Cybersecurity risks in US critical infrastructure sectors call for better skills, technologies, processes

The industrial cybersecurity sector in 2022 continued to face adversarial attacks in critical infrastructure networks that illustrated knowledge of control system components, industrial protocols, and engineering operations. Fighting these attacks requires a different set of security skills, technologies, processes, and methods to manage the different risks and risk surfaces, setting ICS (industrial control systems) apart from traditional IT enterprise networks. The year was also marred by the conflict between Russia-Ukraine, with the war reshaping the threat landscape and proving to be an abject lesson for all those tasked with protecting critical infrastructure.

A recent study conducted by cybersecurity firm Nozomi Networks and the SANS Institute identified the risks and threats impacting critical infrastructure and provides direction on managing ICS risk to maintain the safety and reliability of operations. It outlines how the industry responds to these incidents with greater preparedness and more willingness to budget for ICS cybersecurity. However, there are still a substantial number of organizations that are vulnerable and have big challenges ahead of them in getting up to par with the threat landscape.

Some of the challenges faced in securing ICS/OT technologies and processes include the use of legacy and aging OT (operating technology) technology technically integrated with modern IT systems, deployment of traditional IT security technologies not designed for control systems, IT staff not understanding OT operational requirements, and insufficient labor resources to implement existing security plans.

Looking at the ICS threat landscape, the report identified some sections more targeted than others this year. These include business services, healthcare and public health, and commercial facilities are the top three sectors deemed most likely to have a successful ICS compromise that will impact safe and reliable operations. Only 11 percent positively reported that they had experienced an incident impacting their ICS/OT systems. Of these, most reported fewer than 50 incidents. Yet even with these low numbers, disruptions could be impactful. 

With a war in Russia looming at the beginning of the year, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) rolled out a ‘Shields Up’ alert. The move notified every organization in the country of potential risk from cyber threats that can disrupt essential services and potentially lead to impacts to public safety. Apart from shoring up cyber defenses at home, the growing trend of using cyberattacks to target critical infrastructure networks prompted the U.S. government to intensify its support to Ukraine, specifically to its network defenders. 

By June, the U.S. administration looked upon these initiatives as a ‘new normal’ baseline, marked by continuous investments in resilience and an alert system primed to catalyze the right response by the right people at the right time, which would potentially bolster the nation’s cybersecurity posture. In October, CISA topped up existing measures by publishing a set of voluntary and not comprehensive cross-sector cybersecurity performance goals (CPGs) to help establish a standard set of fundamental cybersecurity practices for the critical infrastructure sector. These baseline objectives will likely help raise industrial cybersecurity posture while prioritizing decisions, spending, and driving action.

When the Nozomi-SANS survey inquired about the top threat vectors of concern to respondents, with the influx of ransomware seen globally, it is no surprise that ransomware, extortion, or other financially motivated crimes ranked as number one. Even ransomware impacting IT business networks may have an impact on ICS operations, though this would depend on the location of ICS support services and network architecture.

2022 has seen an avalanche of cybersecurity incidents with adversaries using malware, ransomware, and phishing techniques targeting critical infrastructure installations. Strategic competition is intensifying because China, Russia, Iran, and North Korea have become more confident in the force modernization they have undertaken for years and perceive more opportunities to advance their ambitions. 

The U.S. faces challenges from competitors who have and are developing new capabilities intended to challenge, limit, or exceed U.S. military advantage. These state and nonstate actors are selectively putting those capabilities into play globally and regionally. The threats those capabilities pose span across warfighting domains, including maritime, land, air/air defense, electronic warfare (EW), cyberspace, information, and space. 

Rapidly evolving technology, advances in special materials, high-performance computing, robotics, artificial intelligence (AI), and biotechnology will augment the adversaries’ military capabilities and pose additional challenges. China and Russia, in particular, are pressing ahead with advances in space and counter-space capabilities and using cyberspace to increase their operational reach into U.S. infrastructure.  

