In case you missed the first in an ongoing series of contributed articles to SecurityWeek, we are reposting it here for your consideration. Our view: the threat to critical infrastructure is real, and there is no time to continue talking about this as a theoretical problem...
I’ve been working in Industrial Control Systems (ICS) security for years and I’ve had conversations with hundreds of IT security and OT/ICS network practitioners. I’ve talked with them about the need to drive better security strategies for their industrial networks, gain deeper visibility, implement stronger defenses, and bridge the collaboration gap between security teams and the shop floor. My early conversations left me concerned as there didn’t seem to be much recognition of a problem. Increasingly, we’ve been met with a more encouraging amount of agreement in those discussions – from energy, to manufacturing, to oil and gas and so on – a majority understand they have serious problems to fix but we’d estimate only roughly 50% of those are prioritizing their resources to fix them.
What of the remaining 50%? They fall into two categories:
A. They don’t understand the level of exposure of their ICS networks, or they have a false sense of security. Unlike IT networks, where dozens of security technologies are deployed and reporting back on activity, ICS networks are generally a blind spot for security teams.
B. They think the risk is still hypothetical, or that it doesn’t warrant a priority focus over the dozens of IT security projects they need to tackle, because the volume of attacks pales in comparison to the noisy IT domain.
To a degree, when using this attack-based calculus, these folks aren’t – or, better phrased, weren’t – wrong. The daily barrage of attacks from all angles and from all adversaries isn’t a reality in ICS…yet. Clearly, there are major gaps that need to be filled on the IT side to drive better security - and as a result, this needs to be a priority. But where the argument falls apart rather quickly is when we do the math – literally! The only way to adequately prioritize activities is to calculate the risk. I’ve attempted this below by using the cyber risk framework outlined in NIST 800-82, taking into account the rapidly evolving ICS threat landscape, and measuring the consequence (impact) of attacks on these networks against those felt in the IT domain.
Risk = t v x(tv), where t = threat, v = vulnerability, and x(tv) = consequence of the threat successfully exploiting the vulnerability
Let’s Start with Consequence (Impact):
One could argue rather reasonably that the ‘cat and mouse’ or ‘whack-a-mole’ approach to IT security that we’ve relied upon for the past 10-20 years has been ‘effective enough.’ We’ve played a game with our adversaries wherein we see the early stages of trends in their attack methodologies and rush countermeasures to market. When we’ve done it well, we’ve been ahead of the bell curve and cut off major damage. When we’ve done it poorly, we’ve reacted far too late and responded after much bloodletting. When averaging things out – we’ve done ‘ok’…I suppose. To truly accept that conclusion, you’d have to be willing to accept that the billions in lost Intellectual Property, the tens of millions of stolen identities, the massive intelligence gains through campaigns like the one targeted at OPM weren’t that bad…
In ICS, we aren’t talking about data theft, we’re not talking about micro-level impact where individuals, companies or certain Government agencies/agendas are impacted - we’re talking about a macro level issue related to the potential disruption of essential services that drive the global economy and support day to day life. We cannot afford to rely on the same (sub)standard we used in IT Security over the past 10 years.
Let’s look at Vulnerability Next:
In the context of ICS, it is more meaningful to assess “attack surface exposure” of which vulnerabilities are just one aspect. We need to understand that there is inherent exposure due to some serious systemic issues:
1. There are many unique ICS threat vectors due to:
• Flat networks
• Legacy systems which can be 20-30 years old / systems shipped without security as a focus
  - Many of these systems are ‘end of life’
  - New systems are being shipped on insecure, ‘end of life’ operating systems like WinXP
• Increasing interconnectivity
• Poor remote access designs/remote access allowed for multiple vendors
2. There is basic or completely missing cyber hygiene in ICS networks compared to what we expect in IT.
• AV cannot be deployed on PLCs without prior certification by the ICS vendor or the warranty will be voided
• Segmentation of networks is challenging as it requires downtime in most cases
• IT security tools don’t work off the shelf in ICS networks – at best they do nothing, more often, they crash networks
• No consolidated governance – CISOs do not have eyes on those networks
• Many vulnerabilities don’t have patches (or the gear is end of life) – consider a 2016 FireEye Report which found that 33% of the 1,552 known vulnerabilities analyzed had no patch at the time of disclosure
• Many systems cannot be patched because of uptime requirements on the shop floor – consider a 2016 Kaspersky study which looked at patching in ICS and found that for one widely used vendor, “the proportion of the vendor’s software with unpatched vulnerabilities…could range between 17% and 93%.”
The “red lines” that conventional wisdom once held would prevent disruptive or destructive attacks against critical infrastructure have now been crossed numerous times, and we can safely assume they will be again.
The notion of Cold War-era “Mutually Assured Destruction” as a deterrent force has dimmed, and nation-states, jihadists and even cyber-criminals have taken notice. With Stuxnet, the 2013 New York Dam attack, the 2014 “Sandworm Team” campaign which penetrated U.S. electrical utilities, the December 2015 Ukraine power-grid attack (believed to have been perpetrated by Sandworm Team), a repeat of that attack late in 2016, and with IBM releasing an end-of-2016 report pointing to a 110% increase year-over-year in ICS attacks, the writing is clearly on the wall.
Nation-states do not fear reprisal and are likely to use ICS attacks as a component of geo-political conflict. Alarmingly, offensive cyber tools are becoming commonplace, lowering the bar for rogue nations, jihadists and hacktivists to get into the ICS attack game. And, cyber-criminals are figuring out that ICS networks are critical and therefore valuable, meaning it is only a matter of time until we see major ransomware trends in ICS.
Because of all of the above, I firmly believe that there is no more important work in the field of cyber right now than driving a rapid, exponential advancement in the security posture of industrial control networks. The threat is at our doorstep – this is the challenge of our industry for the next decade.
When these threats finally manifest themselves, will we be able to say we rose to that challenge or will we see the results of our inaction reverberate globally in a massive shock to our economic stability?