Cyber-attacks on critical infrastructure have increased in recent months with attackers crafting malware specifically to target these systems - Flame, Triton and GoldenEye are recent examples. We’ve even seen this focus yield results in the Ukraine both in 2015 and 2016. As these attacks continue to evolve in sophistication, it is important to ensure industrial control systems are well-protected.
In response to the growing threat, critical infrastructure owners and operators must take steps towards strengthening their cybersecurity posture and conduct onsite cybersecurity assessments of their industrial control systems. Not easy given the ever-changing threat landscape and the widely reported skills gap further complicating their endeavors.
Can new technologies bridge the security gasp and help remotely detect threats in real-time to speed the investigation of incidents, and contain attacks before significant damage is done?
What’s changing in the threat landscape?
With attacks on critical infrastructure on the rise, cybersecurity must become a bigger priority for ICS owners and providers.
The challenge, however, is that the mechanism of control, automation and connectivity of these systems has changed. Indeed, the vulnerabilities have always been there but they were either unrecognised or the risk ignored with the belief that they industrial assets were inaccessible.
Traditionally cyber security practices in critical infrastructure relied upon the relative isolation of industrial assets from the outside world, and the enterprise environment for that matter. Today, as industrial assets grow connected, this approach of ‘air-gapping’ is no longer a viable solution. Modern industrial assets are potentially discoverable to anyone looking, leaving critical infrastructure exposed to tailored malware attacks and system shutdown.
Attacks are changing, with the people behind them becoming increasingly creative and/or devious in performing their antics. For example, earlier this year we witnessed the first ever cryptomining attack against a critical infrastructure system. This attack highlighted the delay between infection and identification for an ICS operator that is manually trying to identify these instances.
In addition, we’re beginning to see more tailored attacks specifically for ICS networks. One of the most recent examples of this is the Triton attack in December. At the time, malicious actors used sophisticated malware to infiltrate one of Schneider’s Triconex safety controllers, which resulted in the malfunction, or shut down of operations, in industrial systems and nuclear facilities at a plant. Shutting down CNI systems allows hackers to extract data from companies for corporate espionage purposes and to hold companies, regions or nations at ransom due to economic pressure. The geopolitical connotations of those attacks are huge.
The motivations behind such attacks are numerous. However, one thing is certain – any successful attack has the potential for devastating consequences to industrial organizations of any size, anywhere in the world.
It is crucial for organizations to identify these threats and mitigate them before any significant damage is done.
Critical Infrastructure Operators’ Cyber Security Priorities
When it comes to implementing security, the top priority for ICS owners and operators is to keep systems running and ensure downtime is prevented, or at worst restricted, while achieving a level of personnel and environmental safety. Indeed, plant or system shutdown could have dangerous consequences. For example, eight years ago, Stuxnet, a malicious computer worm that specifically targets SCADA systems, was responsible for causing substantial damage to Iran's nuclear systems. The malware infected over 200,000 computers and caused 1,000 machines to physically degrade.
Another thing that’s changing for industrial priorities that resulted from AI and ML and more intelligent systems such as CloudSCADA and MES is preventive maintenance. Preventive maintenance is a big part of the potential benefit that industrial operators and companies can acquire from IOT or Industry 4.0. And a lot of that understanding of potential network failure – basically preventing it before it happens – is maximising the lifeline of capital equipment is going to fall on the shoulders of ICS stakeholders.
CNI organizations should give a high priority to re-assessing their cyber security programs, evaluate where they are in relation to government recommendations, and inform themselves about current technologies available for protection. Organizations are still very early in the adoption of cybersecurity protection for ICS networks - for many industrial providers out there this is still an obscure space, but it’s becoming less obscure.
Organizations need to bring some visibility and threat detection to their industrial assets. This can be done by applying technologies that are able to monitor the traffic passively to detect anomalies or suspicious activities. They should look for proven technologies that leverage artificial intelligence and machine learning to continuously monitor their networks for irregular behaviour and indicators of compromise.
Real-time cybersecurity and operational tools rapidly identify critical infrastructure threats and provide tools to stop or mitigate attacks before harm is done. Implementing such technology now as part of defence in depth programs will help prevent harm to people, the environment and society that could result from breaches to critical infrastructure systems.
In addition, for any organisation to reap the full benefits of connectivity, each device connected to the network must be viewed as a potential entry point so needs to be secured. It is crucial for organizations to ensure that multiple levels of protection are in place – from securing the network itself to monitoring it in real-time for anomalies that could indicate signs of compromise or that a cyber threat is present.
Overall, AI and ML can enhance cyber-attack detection by allowing the industrial sectors to monitor their networks in real-time and rapidly detect any changes from baseline behavior, thus facilitating containment and remediation efforts. They also speed up investigations of incidents to contain attacks before significant damage can occur, without needing to add additional staffing thus improving both the reliability and operational efficiency of critical industrial operations.
Edgard Capdevielle, CEO of Nozomi Networks
Image Credit: Den Rise / Shutterstock