Power
January 25 2021 11:28 am

5 Cybersecurity Best Practices to Protect Your OT Systems

POWER

Over the last several years, cyber actors and online criminal gangs have used cyber warfare to disrupt business and infrastructure across the globe. Today, they are becoming even more aggressive and are using their resources to target Operations Technology (OT) and Industrial Control System (ICS) networks. According to the Canadian government's Canadian Centre for Cyber Security, it is "very unlikely" that state-sponsored cyberthreat actors "would intentionally seek to disrupt Canadian critical infrastructure and cause major damage in the absence of international hostilities," but cyber warfare is a modern tool to antagonize and destabilize enemies with little chance for repercussion or attribution, and cyberattacks themselves can be international hostilities.

Cybersecurity Is Vital for Successful Operations

Whether or not threat actors are state-sponsored, organizations should not neglect the cybersecurity of their industrial control networks. On July 23, 2020, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert recommending "immediate actions to reduce exposure across operational technologies and control systems" because of an "increase in adversary capabilities and activity." This alert should be heeded by OT and ICS network operators everywhere.

The threat of a nation state-sponsored attack is very real. Cybersecurity researchers, using software forensic tools and threat intelligence, have traced the origins of many sophisticated cyberattacks to Advanced Persistent Threat (APT) groups based in countries like Russia, China, North Korea, and Iran. APT groups are clusters of hackers or attackers that use powerful cyber warfare tools designed to steal from, destroy, and disrupt operations of key targets. Their determined and deliberate methods show them to be well-funded and well-trained in cyber warfare. APTs are widely suspected to be operating under the direction and funding of nation state sponsors and/or organized crime.

Canada, the U.S., and the UK have all alleged that China and Russia have executed state-sponsored cyber espionage and attacks. Few organizations are exempt from international diplomatic tensions, trade disputes, and hostilities. Cyberattacks can be used by nation states to escalate and retaliate subversively, without publicly antagonizing rivals.

Unlike traditional warfare, cyber warfare is silent. In cyber warfare, there is no infantry massing, there is no need to send bombers precariously close to international borders, and usually the perpetrator remains unconfirmed. Cybersecurity analysts are good at identifying hacker groups, and often where they are based, but tracking the chain of command and source of funding of these groups based on malicious code is imprecise. This allows nation states to act with impunity, without fear of international retaliation. The impact of a cyberattack can be as debilitating as a physical attack, particularly when the attacks move from the information technology (IT) world to the OT world.

Cyberbreaches Can Be Difficult to Identify

Over the past decade, cyberattacks have moved beyond traditional IT systems into the operational networks that control critical infrastructure. Attacks on OT across the world have been well-documented; the now infamous Stuxnet and Triton attacks were designed specifically to compromise OT systems. In 2015 and 2016, OT-focused cyberattacks caused power outages in Ukraine. In 2017, the NotPetya attack, named for the malicious software used, halted operations for hundreds of companies and caused an estimated $10 billion loss. OT cyberattacks have the potential to be particularly impactful to a nation because they can directly affect fundamental infrastructure: power, water, transportation, and communications.

Like IT systems, OT systems are vulnerable to "zero-day" attacks, that is, attacks that expose a previously unknown vulnerability in a device, operating system, or software. Popular anti-malware tools are often helpless against zero-day attacks, unable to identify or stop them. APT attacks may lurk undetected in a system for months, waiting for a timed sequence or outside control signal to act. Without a rigorous prevention program, combined with specialist tools for detecting intrusions, companies may be infected without even knowing.

While IT cybersecurity awareness grows and IT infrastructure is frequently updated, OT cybersecurity often does not keep pace, making OT systems vulnerable. There are many reasons for this lag. Each OT system is bespoke, containing technology available at the time of its design and often put in place to last for decades. In a single company, it's common to have great differences in technology deployed in systems that perform nearly identical functions, simply due to the year the systems were designed and the technology available at the time.

Most OT systems were not built with cybersecurity as part of their design criteria, and often include discontinued devices that cannot be secured. OT networks frequently include operating systems and communication protocols that are not typically encountered in IT. When IT cybersecurity tools detect these systems, they can incorrectly classify normal operations as cyberattacks. Operation of IT security tools in OT networks can interfere with critical processes, leading to loss of production or even safety issues.

