.
After last week’s news that threat actors were (again) targeting US Energy companies the chattering class was quite vocal and publicly derided journalists for “hyping” the story. Yes, the intrusions were confined to the business networks, not the control system networks. Yes, the use of Wolf Creek Nuclear in headlines may have somewhat over-hyped the story. No, the lights weren't turned out, like Ukraine, because of these cyber-attacks. But that does not diminish the fact that we are witnessing a rapidly evolving threat situation.
Yes, there are dark storm clouds and it is already raining in some places.
Counter-spin like this is not helpful.
“It’s not trivial to move from the business networks to the industrial networks, and our grid has a lot of safeguards...”
Need we remind that the VPN credentials used in the 2015 Ukraine Grid Attack were pinched FROM THE BUSINESS NETWORK?
It is, in fact, sometimes very easy to move from the business network to the control network. Yes, there are safeguards in place between IT/OT networks – from firewalls to one-way diode technologies – that can make lateral network movement from the business network to the control network difficult. There are also safety systems providing an additional layer of protection and raise the bar for attackers trying to cause harm to people or industrial assets.
But many of the counter-spin statements, maybe inadvertently, seriously underplayed the risk to energy systems specifically, and the very large set of industrial networks that run our world.
What has happened in the past three months that should give cause for alarm?
In the past 3 months, we’ve arguably seen more (at least from a disclosure perspective) threat activity against critical infrastructure/industrial control networks than we’ve seen in the past few years. Signaling a trend – the attackers are coming, they’re coming from multiple angles and with multiple motives.
We’ve been warning about the changing threat landscape in critical infrastructure/ICS for some time now – and we believe that the following warning from a previous blog post we penned is accurate and should be heeded based on what we’ve seen in the past few months:
“Nation-states do not fear reprisal and are likely to use ICS attacks as a component of geo-political conflict. Alarmingly, offensive cyber tools are becoming commonplace, lowering the bar for rogue nations, jihadists and hacktivists to get into the ICS attack game. And, cyber-criminals are figuring out that ICS networks are critical and therefore valuable, meaning it is only a matter of time until we see major ransomware trends in ICS. “
Why be alarmed if we haven't seen major disruption?
We shouldn’t overstate the problem with hyperbole – no, the probing against business networks disclosed in July haven’t caused disruption, and no – they haven’t jeopardized safety at nuclear power plants. In order to be responsible information security professionals, however, we must endcap those statements with the word “Yet.” Because while the segmentation between business networks and ICS networks in nuclear power plants might be fairly sophisticated, in most industrial networks, including many Utilities that are part of the US Grid, they are not.
Just as we cannot overstate the impact of the activity over the past few months causing fear, uncertainty and doubt, we cannot understate them either.
Our constituents SHOULD be VERY concerned with the fact that an adversary which already conducted probing activity against energy in 2014 and perpetrated two disruptive attacks against Ukraine in 2015 and 2016 is back at it again.
Our constituents SHOULD be VERY concerned that these adversaries seemingly already had one nuclear energy company’s network mapped, that they were using stolen credentials in an effort to further map the network/gain access to a large number of Windows machines (This is lateral movement, folks).
Our constituents SHOULD NOT believe that their business and ICS networks are so well segmented that a determined adversary cannot make the jump – c’mon man, what are you talking about? Just look at the ransomware spillover and it is clear as day how poorly segmented these networks actually are.
As we say, airgaps and unicorns have one thing in common – they do not exist. A motivated adversary with the right skills and tools will ALWAYS find a way into a network.
And we should definitely NOT besmirch the motives of others in the security space who are seeking to sound an alarm – which if not heeded could result in disastrous outcomes.
The lack of nightmarish outcomes from the past few months of threat activity in critical infrastructure/ICS does not and must not diminish the need for a world-wide wake-up call. We believe that the challenge in cyber security over the next decade is to stop the threats to industrial control systems networks that is not only growing, but is manifesting itself today.
The article was written by Galina Antova, the co-founder and chief business development officer at Claroty. Prior to co-founding the company, she was the global head of industrial security services at Siemens, overseeing the development of its portfolio of services that protect industrial customers against cyberattacks. Read the original version of the article here.