Here are a few stories that turned our heads in Operational Technology (OT)/ Industrial Control Systems (ICS) security over the past week:
The Trump administration accused Russia on Thursday of engineering a series of cyberattacks that targeted American and European nuclear power plants and water and electric systems, and could have sabotaged or shut power plants off at will.
United States officials and private security firms saw the attacks as a signal by Moscow that it could disrupt the West’s critical facilities in the event of a conflict.
They said the strikes accelerated in late 2015, at the same time the Russian interference in the American election was underway. The attackers had compromised some operators in North America and Europe by spring 2017, after President Trump was inaugurated.
Our Take: The continuing trend of political gamesmanship playing out in the critical infrastructure apparatus around the world is obviously very concerning. The normal sequence of attack (or, reconnaissance, as it appears in this case), followed by accusations and denials, is becoming more frequent. As many industrial targets are owned by private industry, but attacked by government-sponsored hacking teams, a protection strategy is going to require thinking differently about national security and involve a greater coordination of the public and private sectors. It appears the U.S. has a way to go on that front based on the next story.
When it comes to cyberattacks against critical infrastructure, election systems and businesses, Sen. Mark Warner (D-Va.) believes the United States is "woefully unprepared" to handle threats from nation-states and others.
"We don't have our act together at all," Warner said at March 12 panel at South by Southwest. "We don't have a whole of government strategy… There needs to be a much greater sense of urgency."
Warner added this unpreparedness "goes back a decade-plus," and pointed to America's $700 billion in annual defense spending -- by far the most in the world -- with proposed decreases in non-defense-specific research and development dollars and without a current cyber warfare doctrine.
"I would argue from a national security standpoint, we may be investing in the best 20th century military money can buy, and we ought to be thinking a lot of the conflict of the 21st century is going to be in cyber and misinformation and disinformation," he said. "A reallocation of some of those resources would be worthy of debate."
Our Take: Private industrial sectors are only now beginning to address their OT cyber-security risks following what we’ve called “the lost decade”. Many (including Senator Warner) argue the public sector is at least as far behind in addressing OT security as a matter of national security.
In August, a petrochemical company with a plant in Saudi Arabia was hit by a new kind of cyberassault. The attack was not designed to simply destroy data or shut down the plant, investigators believe. It was meant to sabotage the firm’s operations and trigger an explosion.
The attack was a dangerous escalation in international hacking, as faceless enemies demonstrated both the drive and the ability to inflict serious physical damage. And United States government officials, their allies and cybersecurity researchers worry that the culprits could replicate it in other countries, since thousands of industrial plants all over the world rely on the same American-engineered computer systems that were compromised.
Investigators have been tight-lipped about the August attack. They still won’t identify the company or the country where it is based and have not identified the culprits.
Our Take: The implications of this attack clearly ups the ante in cyber-warfare. The potential for massive destruction and loss of life hopefully makes it easier for the world’s leaders to recognize industrial hacking as a new kind of weapon and prioritize investment in an OT cyber-defense strategy. On the positive side, tools like Claroty Continuous Threat Detection can detect these types of previously unseen attacks. Last year’s Triton attack, targeting Schneider Electric Triconix controllers, is an example. Check out our blog post on Schneider’s presentation at January’s S4X18 for more detail.
Homeland Security Today: Utility Firms Say Cybersecurity Threats Will Have Biggest Impact on Operations
A survey of over 20,000 utility employees found that cyber threats are what they fear could have the biggest impact on operations.
The BRIDGE Energy Group’s 2018 BRIDGE Index Grid Security Survey found that 35 percent of respondents cited cyber threats as the factor most likely to impact their operations, more than double the next largest cited factor of critical employee retirements.
The survey also found that the firms surveyed varied in how they allocated responsibility for managing cybersecurity risks. Thirty percent allocated such responsibility to their compliance team, while 27 percent allocated it to asset owners.
“Utilities will need to re-think their own provisioning of internal Cybersecurity and CIP compliance services to reduce burdens and free-up minds and resources to address the challenges ahead,” Bridge Energy Group said.Our Take: One of the troubling aspects of this story is the ownership for managing OT cyber-risk. 57% of the firms surveyed have assigned ownership for managing cyber-security risk to either the compliance team or asset owner. The concern is one of priorities and motivation, and possibly skill set. Compliance teams tend to align to external mandates (government regulation, etc) which define the minimum requirement to avoid penalties. Asset owners are generally aligned with Operations teams which are focused on uptime and productivity. While we have to assume the security team in an influencer in both of these scenarios, we believe industrial firms must unify their ownership of IT and OT cyber-risk and manage it holistically across the business.