Turn Your Cybersecurity ‘Inside Out’
EP Editorial Staff | February 20, 2019
Nuisance attacks and the incremental system degradation they cause are as disturbing as all those headline-grabbing hacks.
By Brian Wrozek, Optiv Security
When it comes to industrial cybersecurity, much has been reported about attacks designed to compromise critical infrastructure, force ransom payments, and cause system outages or halt production—and with good reason. Such incidents make headlines. Consider the massive 2017 WannaCry ransomware attack that targeted automotive plants, including France’s Renault operation, its Japanese-alliance partner Nissan, and a Honda factory in Japan. Then, in a March 2018 resurgence, WannaCry went on to target a Boeing production plant in Charleston, SC.
Attacks such as these are no doubt frightening and a risk that IT security teams should take seriously. For most operations, a far more likely—and ominous—class of attacks has been flying under the radar: They’re called “nuisance” attacks.
THE RISE OF NUISANCE ATTACKS
Nuisance attacks cause systems to incrementally degrade without arousing suspicion of a cyber attack. The potential for such attacks is unlimited, and they can be used to disrupt public and private infrastructure. For example, hacking industrial controls to slow down production or cause machinery breakdowns in plants would probably be chalked up to defective equipment or other “natural” causes, rather than a cyber attack, thus leaving the perpetrator undetected.
These types of attacks can be part of nation-state-sponsored industrial-espionage activities or a result of nefarious operations by criminals (shorting stocks and then disrupting operations, for example). They can exact significant costs through compromised production schedules, lost revenue, and increased expense. Worse yet, because nuisance attacks can be mistaken as equipment breakdowns or malfunctions, attackers can dwell on the network undetected for extended periods of time, leaving them free to engage in other damaging activities.
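One reason nuisance attacks go unnoticed is that per-sample alarm thresholds are tuned to catch sudden excursions, not a creep that stays inside the normal band. The following is an added illustration, not code from the article or from Optiv, of a defender-side check that catches such creep: it runs a classic threshold alarm and a CUSUM (cumulative sum) test side by side over a constructed telemetry series, a bearing temperature with a 60.0 C nominal and 0.3 C commissioning spread, into which a slow ramp has been introduced that never leaves the 3-sigma band. The readings, the baseline figures and the detector parameters are all constructed for this example.

```python
"""Drift detection for process telemetry (added example, not the article's
or Optiv's code). A slow ramp that stays inside the per-sample alarm band
never trips a threshold alarm, while a CUSUM test over the same readings
flags it within a couple of dozen samples. All values are constructed."""
from typing import List, Optional


def constructed_readings(n: int, drift_per_sample: float, cap: float) -> List[float]:
    """Construct n telemetry samples: nominal 60.0, alternating +/-0.1 noise,
    plus a linear ramp of drift_per_sample capped at `cap` so that no single
    sample leaves the 3-sigma band (constructed data, not a real plant)."""
    readings = []
    for i in range(n):
        ramp = min(cap, drift_per_sample * i)
        noise = 0.1 if i % 2 == 0 else -0.1
        readings.append(round(60.0 + ramp + noise, 3))
    return readings


def per_sample_alarm(readings: List[float], mean: float, std: float,
                     k: float = 3.0) -> Optional[int]:
    """Classic per-sample threshold: index of the first reading more than
    k standard deviations from the commissioning mean, or None."""
    for i, x in enumerate(readings):
        if abs(x - mean) > k * std:
            return i
    return None


def cusum_drift(readings: List[float], mean: float, std: float,
                slack: float = 0.5, threshold: float = 5.0) -> Optional[int]:
    """Two-sided CUSUM (Page's test). Each sample's standardised deviation,
    less a slack allowance, is accumulated; the sum is clamped at zero so
    ordinary noise cannot build up, but a persistent bias does. Returns the
    index at which either accumulator first exceeds `threshold` (in units
    of std), or None."""
    s_high = s_low = 0.0
    for i, x in enumerate(readings):
        z = (x - mean) / std
        s_high = max(0.0, s_high + z - slack)   # creeping upward
        s_low = max(0.0, s_low - z - slack)     # creeping downward
        if s_high > threshold or s_low > threshold:
            return i
    return None


def compare_detectors(readings: List[float], mean: float, std: float) -> dict:
    """Run both detectors over one series and report where each fires."""
    return {
        "per_sample_alarm_at": per_sample_alarm(readings, mean, std),
        "cusum_alarm_at": cusum_drift(readings, mean, std),
    }


if __name__ == "__main__":
    MEAN, STD = 60.0, 0.3   # constructed commissioning baseline
    quiet = constructed_readings(40, 0.0, 0.0)
    # ramp of 0.02 per sample that stops at +0.7, i.e. under 3 * STD = 0.9
    creeping = constructed_readings(60, 0.02, 0.7)
    print("quiet   :", compare_detectors(quiet, MEAN, STD))
    print("creeping:", compare_detectors(creeping, MEAN, STD))
```

On the creeping series the threshold alarm never fires, because no single sample is more than 0.8 from nominal, while the CUSUM accumulator crosses its limit at sample 20, long before the ramp reaches its cap. The slack and threshold values trade false alarms for detection delay; the ones here are common textbook defaults, and a plant would tune them per signal from its own commissioning data.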
‘INSIDE OUT’ SECURITY
Cybersecurity can be overwhelming for plant IT professionals, and it’s easy to understand why. Never has it been easier for malicious actors to penetrate industrial networks, as the lack of security hygiene in industrial control systems (ICS), SCADA systems, sensors, and controllers has created a Swiss cheese of entry points for adversaries to compromise electrical grids, water systems, production systems, and other crucial infrastructure. This, along with the massive increase in vulnerable IIoT endpoints, has resulted in an extremely complicated security landscape. Unfortunately, most organizations are attempting to battle these new threats with an antiquated approach to security.
In simple terms, operations have traditionally taken an “outside-in” approach to cybersecurity, in which external threats (e.g., ransomware or critical-infrastructure attacks) and compliance requirements (e.g., the Critical Infrastructure Protection (CIP) cybersecurity reliability standards) dictate technology purchases and security strategies. To put it another way, they identify new threats and regulations, and then react with technology procurement.
This approach has failed by leaving organizations with bloated, complex, and expensive security infrastructures that are not only impossible to manage (particularly with the thin staffs brought about by the skills shortage) but may actually create vulnerabilities and gaps in security programs. IT security staffs are consumed by an ever-increasing number of “fire drills” as they attempt to manage the cacophony of tools, services, and alerts, leaving no time for higher priority tasks that deliver business value. Last, but certainly not least, this approach causes organizations to focus on the “risk du jour,” such as a new or updated regulation, rather than addressing the broader risk environment.
It’s time for industry to flip the outside-in model on its head and adopt an “inside-out” approach. Instead of letting external threats and regulations dictate security strategy and spend, specific enterprise risk, based on the organization’s unique business objectives and risk profile, should be used to drive cybersecurity strategy and subsequent investments. Marrying cybersecurity strategy to the greater organizational business objectives allows security to become a business enabler rather than a roadblock.
This model empowers IT security teams to successfully prioritize risk and achieve the following key objectives:
• Rationalize technology infrastructure. With a risk-based reference architecture guiding the optimal mix of technology tools and services, organizations can transform complex environments with endless point solutions into streamlined infrastructures that are much more affordable, manageable, and effective at reducing risk.
• Optimize operations. Once enterprises understand exactly which technologies they need to effectively manage risk, they can make more informed staffing decisions for managing them. Security teams are freed to focus on higher-level projects that deliver business value rather than being mired in mundane “busywork.”
• Perform ongoing measurement. Once the entire security program is constructed around a coherent strategy of risk reduction, it becomes possible to implement key performance indicators (KPIs) that demonstrate the value security investments and strategies have on the business, while also giving security executives easy-to-understand metrics to report to other executives and board members.
In light of the dramatically expanding attack surface, the rise in plant-based attacks, and the need for IT security teams to secure OT devices and systems, the state of cybersecurity throughout industry has become extremely complex. With an inside-out security model, however, sites can learn from the past and break through the complexity to simplify, yet strengthen, their security programs, regardless of what’s being added to their network, who is targeting their network, or how the threat landscape is changing around them.
IT security professionals need to prioritize security now rather than wait for a catastrophic event to precipitate change. The good news is that an inside-out security model provides organizations with a blueprint for success: achieving a strong risk-based security and compliance posture, while keeping their programs simple, manageable, affordable, and measurable.
Background in Brief: Trouble Comes in Threes
Cybercrime is a business. Just like any other business, cyber-criminals seek to gain maximum return on investment (ROI) for the least amount of effort. This principle, combined with the convergence of operations technology (OT) and information technology (IT) networks, is making industrial sites increasingly popular targets for malicious actors.
This is a new world for IT security teams, given the fact that OT networks historically were isolated from the corporate network and not connected to the internet. This meant that industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems, controllers, and sensors were not subjected to the threats that IT networks faced, so they were never built to be able to run security software.
But today, as IIoT (Industrial Internet of Things) and digital transformation trends continue to transform sites, OT networks are increasingly connecting to IT networks. Systems and devices that were once isolated are now IP-enabled (but still unable to run security software), turning them into IIoT endpoints that are open to attack. The situation has created a triple threat for plant IT security professionals:
• OT networks are significantly increasing the size of the overall enterprise attack surface, practically overnight.
• The inability of OT endpoints to run security software makes it challenging to secure them.
• IT/OT networks are being attacked with increased frequency and ferocity, because they give cyber-criminals a way to penetrate “two networks for the price of one.” In other words, they can penetrate the IT network and then move laterally onto the OT network, or vice versa. This opens multiple potential revenue streams for them, whether it’s selling access to SCADA systems, spreading ransomware across the IT network, or simply stealing whatever data they can get their hands on.
Brian Wrozek is vice president of corporate security, risk and compliance management, and physical security for Optiv Security, Denver. For more information regarding cybersecurity, visit optiv.com.