A recent Takepoint Research survey reported that about 60 percent of respondents say their current cyber attack recovery plan does not adequately support OT/ICS. Moreover, 63 percent report that they are not confident in their cyber attack recovery plan for critical OT workstations and machines. An overwhelming 90 percent of respondents disclosed that the OT recovery process should be owned by OT professionals and not by IT, due to the considerable differences between OT and IT environments in the OT/ICS recovery process. 

There has also been an increase in ICS adversaries now more than ever ‘living off the land’ in the control environments. These ICS attack groups have been observed to abuse systems, features, and industry protocols native to industrial environments turning control systems against themselves. Some examples of living off the land are an attacker gaining access to an HMI with legitimate operator access but then using the HMI commands against the process to, for example, open circuit breakers in the field in an electric substation or change the chemical mixture in a water treatment facility. 

The Nozomi-SANS survey noted that no malware is used to cause the impact, though the adversaries are using built-in and legitimate engineering software, features, and/or ICS protocols to cause impacts. Living off the land can be seen as far back as HAVEX in 2014, more recently with the tailored CRASHOVERRIDE ICS-specific framework targeting electric power, and the 2022 discovery of the Incontroller/PIPEDREAM scalable ICS attack framework.

During the year, Forescout’s Vedere Labs discovered 56 vulnerabilities caused by ‘insecure-by-design’ practices affecting devices from ten OT vendors, including Baker Hughes (Bentley Nevada), Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa. Collectively called OT:ICEFALL, these security loopholes are divided into four main categories – insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware updates, and remote code execution via native functionality. 

Last month, Vedere Labs disclosed three more vulnerabilities affecting OT products from two German vendors – Festo automation controllers and the CODESYS runtime, used by hundreds of device manufacturers in different industrial sectors, including Festo.

The role of ‘people’ in the ICS security workforce is in high demand, as hiring managers may be looking for specific ICS certifications. Existing employees may look to options to increase their knowledge or solidify their career path by obtaining accreditation in ICS security. Organizations recognize its value and will do well to obtain and retain ICS-specific skilled resources; however, they may need to be flexible in hiring and look harder for the required skill sets.

The Office of the National Cyber Director (ONCD) is developing a national strategy focused on the cyber workforce, cyber training and education, and digital awareness in a three-phase approach. The Department of Energy (DOE) also accepted applications for the next cohort of its OT Defender Fellowship, which aims to expand the cybersecurity knowledge and capabilities of U.S. energy sector cyber defenders. Furthermore, Dragos launched its Dragos OT-CERT (Operational Technology – Cyber Emergency Readiness Team), a cybersecurity resource designed for industrial asset owners and operators primarily built to address resource gaps in securing industrial infrastructure.

OT vendors came together during the year to form an OT Cyber Coalition (Operational Technology Cybersecurity Coalition) that works with government and industry partners, while also advocating for vendor-neutral, interoperable, standards-based cybersecurity solutions. Representing the entire OT lifecycle, the Coalition will focus on using collective experience to safeguard the nation’s critical infrastructure assets and improve the cybersecurity of OT environments.

On the legislative front, an ICS cybersecurity training bill cleared the House of Representatives in June and the Senate in September. The bill authorizes CISA to undertake and fund a new initiative to deliver ICS security training.

The CISA and the Science and Technology Directorate (S&T) are developing and testing new technologies and tools that will help combat daily threats, both physical and online. Earlier in May, the ICS Cyber Emergency Response Team of CISA expanded the scope of the Idaho National Laboratory’s Control Environment Laboratory Resource (CELR) research zone.

Amid the growing threat landscape, Lloyd’s of London said in August that it is set to introduce cyber insurance exclusions to coverage for ‘catastrophic’ state-backed attacks from 2023, as cyber-attack risks involving state actors have additional features that require consideration. The move to limit systemic risk in the insurance market has prompted warnings that it would lead to legal disputes over whether certain attacks had state support while further restricting cover vital to businesses.                

Industrial Cyber contacted cybersecurity experts to assess the effect of the cybersecurity landscape, which has been further threatened by the looming Russian war in Ukraine. Additionally, the experts analyze the role played by legislative and executive measures across the ICS and OT environments and whether organizations are in a better position to detect, discover and safeguard their security gaps.

