The Home of the Security Bloggers Network
Concerns regarding cyberattacks against critical infrastructure have elevated industrial control systems (ICS) security to a mainstream topic. The first half of the year saw an increase in vulnerabilities found in ICS, exposing the high risk for attacks. As businesses continue connecting devices to the internet and converging operational technology (OT) under IT systems management, it’s more important than ever to understand these vulnerabilities and adequately mitigate and respond to risks.
Many of the events that increased awareness of current ICS risks and vulnerabilities were ransomware attacks. These incidents elevated awareness of ICS and OT network security and brought these topics into mainstream conversations.
Colonial Pipeline, the East Coast’s largest gasoline, diesel and natural gas distributor, was hit by a ransomware attack in May 2021, and the attack impacted oil and gas delivery for millions of people. DarkSide, a Russian cybercrime group that sells ransomware-as-a-service (RaaS), was responsible for the attack. Colonial paid a $4.4 million ransom in Bitcoin ($2.3M of it was recovered by the U.S.). Shortly after the attack, however, DarkSide reportedly abandoned its operation.
This incident not only made headlines but also shed light on how ransomware attacks have evolved to impact the physical world. Because DarkSide gained access to Colonial Pipeline’s systems by exploiting an inactive account that didn’t use multifactor authentication, it put pressure on businesses to assess similar risks within their own network of systems.
In early February 2021, a remote attacker changed the levels of sodium hydroxide in residential and commercial drinking water at a water treatment facility in Oldsmar, Fla. Operators inside the facility detected two intrusions from outside the plant, the second of which involved a remote attacker.
Thankfully, the operators kept the contaminated water from ever reaching the public. While this attack could have had more dire results, it shed light on the risks posed to systems without secure remote access and the importance of ICS safeguards. As the pandemic accelerated digital transformation, critical infrastructure was further exposed as operators used remote access to manage systems off-site.
JBS, the world’s largest meat supplier, was attacked by the RaaS group REvil, leading to a shutdown of plants in Australia, Canada and the U.S. and wiping out nearly one-fifth of the U.S. plants’ meat processing capacity.
JBS maintained a backup system and was able to resume operations by using it to restore the data. Regardless, the company reportedly paid the attackers an $11 million ransom to recover its data and operational capability.
RaaS has emerged as a business model that allows essentially anyone to exploit vulnerabilities and launch attacks. It’s proven to be a profitable business model, too; as with Colonial Pipeline, attackers realized that critical infrastructure organizations make lucrative targets. Not only do they have the financial resources to pay, but any disruption to operations could put lives at risk—meaning they’re highly motivated to do whatever it takes to resume operations.
On top of that, many food and beverage production sites run on legacy OT that was never designed to be connected to the internet. OT networks predate the internet and, with digital transformation leading many food and beverage companies to automate parts of the manufacturing processes, OT is suddenly being exposed to a whole host of new cyberthreats.
While these attacks have raised awareness of current vulnerability trends, awareness itself is not enough. The next step is to act on the lessons learned from these incidents to minimize risk.
With more devices connected to the internet and managed via the cloud, measures such as network segmentation must be prioritized. Network administrators should:
As organizations adjust to increased remote connections to corporate resources, they must do so securely. This is especially vital within OT environments and critical infrastructure, as operators and engineers require secure remote access to industrial assets to ensure process availability and safety. Security practitioners are encouraged to:
Remote work has increased reliance on email as a vital communication mechanism. These conditions also increase the risk of personnel being targeted by phishing or spam attacks and associated ransomware and other malware infections. Users should:
Most operations management and supervisory control vulnerabilities are software-based, whereas at the basic control level the majority of vulnerabilities are firmware-based. Because patching is often impossible over a device's lifetime, especially for device firmware, it is recommended that critical infrastructure organizations invest in segmentation, remote access protection and better protection of the operations management and supervisory control levels. This is imperative because those levels provide access to the basic control level and, eventually, to the process itself.
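The segmentation point above (and the remote-access point made earlier) can be turned into a concrete, checkable policy. The following is an added example, not code from the article or from Claroty: it models the article's four functional levels as address zones, allows traffic only between adjacent levels so that enterprise IT can never reach basic control directly, admits outside connections only to a single jump host, and then runs that policy over constructed flow-log lines to flag violations. The prefixes, the jump-host address and ports, and the log format are all assumptions made for the example.

```python
"""Flow-policy check for an ICS network zoned by functional level.

Added example (not from the original article). Zone names follow the
article's wording; the address ranges, the jump host and the log format
are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed zone layout: one prefix per functional level (constructed).
ZONES = {
    "enterprise": [ip_network("10.10.0.0/16")],     # corporate IT
    "ops_mgmt": [ip_network("10.20.0.0/16")],       # historians, MES, jump host
    "supervisory": [ip_network("10.30.0.0/16")],    # HMI / SCADA servers
    "basic_control": [ip_network("10.40.0.0/16")],  # PLCs, RTUs
}
# Levels ordered from least to most process-critical. A flow may cross at
# most one level boundary, so enterprise hosts never talk to PLCs directly.
LEVELS = ["enterprise", "ops_mgmt", "supervisory", "basic_control"]
# Assumed: the only host that may accept connections from outside the plant,
# and the only services it exposes (SSH, HTTPS-based remote access gateway).
JUMP_HOST = ip_address("10.20.0.5")
JUMP_PORTS = {22, 443}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the plant is 'external'."""
    a = ip_address(addr)
    for name, prefixes in ZONES.items():
        if any(a in p for p in prefixes):
            return name
    return "external"


def flow_allowed(flow: Flow) -> bool:
    """Apply the adjacency rule plus the jump-host exception."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == "external":
        # Inbound remote access terminates only on the jump host.
        return ip_address(flow.dst) == JUMP_HOST and flow.dport in JUMP_PORTS
    if dst_zone == "external":
        # Only corporate IT is permitted to initiate connections outward.
        return src_zone == "enterprise"
    return abs(LEVELS.index(src_zone) - LEVELS.index(dst_zone)) <= 1


def parse_flow(line: str) -> Flow:
    """Parse the assumed log format: '<ts> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, src, dst, proto, int(dport))


def find_violations(lines):
    """Return (flow, 'src_zone->dst_zone') for every flow the policy rejects."""
    violations = []
    for flow in map(parse_flow, lines):
        if not flow_allowed(flow):
            violations.append((flow, f"{zone_of(flow.src)}->{zone_of(flow.dst)}"))
    return violations


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = """\
2021-06-01T08:00:01Z 10.30.0.12 10.40.0.7 tcp 502
2021-06-01T08:00:02Z 10.10.5.41 10.40.0.7 tcp 502
2021-06-01T08:00:03Z 203.0.113.9 10.20.0.5 tcp 443
2021-06-01T08:00:04Z 203.0.113.9 10.40.0.7 tcp 502
2021-06-01T08:00:05Z 10.20.0.5 10.30.0.12 tcp 3389
2021-06-01T08:00:06Z 10.10.5.41 10.20.0.40 tcp 443
""".splitlines()

if __name__ == "__main__":
    for flow, reason in find_violations(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.ts} {flow.src} -> {flow.dst}:{flow.dport} ({reason})")
```

Run as a script, it flags two of the six constructed records: the corporate workstation opening Modbus/TCP (port 502) straight to a PLC, and the external address attempting the same. The HMI-to-PLC flow, the outside connection to the jump host, and the two single-boundary hops pass. The same adjacency table can be used to generate firewall rules between zones, which is the enforcement the article calls for.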
Cybersecurity is an all-hands-on-deck effort, which means organizations must ensure roles are clearly defined and proper systems are in place to support this new normal. With digital acceleration brought on by the pandemic, the only thing we know for sure is change is imminent. To effectively protect critical infrastructure, it is crucial to continue evaluating the ICS vulnerabilities created as a result of that change so that while innovation continues, we can effectively mitigate risks.
Chen Fradkin is a security researcher at industrial cybersecurity company Claroty with over seven years of experience researching ICS and IT network security. She specializes in analyzing all components of network security, from protocols and topology to connected devices, as well as developing security systems. She graduated from the Open University of Israel with a degree in computer science.