2017 – the “silence before the storm” when it comes to ICS breaches
Cyberespionage is now the most common type of attack seen in manufacturing, the public sector and now education, warns the Verizon 2017 Data Breach Investigations Report, which was published a week ago. Much of this is due to the high proliferation of propriety research, prototypes, and confidential personal data, which are hot-ticket items for cybercriminals. Nearly 2,000 breaches were analyzed in this year’s report and more than 300 were espionage-related. This year’s report provides tailored insights for key business sectors, revealing specific challenges faced by different verticals. It seems that companies in the manufacturing industry are the most common targets for email-based malware, but what about ICS security?
We asked three experts in cybersecurity to comment on the manufacturing industry and ICS security covered in the report.
Here are their answers:
“The Verizon report provides an informative breakdown of breaches by numerous industries and by incident type. It illustrates in year-over-year graphs that currently used mainstream cybersecurity approaches are merely keeping defenders on par – if at all – with attackers in the perpetual cyber arms race. Our industry will need to adopt real game-changers if we want to get ahead of attackers. Interestingly, (industrial) IoT is only mentioned very peripherally in the contest of the Mirai botnet DDoS attacks.
I consider 2017 the “silence before the storm” when it comes to IIoT breaches (incl. ICS) – with the rapid explosion of IIoT adoption in many (critical) industries, I would expect a good part of the reported breaches in coming years around IIoT. Right now many IIoT ICSs are not protected well, and organizational policies are not technically implemented for interconnected IIoT landscapes, resulting in significant risks. The tools are available, but budgets are usually still focused elsewhere “, said Dr. Ulrich Lang, CEO and Co-Founder, ObjectSecurity, a security policy automation company.
“The Verizon report is as interesting for the unexamined risks as it is for the examined ones. If you look at the cyber assets on which the report gathered security data (page 10), there is not a single industrial control system (ICS) category listed. Why is this important? Because ICS are the systems that have direct responsibility for running volatile chemical and oil refining processes, producing electricity and clean water, and delivering many other products and services upon which we rely in our daily lives. They are also the systems that prevent industrial accidents, which can have severe environmental, safety, or financial consequences for a company. So, if we are examining risk in critical infrastructure industries, such as manufacturing and utilities, then why are we missing data on the systems that matter most?
Yes, cyber espionage and ransomware are bad; they can cause serious financial loss, and we must defend against these kinds of attacks. The problem is that corporate budgets and resources are finite, which means we need to look at risk comprehensively if we are to make good allocation decisions. Unfortunately, reports that only focus on information technology (IT) systems and don’t include ICS perpetuate an environment of risk that outsider and insider threats will eventually exploit. Since we are talking about critical infrastructure, how much longer can we continue down this path? Not much longer is the only answer. Cyber attacks are the weapons of choice for nation-states, hackers, and criminal gangs. We cannot let them launch a WMD where consequence is so high.” Eddie Habibi, CEO of PAS
“I’m not surprised to see manufacturing leading the pack of targeted industries, primarily with the use of ransomware, according to the findings of the 10th edition of the 2017 Breach Data Investigations Report. The criminal mind has discovered another source of income over the years with ransomware, but unfortunately, the security industry hasn’t done enough to prevent it. Especially when the numbers point to the overwhelming majority of attackers coming from the outside, security pundits must take a different approach from the traditional use of firewalls and intrusion detection solutions.
As opposed to financial industries and others where the protection focus is on data, manufacturing and other industrial facilities must protect their physical assets that if attacked, can lead to massive business disruption, loss of human lives and environmental damage. The only pragmatic way to prevent cyber attacks originating from external networks from entering industrial control networks is by the use of unidirectional gateway technology that provides physical protection. Control networks in manufacturing and similar industries require remote attack prevention, not just detection,” said Lior Frenkel, CEO and Co-Founder, Waterfall Security.