Earlier this year, CISA stood up the ‘Shields Up’ campaign as a response to Russia’s invasion of Ukraine which could impact organizations both within and beyond the region, to include malicious cyber activity against the U.S. homeland, Eric Goldstein, executive assistant director for cybersecurity at the CISA, told Industrial Cyber. “In the course of this campaign, CISA and our partners issued numerous advisories and guidance that have collectively informed significant improvements in many organizations’ ability to detect, protect against, and respond to intrusions.” 

“As the nation’s cyber defense agency, CISA stands ready to help organizations—large and small—prepare for, respond to, and mitigate the impact of cyberattacks,” Goldstein said. “We all have roles and responsibilities in cyberspace, and we must all work together to raise the cybersecurity baseline of our nation from current or emerging cybersecurity threats,” he added.

“Due to innovations from industry and an emphasis from policymakers, we’ve made significant progress this year in helping ICS/OT systems operators see and understand possible cyber threats,” Wen Masters, vice president of cyber technologies at MITRE, told Industrial Cyber. “While this increase in visibility is a requirement for progress, it isn’t by itself sufficient to defend ICS/OT from intentional cyber hazards. Now we need to help organizations prioritize and implement mitigation measures to protect against adversary actions.”

The escalation of the Russian-Ukrainian conflict highlighted that cyber operations are an integral part of military activities, and they have consequences for critical infrastructures, Masters said. “Ukraine continues to experience and has demonstrated significant skill in defending against offensive cyber activity integrated with conventional military action.” 

Masters also pointed to how cyber action around the conflict also highlighted how cyber effects targeted at a critical infrastructure can impact multiple critical infrastructures. “For example, we saw how European energy systems were impacted by the attack on ViaSat networking devices. Infrastructure operators need to take a deep look at their supply chains to ensure that they have resiliency in safety critical operations,” she added.

“Over the past year, we have seen cybersecurity become a top priority for the Biden administration in reaction to the global cyber threat landscape. Since the outset of the war in Ukraine, cyberattacks globally have increased more than 15%,” Michael McLaughlin, associate – policy advisor at national law firm ​​Baker Donelson, told Industrial Cyber. “In light of historic Russian targeting of critical infrastructure and industrial control systems, the threat this increase represents has been most acutely felt in critical infrastructure sectors.” 

McLaughlin said that to address threats from both nation-states and ransomware actors, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act in March. “This new law mandates stringent cyber incident reporting requirements for “covered entities” in critical infrastructure sectors: 72 hours to report a ‘covered cyber incident’ and 24 hours to report a ransomware payment.” 

He also pointed out that the CISA is currently in the rulemaking process to define what ‘covered entities’ and ‘covered cyber incidents.’ “While this new legislation will give CISA and the federal government greater visibility of cyber incidents, it will not alone enable organizations to better detect, discover, or safeguard their security gaps,” McLaughlin added. 

The experts also weigh in on the role that focuses on the software supply chain has brought to the OT and ICS environments. Furthermore, they look into how capable are industrial organizations of adhering to SBOMs and VEX requirements, in light of the legacy systems and outdated software that operate within such infrastructures.

Goldstein said that the increase in attention to supply chain risks has helped shift priorities and investments for the OT world as it has in the broader software ecosystem. “CISA works closely with industrial control system (ICS)/OT vendors and security researchers through its Coordinated Vulnerability Disclosure (CVD) process, which enables greater collaboration on vulnerability management issues including automation,” he added.

“CISA appreciates the participation of ICS-focused manufacturers, asset owners, and security vendors in the ongoing enhancement and refinement discussions around the transparency tools for software bill of materials (SBOM) and Vulnerability Exploitability eXchange (VEX). These can ultimately complement traditional scanning tools,” Goldstein added.

The challenges in the supply chain that have drawn news attention continue to make it clear that we are facing a crisis of visibility and security, Masters said. “We cannot see our supply chains, and as such need to focus on both remedying our lack of visibility and on equipping our defenders with greater capability to check quality and security before installation and throughout the lifecycle. Remedying our lack of visibility will take time, technology, and regulatory/acquisition change.”  

