The number of attempted digital attacks on industrial environments is increasing. In February 2020, IBM X-Force reported that between 2018 and 2010, the number of attempts by threat actors to target Industrial Control Systems (ICS) and Operational Technology (OT) increased by 2000 percent. This peak overshadowed the total number of attacks on the industrial environment over the last three years combined.
This increase in the number of attacks is at least partly due to the gradual convergence of OT with Information Technology (IT). In the past, IT and OT were separate worlds. IT staff mainly helped maintain PCs, servers and other technical equipment that came into contact with or processed business-related information in any way. OT staff, on the other hand, mainly managed the controllers and segmented the industrial network. There was some cooperation, but it was limited to certain objectives, such as the submission of work orders and invoicing.
These worlds came together when many organizations began their digital transformations. During this transformation process, organizations became convinced that they could optimize the performance of their human resource management assets by connecting them to the Internet and IT systems. This convergence has introduced many network and computing devices into industrial environments that were previously inaccessible via the Internet, increasing the vulnerability of computing systems in OT environments.
Malicious actors wasted no time adapting their attacks. In fact, TRITON (also known as TRISIS), WannaCry and other malware have made headlines for successful attacks on the industrial environments of organizations. Each of these groups of attackers has designed its malicious activities according to its motives. Some infiltrators engage in clandestine espionage and use the knowledge they have gained about their targets to travel to a rival country or organisation. Others have acted more aggressively and tried to destroy the industrial systems of their victims in the hope of undermining the economy, national security and/or public safety of the country where the target organisation is located.
In the face of these threats, IBM X-Force's findings are sobering: it reports that more than 200 new ICS-related CVEs were released in 2019. As a result of this discovery, researchers predict that the number of attacks on OT and ICS targets will continue to increase in 2020 and beyond.
Organisations with an industrial environment are not blind to these threats. However, some feel that they cannot do anything about these dangers because of the cost of purchasing a workplace safety solution. MarketsandMarkets noted that organizations in particular need security measures that cover the entire industrial environment. This requirement means that OT security solutions are expensive and that organizations prefer multiple threat solutions that do not require high upfront costs, such as licensing or maintenance.
But if you think industrial cybersecurity is expensive, try an accident. Unintentional or malicious cyber incidents can lead to catastrophic disruptions, such as the explosion of the Buncefield oil storage facility, the collapse of the Taum Sauk dam and the explosion of the Texas refinery.
The question is what’s at stake. Organizations with industrial activities typically operate Cyber Physical Systems (CPS), which are responsible for ensuring uninterrupted operation in industrial environments such as critical infrastructure. When deactivated or tampered with, a CPS can cause a malfunction of the equipment that endangers public safety, destroys property and/or causes a natural disaster. For example, Gartner predicts that the financial impact of attacks on CPS will continue to grow, reaching a total value of $50 billion in damages, fines and reputational damage by 2023. (These costs do not even take into account the value of human life.)
However, this is an important ongoing event. In fact, Gartner also estimates that responsibility for CPS attacks will eventually increase to 75% of CEOs by 2024. This personal responsibility of leaders reflects the fact that many companies are not aware of their organization’s CPS and its weaknesses. This may be due to the growth of the parallel IT infrastructure, with external staff installing automation and modernisation of hardware and software in the workplace.
But even if they know which CPS the organization is responsible for managing, management and the board of directors may not have a good strategy to secure these assets. The reality is that CEOs and the board of directors are not aware that the typical CPS risk assessment reports they share do not adequately reflect the reality of operational, public health, safety and environmental risks.
These evaluation reports have been developed from a consensus perspective. Under this approach, inspectors and operators of installations and technical actors exchange information, but with a limited common understanding of the nature and complexity of cyber-physical systems. This approach leads to an unbalanced focus on prioritising network and system-related IT risks, which are generally better understood than the more significant CPS risks in OT, which require a more thorough assessment of their physics and technology. While a coordinated approach to risk assessment is somewhat better than isolated cyber risk assessments by IT, operational and engineering departments in their respective fields, it does not provide a convergent view of CPS risk.
The attenuation of their industrial assets
Organizations need a way to strengthen their industrial assets to avoid the costs associated with industrial cybersecurity incidents, both in terms of operating costs and personal accountability for CEOs and board members. Organisations should use frameworks such as ISA/IEC 62443, NERC CIP and MITRE to enhance the security of their training tools and select industry-specific cybersecurity solutions that contribute to a robust cyberattack prevention programme. To better understand the industry base, harmonize IT/OT and use the right tools to get the job done with manual help, read the Tripwire Industrial Cyber Security e-book: Field guide.
About the author: Saif Sharif has been a member of the engineering, information technology and cyber security communities for over twenty (20) years. He enthusiastically applies his accumulated experience in the field of industrial cyber security. He wants to help customers better understand and improve their safety. Mr. Sharif is Chief Consultant and Managing Director of ORIGNIX Inc, a Calgary-based company. ORIGNIX offers customization in the field of cyber security to ensure security in the design and operation of industrial processes.
Editor’s note: The opinions expressed in this guest post are those of the author alone and do not necessarily reflect the views of Tripwire, Inc.