The COVID-19 pandemic forced industrial organizations worldwide to arrange secure remote operation of production floors and industrial facilities, according to OT cyber vendor Radiflow. It also spurred a shift in budgeting priorities because of the pandemic’s economic downturn.
2020 has seen its share of trends and incidents with Work from Home (WFH), the SolarWinds supply chain attack, ransomware attacks on industrial organizations, OT cyberattacks funded or fully operated by nation states, the rise of OT-MSSPs (managed security service providers), and adoption of OT network risk-based decision-making and governing standards, wrote Ilan Barda, the company’s CEO, in a blog post.
WFH was probably the nightmare of every industrial CISO this year: it required setting up a range of security tools and procedures for remote operation of industrial facilities. With no precedent to follow, SCADA and ICS operators had to scramble to make tough decisions.
Radiflow released recommendations on IT-OT segmentation, multi-factor authentication (MFA) for VPNs, periodic reviews of access policies, and gaining visibility into the OT network and into the risk facing it. MFA is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account or VPN.
With tech companies committed to allowing WFH well into 2021, the jury’s still out on whether the trend will stick, and how it would apply to industrial operations, Barda said.
The SolarWinds attack gave supply chain attacks their day in the sun, leaving CISOs and owners of industrial operations wondering who could be attacked next. The attack involved penetrating the SolarWinds network and infecting an official update of the Orion IT network management software. As a result, over a period of several months, malware-weaponized Orion updates were downloaded around 18,000 times, infecting the customers’ internal networks.
Once installed in a customer’s network, the malware was able to communicate with its external controllers by masquerading as SolarWinds’ own protocol and applying multiple detection-avoidance mechanisms, such as command & control servers located in the victim’s country.
Supply chain attacks often manifest as slight changes in network behavior. Industrial networks need to be continuously monitored to detect any change in network patterns, and risk assessments need to be continuously updated to account for newly published attack bulletins; both should be part of a structured backup and resilience plan.
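The "slight change in network behavior" point above, as an added illustration (not Radiflow's code): learn which peers, ports and protocols each OT host normally uses, then flag a host that starts talking to an outside address it never contacted before, or to a known peer over a new service. Flow records, addresses and the OT address range are constructed placeholders.

```python
# Added illustration (not Radiflow's code): flag OT flows that deviate from a
# learned baseline. Flow records and addresses below are constructed placeholders.
from collections import defaultdict
from ipaddress import ip_address, ip_network

OT_ZONE = ip_network("10.10.0.0/16")  # assumed OT address range (placeholder)

def learn_baseline(flows):
    """Map each source host to the (dst, dport, proto) tuples seen in a quiet
    learning window."""
    baseline = defaultdict(set)
    for src, dst, dport, proto in flows:
        baseline[src].add((dst, dport, proto))
    return baseline

def detect_deviations(baseline, flows):
    """Return alerts for flows absent from the baseline.
    new-external-peer: host talks to an outside address it never contacted
                       before (what a beaconing implant looks like on the wire)
    new-service:       a known peer, but a port/protocol not seen before
    """
    alerts = []
    for src, dst, dport, proto in flows:
        seen = baseline.get(src, set())
        if (dst, dport, proto) in seen:
            continue
        outside = ip_address(dst) not in OT_ZONE
        known_peer = any(d == dst for d, _, _ in seen)
        kind = "new-external-peer" if outside and not known_peer else "new-service"
        alerts.append((kind, src, dst, dport, proto))
    return alerts

# Constructed sample: a learning window, then a later window in which the
# network-management server starts talking to an unknown outside host.
LEARNING = [
    ("10.10.1.5", "10.10.2.10", 502, "tcp"),    # mgmt server -> PLC (Modbus)
    ("10.10.1.5", "10.10.2.11", 502, "tcp"),
    ("10.10.1.5", "203.0.113.7", 443, "tcp"),   # vendor update server, expected
]
LATER = [
    ("10.10.1.5", "10.10.2.10", 502, "tcp"),    # normal
    ("10.10.1.5", "198.51.100.9", 443, "tcp"),  # unknown outside peer -> alert
    ("10.10.1.5", "10.10.2.10", 44818, "tcp"),  # known PLC, new port -> alert
]

if __name__ == "__main__":
    for alert in detect_deviations(learn_baseline(LEARNING), LATER):
        print(alert)
```

A real deployment would also age the baseline and re-learn after approved changes, otherwise every maintenance window floods the operator with alerts.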
While the SolarWinds attack was allegedly perpetrated by nation-state sponsored hackers, it is safe to say that unaffiliated actors will likely replicate the attack’s methods and TTPs. Supply chain risk will therefore increase, and any supply chain software should be assumed to be compromised, Barda said.
The June 2020 ransomware attack that halted Honda’s global operations may have made the headlines, but it is part of a trend that started just a few years ago. Unlike previous years’ malware attacks, which attempted to take control of industrial machinery controllers, ransomware is all about the money; and as IT-intensive organizations got better at protecting their networks, hackers moved on to less-protected OT sectors such as manufacturing and healthcare.
In many cases, the attacks used traditional methods of spearphishing and steganography (hiding code inside an image or file). This year’s crop of ransomware includes familiar names as well as newcomers such as LockerGoga, MegaCortex, Ryuk, Maze and Snake/Ekans, which was used in the Honda incident. OT organizations need to redouble their efforts to raise employees’ cyber awareness, and backup and contingency plans for ransomware need to be in place.
Ransomware will become more OT-specific, targeting both IT networks whose compromise may impact production and the industrial devices directly, Barda forecast for next year.
Incidents of one nation cyber-attacking another’s critical infrastructure facilities have been on the rise. Notable cases include the alleged SolarWinds attack, multiple attacks on Azerbaijan’s renewable energy sector attributed to Russian actors, multiple attacks on Israel’s main water supply system attributed to Iranian-based hackers, and a (possibly retaliatory) attack that disabled an Iranian seaport, according to Barda. Given the political sensitivities involved, it can be assumed that the attacks made public are just the tip of the iceberg.
Radiflow expects such attacks to increase in the year ahead.
For many industrial operators, setting up an in-house OT-dedicated cybersecurity system is both cost- and personnel-prohibitive, as expert security personnel are in high demand. This is where cloud-based MSSPs come in. By hiring an OT-MSSP, industrial operators can get a level of security and ongoing network activity monitoring on par with that of IT networks.
Radiflow has teamed up with several MSSPs, whose use of its solution suite has enabled them to roll out a wide range of OT services, from detection, monitoring and alerting to asset management, risk assessment and compliance planning, based on need and regulations.
The year ahead is expected to witness steady growth and increasing acceptance.
Understanding OT network risk is a key factor in devising an effective cybersecurity plan. However, the complexity and scale of modern, Industry 4.0 ICS networks make risk evaluation by traditional risk assessment procedures practically impossible. Users can no longer “eyeball” risk; ad-hoc or annual risk reviews are no longer sufficient. Adequate protection requires continuous risk monitoring that instantly accounts for each and every change on the network, throughout the OT cybersecurity lifecycle.
For these reasons, OT organizations are warming up to the need for accurate risk assessments that tell the operator how effective their security system is against the risk the network faces. At the same time, governing standards, notably IEC 62443, have provided guidelines and a framework for risk management. Following the IEC 62443 guidelines helps OT operators treat the standard as a guide to securing the network, rather than merely as a compliance checkbox.
Last month, Radiflow joined with Mitsubishi Electric UK to address the IEC 62443 cybersecurity standard needs in the critical infrastructure and industrial automation markets. With the new offering covering cybersecurity software, hardware and consultancy services, Mitsubishi customers can protect systems through adherence to critical industry security frameworks.
Barda concluded that cyberthreats to industrial organizations will continue to increase, in both volume and sophistication. “We’ve reached a point where cyberattacks are not a question of if but rather of when and what could be done to prevent that attack or minimize its harm,” he said.