Cybersecurity Experts Predict Challenges Ahead for Industry
Jane Alexander | January 2, 2018
While cybersecurity concerns will continue to cast shadows over the industrial landscape in 2018, some rays of sunshine are breaking through.
A recent two-part blog by Mille Gandelsman and Yariv Lenchner of Indegy (New York) put the New Year into perspective with regard to industrial cybersecurity. Part I examined threats that industrial IT and OT security professionals can expect in 2018 and beyond. Part II highlighted some things that are on the horizon for the industrial-control-system (ICS) security area.
The discussion began with the authors’ acknowledgement of the increase and acceleration in connectivity and digital transformation in industry over the past few years—and the fact that continuing advances in such initiatives will be introducing new cybersecurity challenges and landscape changes. Their predictions, divided into a bad news/good news scenario, are summed up here.
BAD NEWS. . .
Ransomware will continue wreaking havoc on
In 2017, global ransomware outbreaks such as WannaCry, NotPetya, and Bad Rabbit caused widespread disruptions among organizations in all industries, including manufacturing and transportation services. It’s a good bet this trend will continue in 2018.
The ransomware variants of 2017 weren’t specifically designed for industrial networks. But, since these environments included many legacy Windows-based systems that weren’t properly patched or secured, they were easily compromised. Thus, it’s important to apply appropriate patches and strengthen security controls to protect these systems.
Fortunately, the disruption to industrial organizations caused by ransomware in 2017 did not directly affect automation controllers. Controllers continued to operate manufacturing and other processes, even after Windows-based operator and engineering workstations were compromised and became unavailable.
Gandelsman and Lenchner do, however, predict that a new, more damaging type of ransomware will specifically target controllers. They cite a study conducted at Georgia Tech (Georgia Institute of Technology, Atlanta) in early 2017, wherein researchers designed a cross-vendor ransomware worm capable of targeting PLCs that are exposed online. Given the fact this proof of concept now exists, Gandelsman and Lenchner expect to see a threat in the wild in 2018.
BAD NEWS. . .
There’s a real possibility of a “red button” cyber weapon.
While much of the world’s attention recently has been focused on North Korea’s development of nuclear weapons and long-range ballistic missiles, the country poses another significant threat: It has quietly developed a cyber army capable of unleashing attacks against critical infrastructure that could have global implications.
Russia also has developed cyber-weapon capabilities. It has been accused of extensive attacks on Ukraine’s power grid, cutting off electricity to nearly a quarter of a million people in Dec. 2015, and taking down a transmission station in 2016. In Nov. 2017, during her annual speech in London’s Guildhall, UK Prime Minister Theresa May accused Russia of attacking Britain’s national grid and telecom companies.
These developments, according to Gandelsman and Lenchner, point to what is known as a “Red Button” capability, whereby adversaries have gained a foothold inside industrial networks and critical infrastructure and are capable of shutting down power grids, water supplies, and other crucial operations with the push of a button.
BAD NEWS. . .
Introduction of IIoT technology without full consideration of security will continue.
The constant need to modernize industrial systems, increase productivity, and improve maintenance procedures is driving the implementation of IIoT (Industrial Internet of Things) technologies. This trend can expose already-vulnerable ICS networks to cyberthreats they have never faced.
Designed by various industrial vendors, many IIoT technologies may not include built-in security protections. In turn, those devices might expose an ICS to a wide array of cyberthreats and exploitation attempts. Since OT environments lack visibility and security controls, it is very difficult to detect such threats in real time or even post-attack.
Gandelsman and Lenchner note that it’s important to carefully consider these threats and look into security controls that will help prevent and detect such threats before they take down operational processes and critical services.
BAD NEWS. . .
The ICS cybersecurity skills gap will continue to grow.
While the shortage of skilled ICS cybersecurity professionals isn’t a new concern, the skills gap continues to grow.
Despite awareness of the need for ICS cybersecurity, countless organizations struggle to develop a strategy and place skilled professionals in key roles. Many, in fact, are still debating who should be responsible for ICS security: Should it be the IT security operations center (SOC) team, which is familiar with cybersecurity best practices, yet lacks an understanding of operational technologies and their requirements? Or the operational team that knows and understands OT, but isn’t familiar with cybersecurity best practices and is already overtasked with the demanding work of maintaining and ensuring operational safety, reliability, and continuity?
According to Gandelsman and Lenchner, the successful deployment of industrial cybersecurity projects must leverage resources from both IT and OT. Business-level oversight and leadership help ensure that the two sides will collaborate effectively with each other.
GOOD NEWS. . .
Awareness of OT security gaps has been growing.
In 2017, more organizations implemented ICS security solutions and integrated them with existing SOC tools, such as security information and event management (SIEM) and incident-management systems, than in previous years.
As Gandelsman and Lenchner wrote, the increase in security alerts generated from ICS environments is raising awareness among IT and executive management of the critical security gaps that need to be addressed in these environments.
Take, for example, the fact that cybersecurity protection is critical for industrial-building management/automation systems. Buildings are typically not considered critical infrastructure, yet they house operations such as data centers and healthcare and government services. Building-management systems/building-automation systems (BMS/BAS) centralize a wide range of important control functions and services, including HVAC, lighting, water and wastewater management, fire-suppression systems, closed-circuit television (CCTV), and access control.
Since modern BMS/BAS systems are often connected to the corporate network and the internet to enable remote control and management, they, too, are exposed to cyberthreats. Gandelsman and Lenchner caution that such systems, similar to many industrial systems, haven’t been designed with security in mind. They note, however, that increased awareness of the importance of and threats to BMS/BAS systems is finally boosting interest in protecting them from cyber incidents.
GOOD NEWS. . .
Adoption of industrial cybersecurity frameworks
Though most industrial cybersecurity frameworks aren’t mandatory, Gandelsman and Lenchner described a significant uptick in organizations looking to implement them during 2017. They expect this trend to continue in 2018. While cybersecurity compliance is an important goal, they wrote that it’s even more imperative to implement measures that provide much needed visibility into industrial network activity to detect incidents and conduct the right incident response. Such frameworks include:
- NIST Cybersecurity Framework: The National Institute of Standards and Technology (nist.gov, Gaithersburg, MD) published the first version of the Cybersecurity Framework (CSF) for operators of critical infrastructure in 2014. In 2017, NIST released an update titled “Framework for Improving Critical Infrastructure Cybersecurity Version 1.1” that incorporates feedback and comments from the agency’s Dec. 2015 Request for Information. NIST also published the “manufacturing profile” of the CSF, which enhances (but does not replace) current cybersecurity standards and industry guidelines. It can be used as a roadmap for reducing manufacturer cybersecurity risk.
- NERC CIP: The North American Electric Reliability Corp. (nerc.com, Atlanta) introduced Critical Infrastructure Protection (CIP) standards to ensure reliability of the nation’s Bulk Electric System (BES). The current version of NERC CIP includes 11 critical-infrastructure-protection cybersecurity standards that specify a minimum set of controls and processes power-generation and -transmission companies should follow to ensure the reliability and security of North America’s power grid. Deploying traditional IT security controls, such as firewalls and antivirus software, is not sufficient for CIP compliance. To meet NERC’s CIP standards, electric-utility owners and operators must also have complete visibility into all ICS assets and network activities.
- Pharmaceuticals Manufacturing Guidelines: The current good manufacturing practice (cGMP) regulations for validating pharmaceutical manufacturing require drug products to be produced with a high degree of assurance that they meet all attributes they are intended to possess. The U.S. Food and Drug Administration (fda.gov, Washington) issued guidance that requires manufacturers to maintain processes in a state of control over their entire lifecycle, even as materials, equipment, production environment, personnel, and manufacturing procedures change.
GOOD NEWS. . .
Secure and encrypted industrial protocols will be introduced.
In 2018, Gandelsman and Lenchner expect industrial technology vendors will introduce devices that support encryption and other embedded security controls. Although this is a positive trend and a crucial step toward making industrial control systems and critical infrastructure more secure than in the past, they predict it will take decades before all legacy technologies are replaced. Even then, they believe no single product, technology, or methodology can fully secure ICS environments.
The solution? A defense-in-depth approach, they wrote, “one that addresses internal and external security threats,” is what’s needed. As they put it, this begins with consolidated OT-network-activity monitoring and integrity validation for critical devices such as industrial controllers.
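As an added illustration of the two starting points named above (consolidated OT-network-activity monitoring and integrity validation for controllers), not code from the article or from Indegy: a Python sketch that audits constructed sample OT events against a baseline of approved engineering workstations and known-good controller logic hashes. The host addresses, operation names, and logic payloads are all hypothetical.

```python
import hashlib

# Assumed baseline (constructed, not from the article): which engineering
# workstations may change controller logic, and the known-good hash of the
# logic on each controller, captured at commissioning time.
ALLOWED_ENGINEERING_HOSTS = {"10.0.1.20"}
LOGIC_BASELINE = {
    "10.0.5.1": hashlib.sha256(b"RUNG1 XIC I:0/0 OTE O:0/1").hexdigest(),
    "10.0.5.2": hashlib.sha256(b"RUNG1 XIC I:0/1 OTE O:0/2").hexdigest(),
}
# Operations that alter controller state rather than merely read it.
WRITE_OPS = {"program_download", "mode_change", "firmware_update"}

# Constructed sample monitoring events: (source host, controller, operation, payload).
EVENTS = [
    ("10.0.1.20", "10.0.5.1", "read_tags", None),
    ("10.0.1.20", "10.0.5.1", "program_download", b"RUNG1 XIC I:0/0 OTE O:0/1"),
    ("10.0.9.77", "10.0.5.1", "program_download", b"RUNG1 XIC I:0/0 OTE O:0/3"),
    ("10.0.9.77", "10.0.5.2", "mode_change", b"PROGRAM"),
]
# Constructed snapshots of the logic currently loaded on each controller.
SNAPSHOTS = {
    "10.0.5.1": b"RUNG1 XIC I:0/0 OTE O:0/3",   # changed after the rogue download
    "10.0.5.2": b"RUNG1 XIC I:0/1 OTE O:0/2",   # unchanged
}

def logic_hash(logic):
    return hashlib.sha256(logic).hexdigest()

def audit_network_activity(events, allowed_hosts=ALLOWED_ENGINEERING_HOSTS):
    """Network-activity monitoring: flag every state-changing operation sent to
    a controller from a host that is not an approved engineering workstation."""
    alerts = []
    for src, dst, op, _payload in events:
        if op in WRITE_OPS and src not in allowed_hosts:
            alerts.append(f"{op} to {dst} from unapproved host {src}")
    return alerts

def verify_controller_integrity(snapshots, baseline=LOGIC_BASELINE):
    """Integrity validation: compare the logic loaded on each controller with
    the commissioning baseline; a controller with no baseline is also flagged."""
    return [plc for plc, logic in snapshots.items()
            if plc not in baseline or logic_hash(logic) != baseline[plc]]

if __name__ == "__main__":
    for alert in audit_network_activity(EVENTS):
        print("ALERT:", alert)
    for plc in verify_controller_integrity(SNAPSHOTS):
        print("INTEGRITY DRIFT:", plc)
```

The two checks are complementary: the network audit catches the unauthorized download as it happens, while the hash comparison catches the resulting change even if the traffic was missed.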
Cyberthreats are everywhere. And they’re not going away. The bottom line, according to Gandelsman and Lenchner, is clear: Referencing past, current, and future industrial realities, they conclude that significant increases in ICS network threats demonstrate the need for organizations to take cybersecurity far more seriously in the coming year. That is, if those organizations really want to reduce the risk of successful cyberattacks on critical infrastructure.
To read the full two-part blog series on which this article is based, as well as download various resources associated with the discussion, go to blog.indegy.com.
ABOUT THE EXPERTS
Mille Gandelsman is CTO of Indegy, where he leads the company’s technology research and product development. Prior to Indegy, he led engineering efforts for Stratoscale and spent several years managing cybersecurity research for Israel’s elite intelligence corps. Gandelsman is an IDF Talpiot graduate with over 15 years of experience in ICS and cybersecurity.
Yariv Lenchner is director of Product Management for Indegy. An expert in ICS, VoIP, IP networking, and call-center technologies, he has held technical-management positions at CyberArk, Nice Systems, and RiT Technologies.