As the son of a lifelong sailor and a current part-time farmer, I’ve had many lessons on reading the wind and judging the weather for impending storms. As a nearly 15-year veteran in cybersecurity, I’ve become accustomed to watching threat cycles emerge while we’ve collectively been too slow to recognize and respond to them. With those experiences at my core, I can’t help but conclude that we are on a dangerous course related to our most sensitive networks – those that power the essential services and elements of production that drive our global economy. I believe that the winds have shifted significantly in Industrial Control Systems (ICS) / Critical Infrastructure cybersecurity over the past few years – and that specifically over the past few months, we can see that dark clouds are forming.
I also believe that we are standing on incredibly shaky ground with respect to our preparedness – that despite decades of discussion, we’re not ready to meet and counter the evolving threat.
In the past six months alone, we’ve arguably seen more threat activity targeting or impacting these networks than we have in the past few years. While we’ve not seen major disruptive or destructive attacks – causing severe, widespread and prolonged disruption to essential services – we have seen instances in which red-lines have been crossed and cyber-attacks against Energy targets have led to outages.
The incidents in Ukraine in 2015 and 2016 should be a stark wake-up call for us all. They represent the erosion of what were previously believed to be bright “red-lines” that nation states would not cross. They also embolden future activity and the entrance of new players in this dangerous game, given the lack of any real response or retribution. This is evidenced by a recent wave of disclosures related to threat activity in this space (detailed further below).
We must be careful to understand, however, that these are not the only scenarios to concern ourselves with in ICS cybersecurity. In April of 2017, we warned of the impending threat of ransomware to the ‘shop-floor.’ We believe that cybercriminals are increasingly recognizing the importance of these networks, the ease with which they can be targeted and the huge potential for monetary gain. When looking at the impact of the spill-over of WannaCry and Petya/NotPetya ransomware into ICS networks, our thesis is proven and – although most believe nation-states were behind these attacks/that they were not specifically targeted at ICS – copy-cat activity is likely to manifest.
Let’s look at some of the recent threat activity in this space and then talk a bit about steps that can be taken to drive better security.
Nation-State Targeting of Energy, Nuclear, Critical Manufacturing and Transportation:
- October 2017 - FireEye warns of North Korean campaign targeting US Energy
- October 2017 – DHS releases public warnings of threat activity targeting Critical Infrastructure – expanding list of targets to Water, Critical Manufacturing, Transportation, Global Government
- September 2017 – Symantec releases “Dragonfly 2.0” report detailing threat activity (believed to be Russian) against global critical infrastructure targets (could be but not proven to be the same activity as July reports below)
- July 2017 – A US-CERT report detailing (believed to be Russian) threat activity against US Nuclear and Energy finds its way to the press
- 2016 – Ukraine Energy grid attack
- 2015 – Ukraine Energy grid attack
- 2014 – Sandworm Team targeting global government, US Energy (believed to be the same actors behind Ukraine)
A Nearly $1b Financial Hit from Ransomware Spill-Over
In the Claroty labs we spent a good deal of time analyzing both the WannaCry and Petya/NotPetya ransomware. The good news is that we could not find any indications that either was specifically targeted at ICS. The bad news – it didn’t matter. Both still found their way into ICS networks – and both still caused disruption even though they did not specifically encrypt ICS-specific file extensions.
Taking the case of Petya/NotPetya to heart, we should be able to see the dramatic consequence of future attacks that either spill over or are specifically targeted.
The losses are major…
- Maersk – estimated losses from Petya/NotPetya at $300m
- FedEx – estimated losses from Petya/NotPetya at $300m
- Mondelez reported material impact/revised growth forecast
- Reckitt Benckiser estimated losses at more than $100m
Hopefully, you’re reaching the same conclusion that I have reached – threats to this space are evolving at a rapid pace and we must immediately take note/take action to counter this reality.
Against that backdrop, I offer some constructive thoughts on things that can be done by pointing to a recently published article.
Galina Antova – Claroty’s Co-Founder – recently published an article in SecurityWeek which prescribes some actions that can be taken to get your organization on a path to better preparedness against these growing threats. You can read the full article here and below you can see some of the key takeaways.
1. Acknowledge the threat and communicate it LOUDLY across your organization: A year ago, you might struggle to find examples that would be cause for pause or turn heads inside your organization. Today, you should be able to clearly demonstrate the need for action…
2. Stand up a project NOW – this year – to improve security for your ICS network as early as possible into 2018: If you believe the thesis that the threat is growing and we will see more attacks in the very near future, then there is no time but the present to take action…
3. Talk to your suppliers, your peers and industry analysts about where you should be focusing: In the past few months, a number of the world’s biggest ICS equipment vendors have announced partnerships with cybersecurity firms. These are the people that make your network gear/that have a responsibility to help you protect it. Talk to them…
4. Tackle the biggest issues first: Asset discovery is a major issue in ICS network environments. “No way, Galina – we know exactly what is in our network. I have it all documented right here on this Excel spreadsheet dated this time last year.” Trust me, this is a norm in this space. I cannot even enumerate how many times we’ve walked into an engagement and immediately shown the practitioner a huge list of assets they didn’t even know they had. You can’t secure what you don’t know you have. So, prioritize asset discovery. Also – look into monitoring solutions specifically built for the ICS domain. There are half a dozen or so companies engaged in this space. You have to start with a solid foundation – you need to know what is coming and going/what “normal” is in these environments so that you can get on the path to rapid detection, response and remediation of threats.
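One way to act on that last point, as an added example that is not from the post and not Claroty's code: reconcile the documented inventory against hosts seen passively in flow records, then flag conversations outside a learned baseline of what “normal” looks like. All addresses, the inventory and the flow records are constructed sample data; the port-to-protocol table uses the well-known Modbus/TCP, S7comm and EtherNet/IP ports.

```python
from collections import defaultdict

# Ports of common ICS protocols (real, well-known assignments).
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 44818: "EtherNet/IP"}

# Constructed "spreadsheet" inventory: what the site believes is on the network.
DOCUMENTED = {"10.10.1.10": "PLC-1", "10.10.1.11": "PLC-2", "10.10.1.50": "HMI-1"}

# Constructed flow records (src, dst, dst_port): a known-good baseline window,
# then a later monitoring window containing things the baseline never saw.
BASELINE_FLOWS = [
    ("10.10.1.50", "10.10.1.10", 502),
    ("10.10.1.50", "10.10.1.11", 102),
    ("10.10.1.50", "10.10.1.12", 502),   # a PLC nobody put on the spreadsheet
]
NEW_FLOWS = [
    ("10.10.1.50", "10.10.1.10", 502),   # normal HMI-to-PLC polling
    ("10.10.1.77", "10.10.1.10", 502),   # undocumented host issuing Modbus
    ("10.10.1.50", "10.10.1.11", 445),   # SMB towards a PLC: never seen before
]

def observed_assets(flows):
    """Map every host seen on the wire to the ICS protocols it took part in."""
    seen = defaultdict(set)
    for src, dst, port in flows:
        proto = ICS_PORTS.get(port)
        for host in (src, dst):
            seen[host]  # record the host even when no ICS protocol was involved
            if proto:
                seen[host].add(proto)
    return {host: sorted(protos) for host, protos in seen.items()}

def unknown_assets(flows, documented=DOCUMENTED):
    """Hosts that are talking on the network but absent from the inventory."""
    return sorted(h for h in observed_assets(flows) if h not in documented)

def deviations(flows, baseline, documented=DOCUMENTED):
    """Flows outside the baseline set of (src, dst, port) conversations, tagged with why."""
    findings = []
    for src, dst, port in flows:
        if (src, dst, port) in baseline:
            continue
        reason = "new ICS conversation" if port in ICS_PORTS else f"non-ICS port {port}"
        if src not in documented or dst not in documented:
            reason += " with undocumented host"
        findings.append((src, dst, port, reason))
    return findings
```

Run `unknown_assets(BASELINE_FLOWS + NEW_FLOWS)` to see the two hosts missing from the spreadsheet, and `deviations(NEW_FLOWS, set(BASELINE_FLOWS))` to see the Modbus traffic from an unknown host and the SMB connection to a PLC that the baseline never contained.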
In a follow-on article soon to be published, she will tackle technical advice in the hopes of providing a blueprint you can follow to make rapid and impactful changes to your own security posture.
Here’s to hoping we recognize what is going down and can be judged as being on the right side of history.