One of the most fundamental methods of executing a cyberattack is through tricking target company staff into unwittingly helping the attacker. This is commonly referred to as "social engineering." The COVID-19 pandemic has made the success of this technique even greater. Companies have made drastic changes to procedures and processes to prevent the spread of the disease. Travel restrictions across the globe have made it difficult for specialists of all kinds to perform services on OT systems. The quick solution is to open the OT network to the internet to allow for remote connection and maintenance. Attacks could come directly from the internet on a poorly configured temporary remote access solution, or perhaps through a well-designed social engineering scheme to trick staff into installing a malicious program for a hacker impersonating a trusted party. The rapid changes seen through this pandemic have led to confused staff, poor training, and work-arounds that all increase the risk of a successful cyberattack.

To provide remote working capabilities and the improved productivity that can come with connected OT systems, companies must balance changes with investments in cybersecurity technology and training to mitigate risks. Government legislation can set a base requirement for cybersecurity, as has been done for utilities connected to the North American electric grid, but all markets and companies cannot be secured in an identical way. Private companies must thoroughly review their cybersecurity risk profile and make business decisions on the level of investment required to mitigate cyber risks. The challenge faced by many firms is the lack of skilled cybersecurity staff to perform such assessments and to mitigate the risks identified.

OT systems, complicated by challenging operational requirements and niche computer communications protocols, are outside the expertise of traditional IT cybersecurity staff. Often the cybersecurity of these important networks is pushed onto the operations staff. This introduces a significant risk to organizations. Operations people may not have sufficient training or experience in cybersecurity to truly understand their own competence levels. These organizations are in danger of underestimating the complexity of cyber risks, and often lack the training required to apply reasonable and prudent cyber defenses. Companies that do understand the need for OT cybersecurity-specific staff sometimes struggle to hire, develop, train, and retain the talent needed. Without the right people, companies simply will not know the extent of their exposure until they are compromised.

Best Practices for Protecting OT Systems

Fundamentally, companies in the OT space need to know what assets they have and the risks associated with them. Based on that understanding, they should enact the following five key best practices to help protect critical infrastructure:

  • Develop and implement an OT cybersecurity program, including multi-factor authentication, patching, malware protection, physical security, post-infection detection, and forensic tools. Use your OT stakeholders, systems, and technologies to your advantage and leverage any existing IT cybersecurity program.
  • Review and update the OT asset inventory and network diagrams to make sure all OT systems, including software and firmware, are well-documented. Categorize the importance and the risk for each asset.
  • Implement an OT vulnerability management program to keep on top of the changing threat landscape, monitoring updates from agencies such as the Canadian Centre for Cyber Security and the U.S. Department of Homeland Security (DHS).
  • Invest in OT security-awareness training, including cybersecurity topics such as social engineering and OT malware. It's also important to train or hire competent OT cyber-focused resources and ensure their cybersecurity mandate is a clear priority.
  • Document and practice an IT and OT incident response plan, which includes key IT security and OT personnel. It should also include OT vendor contacts, safety, tabletop cyberattack exercises, and verification that backups are protected and functional. No system, no matter how much security is applied, is impenetrable.

Action needs to be taken now, and you can start with the people and technology that you already have. Cybersecurity threats are not going away. APT groups are actively attacking infrastructure targets across the globe. No location is immune to cyberthreats, but with the right training and well-designed cybersecurity programs, network administrators can defend against and minimize the impact of potential cyberattacks.

–Eric MacDonald, P.Eng. is Business Development Manager, Cyber Security and Digitalization with Siemens Energy Canada, and Chris Sistrunk, PE is Technical Manager of Mandiant ICS Consulting at FireEye.

About Us

IIoT Connection delivers the latest news, trends, insights, events and research surrounding the dynamic and disruptive Industrial Internet of Things (IIoT) marketplace. Brought to you by the publisher of must-read publications Defense Daily, OR Manager, POWER and Chemical Engineering, as well as the conference producers of SATELLITE, Global Connected Aircraft Summit, Connected Plant Conference and ELECTRIC POWER, IIoT Connection is committed to providing the most comprehensive compilation of products and services dedicated to the Industrial Internet of Things. Key verticals with associated products and services include: aerospace, chemical, cybersecurity, healthcare, oil & gas, power, and transportation.

