Dutch CSAN 2023 report emphasizes OT security importance despite challenges

The Cybersecurity Assessment Netherlands 2023 (CSAN 2023) report highlights the importance of operational technology (OT) security despite facing challenges. It warns of state actors using cyberattacks for geopolitical goals, extortion as a lucrative business model, and new technologies like AI posing new threats. The report emphasizes the need for broader risk management and integration of digital risks into national security risks.

With these factors in mind, the Dutch agency calls on organizations to expect the unexpected. Digital security requires a continuous balancing of divergent interests, threats, and resilience. Organizations strive to increase digital resilience and remain free from cyber incidents. Implementing basic measures can impact cybersecurity, but they cannot always prevent unexpected incidents with unexpected causes and impacts.

“It has become clear that cyber actors are interested in compromising OT. Controlling the related risks requires specific knowledge, competencies, and cooperation,” the CSAN 2023 report revealed on Monday. “There is room for improvement despite the growing attention for the resilience of OT systems. It is important to focus further on this in order to guarantee the resilience of vital processes.” 

Drawn up by the National Coordinator for Counterterrorism and Security (NCTV), in close cooperation with the National Cybersecurity Centre (NCSC), the CSAN 2023 report identifies four national security risks: unauthorized access to information, including espionage targeting central government communications; inaccessibility of vital processes, including through cybercrime; breaches of cyberspace; and large-scale outages, including disruptions due to natural or technical causes or unintentional human action.

“We see that cybercriminals are becoming smarter and smarter. This is to be expected, seeing that there is a lot of money to be made. The downside of this is that it greatly damages organisations and society,” Pieter-Jaap Aalbersberg, National Coordinator for Counterterrorism and Security, said in a news statement. “It is therefore important that we increase our resilience because the security of digital processes is and will remain linked to national security.”

He added that more than ever, “our country, every sector, and every organisation is part of a digital ecosystem. A network of businesses, products, suppliers, and applications that are digitally interconnected provides knowledge and economies of scale but also leads to risks and vulnerabilities. Because of the close online interwovenness, everyone can experience the consequences of a cyber incident that at first glance seems unlikely.”

According to Aalbersberg, “We cannot always prevent cyber incidents, but we can increase our resilience, reduce the impact and limit the damage. Reducing the imbalance between the digital threat and resilience, therefore remains a major challenge. In short, expect the unexpected.”

The Dutch report also disclosed that the fact that OT networks are traditionally insecure-by-design is becoming increasingly problematic because OT has become more intertwined with IT over the past years. “Increased integration, also referred to as IT/OT convergence, is intended to improve the visibility, efficiency, and speed of operational processes. However, this also offers attackers more possibilities to gain access to an OT network via compromised IT systems. This is reinforced by the emergence of the Industrial Internet of Things (IIoT). This also increases the attack surface and offers attackers more opportunities to compromise operational systems,” it added.

Covering the new malware relevant to the Netherlands, the CSAN 2023 report said that the possibility of compromising operational systems is a current concern, as is evident, among other things, from the discovery of two new types of malware last year, which made it clear that these types of malware can be used to sabotage OT systems. “The first, Industroyer2, was deployed against a Ukrainian energy supplier but could be neutralised in time. ESET and the Ukrainian CERT attribute Industroyer2 to Russian state actor Sandworm. Industroyer2 is the first OT malware that builds on a previous variant. The second type of malware, known as Pipedream/Incontroller, gives an attacker multiple options in case of a digital attack and creates, among other things, a bridge between IT and OT environments.”

According to Mandiant, Pipedream/Incontroller was presumably developed by a state actor but was discovered by investigators before it could be deployed. It is remarkable that both malware variants can be deployed more broadly and can also be deployed beyond the initial target. 

“Such developments are also relevant to the Netherlands. It is a known fact that state actors focus inter alia on preparatory acts for sabotage against vital and other crucial infrastructure,” according to the CSAN report. “In addition to sabotage, gaining insight into industrial processes as a result of espionage can also be an important motive on the part of state actors. An exploratory act can already result in disruption of industrial environments and is very undesirable for this reason alone.”

CSAN 2023 also identified that ransomware actors form a risk to the continuity of operational systems and physical processes. “For example, a new ransomware variant named Luna was discovered in July 2022. This variant includes a list of OT processes that, if they are present, are terminated before encryption takes place. Such a list is also referred to as a kill list. The use of a kill list was identified earlier in ransomware variants such as EKANS, MegaCortex, and LockerGoga. Kill lists are not by definition the result of a targeted attempt to disrupt OT networks. They often consist of broad and incoherent lists of programmes to be terminated within both IT and OT environments that are presumably drawn up randomly,” it added.
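The kill-list behaviour described above has a simple defensive signature: one process stopping several OT-critical processes within seconds. The following detection sketch is an added example, not code from the CSAN report or from any of the named ransomware families; the watchlist of process names and the log lines are constructed for illustration, and a real deployment would take the watchlist from the site's asset inventory.

```python
"""Flag kill-list style bursts of OT process terminations (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical watchlist of process names a site treats as OT-critical.
# Constructed for this example; a real list comes from the asset inventory.
OT_WATCHLIST = {"hmi_runtime.exe", "historian_svc.exe", "plc_gateway.exe", "scada_server.exe"}

def parse_event(line):
    """Parse one constructed 'process terminated' log line of the form
    '<ISO time> TERMINATE host=<h> killer=<name> pid=<n> target=<name>'."""
    ts, kind, *fields = line.split()
    if kind != "TERMINATE":
        return None  # only termination events are of interest here
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def find_kill_bursts(lines, window=timedelta(seconds=30), threshold=3):
    """Return (host, killer, [targets]) for each killer process that stops at
    least `threshold` watchlisted OT processes within `window`.
    A single routine stop by a service manager does not trip the rule."""
    by_actor = defaultdict(list)
    for line in lines:
        rec = parse_event(line)
        if rec and rec["target"].lower() in OT_WATCHLIST:
            by_actor[(rec["host"], rec["killer"])].append((rec["ts"], rec["target"]))
    alerts = []
    for (host, killer), events in by_actor.items():
        events.sort()  # chronological, so the sliding window below is valid
        for i in range(len(events)):
            run = [t for ts, t in events[i:] if ts - events[i][0] <= window]
            if len(run) >= threshold:
                alerts.append((host, killer, run))
                break  # one alert per actor is enough
    return alerts

# Constructed sample: one routine operator shutdown, then a rapid kill-list burst.
SAMPLE_LOG = [
    "2022-07-05T08:00:00 TERMINATE host=eng-ws1 killer=services.exe pid=800 target=historian_svc.exe",
    "2022-07-05T10:15:01 TERMINATE host=eng-ws1 killer=svc_update.exe pid=4412 target=hmi_runtime.exe",
    "2022-07-05T10:15:02 TERMINATE host=eng-ws1 killer=svc_update.exe pid=4412 target=notepad.exe",
    "2022-07-05T10:15:02 TERMINATE host=eng-ws1 killer=svc_update.exe pid=4412 target=plc_gateway.exe",
    "2022-07-05T10:15:04 TERMINATE host=eng-ws1 killer=svc_update.exe pid=4412 target=scada_server.exe",
]

if __name__ == "__main__":
    for host, killer, targets in find_kill_bursts(SAMPLE_LOG):
        print(f"ALERT {host}: {killer} stopped {len(targets)} OT processes: {targets}")
```

Because the rule keys on the terminating process rather than on a known malware name, it also catches the "broad and incoherent" lists the report mentions, as long as enough watchlisted names are hit in one burst.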

Another ransomware variant that used such a list, known as Cl0p, was reported in the news in August 2022 in connection with an attack against British company South Staffordshire Water. The attackers claimed that they had access to the drinking water company’s OT systems. The organization itself indicated that the attack only involved the IT environment and that the drinking water supply was never in any danger. 

The Dutch report observed that it is expected that ransomware actors will continue to develop new tactics to pressure their victims even more. “Industrial environments are also increasingly often identified as revenue models for cyber actors. Although attacks that are not directly aimed at OT can result in operational problems, a further and possibly more targeted disruption of OT systems cannot be excluded in this context. This is facilitated by the increasing intertwining of OT and IT,” it added.

Hacktivists appear to be taking an increasing interest in compromising OT because it can be used as a coercive measure to realize ideological objectives, the CSAN 2023 report said, adding that this is evident from an increasing number of alleged attacks that are claimed by hacktivist groups. “The motives cited by hacktivists vary in nature. Reference is made among other things to the war against Ukraine, but also to other social issues and geopolitical developments worldwide. However, such attacks are generally opportunistic in nature and aimed at systems of which the attackers themselves often have no specific knowledge.” 

The Dutch report also identified that hacktivists, for instance, use publicly available exploit modules (tools) directed against OT systems connected to the internet. “Its impact appears to be very limited for the time being and the outcome of attacks seems uncertain. It is often difficult to verify claims which mainly serve a symbolic purpose. Moreover, compromising a single OT system is insufficient to realise a targeted outcome. Because if attackers wish to realise a targeted effect, they have to know exactly how they can manipulate an entire network containing various systems. Being able to carry out attacks that have prolonged physical consequences requires time, knowledge, and capacity. It is therefore not likely that they can be carried out by a less-advanced actor,” it added.

The CSAN report observed that the limited set of measures within an OT network does not mean that OT environments are not resilient. For example, a lot of measures are being implemented to guarantee the security of the process in case of a (digital) emergency. In addition, digital resilience is characterized by the measures intended to prevent attackers from gaining access to the OT network. Within IT and OT different starting principles, standards, and priorities in the area of safety (damage to persons and/or the environment) and security (availability, integrity, and confidentiality) are applied. Moreover, OT systems generally last many years longer than IT systems. 

“These differences must be taken into account in the design of the interface between IT and OT environments (and the measures realised as a result),” according to the Dutch report. “This does not always take place sufficiently, partly because traditionally the teams involved in IT and OT operate independently of each other.”

The CSAN 2023 report observed that there is increased attention on the part of the government for helping organizations with the security of their OT environments. Priorities for the future have since been set through the Dutch Cybersecurity Strategy. Additionally, efforts were made during the past year to offer shared security standards. One such example is the Basic Cybersecurity Measures for Industrial Automation & Control Systems (BIACS), which in turn is derived from the Objects Cybersecurity Implementing Directive 3.0 (CSIR), in which both the Government Information Security Baseline (BIO) and the IEC 62443 system of standards are processed.

Furthermore, several starting points and tools are being developed to help organizations along with the security of their OT environments, such as the ‘Process Automation Security Check.’ 

Under the Cyber Resilience Act (CRA), the European Commission’s proposal for security requirements relating to digital products, several additional requirements are imposed on the suppliers of systems that are frequently used in OT environments, such as SCADA systems and PLCs. Private and public organizations are increasingly able to work together in this connection. Multiple partnerships have been initiated to provide insight into threats and risks and to jointly develop best practices.

The CSAN 2023 report said that the resilience of OT environments is linked to the employees who realize this resilience. OT environments are different from IT environments and require different knowledge and competencies in the area of cybersecurity. There is often still insufficient attention within organizations for the usefulness and need for OT cybersecurity. 

It observed that OT cybersecurity teams often have to work with limited means. “In addition, it is not easy to transfer knowledge between OT specialists due to the difference in OT environments in the various sectors. There is a limited number of specialists who have the required expertise. This is caused in part by the fact that training courses focus more on IT security. It is also due in part to the fact that traditionally there has been less attention for the security of OT environments because of the separation from other networks.”

The Dutch report identified that although resilience against digital threats was not a priority for a long period, the threat of disruption has grown and the importance of digital resilience has been acknowledged more broadly over the past years. Due to the growing attack surface and the potentially disruptive consequences of a digital attack against OT systems, it is important to build on this. Investments, building up knowledge, and supporting technological developments are essential in this connection.

Last week, the EU-NATO Task Force’s final assessment report identified security challenges in the energy, transport, digital infrastructure, and space sectors. It suggests strengthening infrastructure resilience and deepening cooperation through information exchanges, alternative transport routes, and security research ties.

Singapore’s Cyber Security Agency (CSA) also reported last week that threat actors have been researching and refining methods to strike targets since the 2010 Stuxnet computer worm disabled Iran’s Natanz nuclear facility. These threats are considered national security concerns.