“Additionally, supply chain participants see and discuss supply chain risks differently, making different risk choices due to their lack of a common view of what risks are possible,” according to Masters. “Without common thinking on what risks are present, the actions and choices of each participant can end up at odds with others.”

Masters also pointed out that SBOMs and VEX have a role to play over time, “if we start to manage them well from here on out. They are not immediately helpful given the heavy legacy installs and long lifespan of ICS. In addition, software is critical but only one part of the supply chain problem. There is insufficient market capability – regardless of cost – to detect hardware compromises and counterfeits,” she added.

McLaughlin looks at an insecure software supply chain that represents a critical vulnerability for OT and ICS. “When software companies issue their software, it is rarely perfect. Because software developers often ‘borrow’ code from multiple publicly available online repositories, when the final program—possibly consisting of millions of lines of code—is issued commercially, it will frequently contain vulnerabilities. Because OT and ICS are often isolated from other networks or run legacy software, they are typically not updated or patched as frequently as information technology. As a result, they retain the many vulnerabilities that have been patched in updated editions of the software,” he added.

“A Software Bill of Materials (SBOM) and a vulnerability exploitation exchange (VEX) work in tandem to allow a network owner to identify vulnerabilities in their systems based on the version of software running,” according to McLaughlin. “Though these tools are important to identify vulnerabilities, they are not a panacea of security. For example, medical device hardware can have a lifespan of 10-30 years. The software that operates these devices, by contrast, generally stops receiving updates or patches in 5-8 years. As a result, legacy systems combined with poor cybersecurity practices have resulted in 53 percent of connected medical devices in hospitals having known critical vulnerabilities.” 

Despite knowing about vulnerabilities in legacy devices, many hospitals have no way of mitigating the risk without completely replacing the devices, McLaughlin said. “And – for the vast majority of healthcare systems – this is cost prohibitive. For many industrial and manufacturing companies, replacing legacy systems is similarly cost prohibitive,” he added.

As we head into 2023, the experts provide focus areas from a cybersecurity perspective for industrial and manufacturing companies, as OT systems become more complex and interconnected.

“The rapidly growing cybersecurity threat to operational technology (OT) and industrial control systems (ICS), particularly across critical infrastructure, is one of CISA’s highest priorities,” Goldstein said. “While CISA provides a variety of services and recommendations around securing OT and ICS, one place we would encourage industrial and manufacturing companies to start in assessing their disposition is to review CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs) for critical infrastructure.” 

Goldstein added that “based on our operational experience, and the input of numerous OT experts, we believe that the collection of goals in the CPGs represents the most impactful actions that companies can and should take to secure their OT and ICS environments.” 

In 2023, “we would like companies to assess how well they are executing the CPGs, and when they determine there might be goals they are perhaps falling short on or have not yet implemented, to prioritize those areas for investment and improvement,” Goldstein said.

“Mechanisms that have a substantive positive impact on resiliency are an important focus,” Masters said. “Leveraging the progress that has been made in increasing visibility and compliance, additional focus is needed on understanding systematic impact of cyber components blended with an understanding of which components are likely to be exploited by adversaries.” 

In many cases, the effort is being expended on mitigating vulnerabilities in components that are unlikely to be leveraged by adversaries or do not have substantive impact on the safe and reliable operation of industrial processes, Masters added.

McLaughlin said it is critical for industrial and manufacturing companies to ensure their OT systems are regularly patched, updated, and – where possible – isolated from external networks. “With the rise of the industrial internet of things (IIoT), isolation will become increasingly challenging. Companies will need to focus simultaneously on security at the device, the network, and the cloud levels – frequently referred to as ‘full stack security.’ This type of construct incorporates end-to-end protection, including regular monitoring for indicators of compromise and secure data transfer. 

As companies adopt IIoT, establishing or contracting for a 24/7 security operations center (SOC) and secure access provisioning for ICS and OT is imperative, McLaughlin concluded.