As Industrial Systems Surge, Overconfidence Raising New Risks

Businesses have had little respite from opportunistic attacks against their critical systems.

For instance, Symantec logged a six-fold increase in the number attacks on customers' Internet of Things (IoT) systems last year. Elsewhere, 41 percent of industrial control system (ICS) computers were attacked in the first half of 2018, up from 37 percent a year earlier.

The uptick in attacks has put added urgency on the need for companies to take measures to secure their cyber-physical and industrial control systems and fend off the widespread, opportunistic attacks infecting vulnerable systems, according to Kunal Agarwal, general manager for Symantec's IoT security group.

"The majority of infections are accidental, and they usually are those malware that are very good at spreading," he said. "But once they get into the system, they are able to infect the entire environment, which is what actually causes the actual downtime or the impact to operations which you read about."

The renewed focus on industrial control and IoT systems follows a brutal string of attacks. In 2017, two major ransomware operations—WannaCry and NotPetya—caused significant disruptions for many companies, freezing manufacturing at Merck, delaying operations at FedEx, and disrupting medical services at the U.K.'s National Health Service.

The ransomware outbreaks did not target those specific companies but were opportunistic attacks that spread widely. In addition, because the attacks impacted operational technology (OT), not just information systems, they severely impacted business operations. For example, Merck lost at least $300 million, FedEx lost $400 million, and the NHS lost almost £100 million, according to the organizations. In 2018, chip maker Taiwan Semiconductor Manufacturing Company (TSMC), announced a variant of WannaCry infected its systems in August, resulting in a shutdown of its manufacturing that cost the company more than $250 million.

Management: Worry More. Specialists: Talk More

Most business leadership's view of their ability to secure their operational networks and industrial Internet of the Things (IIoT) systems remains optimistic – perhaps more than is warranted by the facts on the ground. More than 90 percent of company executives are at least somewhat confident that in their ability to secure their control devices and systems, according to the 2018 SANS Industrial IoT Security Survey.

Security professionals who have to deal with those systems, however, have a less rosy view of their ability to secure those systems. Only two-thirds of operational technology professionals are at least somewhat confident in their ability to secure their networks. While no executive admitted to being not at all confident or completely unprepared to secure their IIoT, a third of OT professionals had no faith in their ability to secure such systems.

"Management is actually more confident than they should be, and they should be listening to someone down the food chain," said SANS's Filkins.

IT and OT specialists need to talk to one another, because their perspectives are different, said Sandy Carielli, director of security technologies for Entrust Datacard, who co-wrote the Industrial Internet Consortium's Security Model. A major challenge for companies is to figure out what makes sense in each environment and how the environments should interact, she said.

"I come from an IT security background, so I'm not an operations person, and that affects my biases and background in terms of what I think are acceptable practices," Carielli said. "Some of the things we have accepted as normal in IT and OT security, really might not hold water."

Protect the Pivot Points

With opportunistic attacks on the rise, protecting operational networks generally means having network segmentation in place to block attackers who attempt to jump from the information systems to the operation network. Two major vectors that allow pivoting between the different networks are USB drives and networks-connected OT controllers, said Symantec's Agarwal.

"These are pivot points between OT and IT networks," he said. "Attackers are injecting themselves into the IT network, and then trying to pivot into the OT world by attacking a controller."

The most vulnerable systems are those that have been kept around past their intended life time. In addition, because operational systems are often designed to last for decades, vulnerabilities will continue to leave them open to attack.

"There are often systems sitting off to the side that actually carry an important business process and it is still running Windows XP and there is nothing in front of it to protect it," said SANS's Filkins. "You see this all the time in these industrial environments."

Also, companies should adopt a framework for industrial system security, whether the NIST Cyber Security Framework or the Industrial Internet Consortium's security model, and constantly iterate on their approach to securing their systems, said Entrust Datacard's Carielli.

"The security maturity model is really designed to give organizations an idea of where they need to be and what controls they need to implement," she said.

In the end, companies need to constantly be on guard and take a measured approach to security, she said.

"Your requirements for security will differ if you are working with a smart lightbulb compare to a manufacturing floor," she said. "The security maturity model is really designed to give organizations an idea of where they need to be and what controls they need to implement."