Written together with Mille Gandelsman, Indegy's CTO, and Yariv Lenchner, Indegy's Director of Product Management.
In 2018, we can expect an increase and acceleration in the connectivity and digital transformation initiatives that have taken root in the industrial sector over the past few years.
Sometimes called Industrie 4.0 or the Smart Factory, such advances will introduce new cyber security challenges and landscape changes. In Part One of our 2018 predictions, we examine the threats that industrial IT and OT security professionals can expect next year and beyond. The second installment will examine the innovations in industrial control system (ICS) security that are on the horizon for the near and mid-term future.
New Ransomware Will Continue Wreaking Havoc on Industrial Organizations
In 2017, global ransomware outbreaks such as WannaCry, NotPetya, and most recently, Bad Rabbit, caused widespread disruptions among organizations in all industries, including manufacturing and transportation services. Expect this trend to continue in 2018.
The ransomware variants of 2017 were not specifically designed for industrial networks. However, since these environments include many legacy Windows-based systems that are not properly patched or secured, they were easily compromised. Therefore, it remains important to apply appropriate patches and strengthen security controls to protect these systems.
The disruption caused by ransomware to industrial organizations last year did not directly affect the automation controllers.
The controllers continued to operate manufacturing and other industrial processes, even after Windows-based operator and engineering workstations were compromised and became unavailable.
However, we expect that a new, more damaging type of ransomware will specifically target controllers. Early in 2017, researchers at the Georgia Institute of Technology designed a cross-vendor ransomware worm known as LogicLocker capable of targeting PLCs that are exposed online.
According to the report: “LogicLocker uses the native sockets API on a Schneider Modicon M241 to scan the network for known vulnerable targets, namely Allen Bradley MicroLogix 1400 PLCs and Schneider Modicon M221 PLCs, and infect them by bypassing their weak authentication mechanisms, locking legitimate users from easily recovering the PLC, and replacing the program with a logic bomb that begins to dangerously operate physical outputs threatening permanent damage and human harm if the ransom is not paid in time.”
Since this proof of concept now exists, we expect to see a threat in the wild in 2018.
A Red Button Cyber Weapon is a Real Possibility
Threats, sanctions and missile tests are not new developments in the US-North Korea relationship. In 2017, we saw an escalation which could result in a war between the two nations.
While much of the world’s attention has focused on North Korea’s development of nuclear weapons and long-range ballistic missiles, the nation has quietly developed a cyber army capable of unleashing attacks against critical infrastructures that could have global implications.
Along with North Korea, Russia has also developed cyber weapon capabilities. It has been accused of extensive attacks on Ukraine's power grid, cutting off electricity to nearly a quarter of a million people in December 2015, and taking down a transmission station in 2016.
Security experts believe Russia was using Ukraine as a testing ground to develop techniques that could be used to launch cyber attacks against other nations.
In November, during her annual speech in London's Guildhall, UK Prime Minister Theresa May accused Russia of attacking Britain's national grid and telecom companies, claiming that Russia had "...mounted a sustained campaign of cyber-espionage and disruption". She went on to say, “We know what you are doing and you will not succeed.”
These developments all point to what is known as a “Red Button” capability, whereby adversaries have gained a foothold inside industrial networks and critical infrastructure, and are capable of shutting down power grids, water supplies, etc. with the push of a button.
In early 2017, Indegy's CEO Barak Perelman warned about the advent of this type of capability in an Inc.com article about the rise of cyber crime in the physical world.
There’s a very real possibility we could see a Red Button incident in 2018.
Introduction of IIoT tech - Without Full Consideration of Security Implications
The constant need to modernize industrial systems, increase productivity and improve operational maintenance procedures is driving the implementation of connected technologies and IIoT. This trend can expose already vulnerable ICS networks to cyber threats they have never faced before.
Designed by various industrial vendors, IIoT technologies can assist in predictive maintenance, improve supply chains and more. However, most do not include protections to ensure devices can’t be exploited by hackers. As a result, these devices might expose ICS to a wide array of cyber threats and exploitation attempts.
Since OT environments lack visibility and security controls, it is very difficult to detect such threats in real time or even post-attack. Therefore, it is important to carefully consider these threats and look into security controls that will help prevent and detect them before they take down operational processes and critical services.
The ICS Cyber security Skills Gap Continues to Grow
The shortage of skilled ICS cyber security professionals is not a new concern, yet the skills gap continues to grow. While most companies are aware of the need for ICS cyber security, they struggle to define their ICS cyber security strategy and place skilled professionals in key roles.
Many organizations are still debating who should be responsible for ICS security.
Should it be the IT security operations center (SOC) team, which is familiar with cyber security best practices yet lacks an understanding of operational technologies and their requirements? Or the operational team, which knows and understands OT but is not familiar with cyber security best practices and is already overtasked with the demanding work of maintaining and ensuring operational safety, reliability, and continuity?
The successful deployment of industrial cyber security projects must leverage resources from both IT and OT. Business-level oversight and leadership help ensure that the two sides collaborate effectively with each other.
To learn more about IT/OT cyber security convergence read our blog post, Building a Successful Industrial Security Strategy in a Converging IT/OT World.
In addition, to streamline OT incident handling and unify people, processes and technologies across both sides of the IT/OT divide, we expect increasing interest in ICS security solutions that integrate with IT SOC solutions.