From Theory to Action: Strategies Against Industrial Cyberattacks
Cyberattackers have expanded their targets, increasingly focusing on operational technology (OT) networks. From power plants, nuclear facilities, and refineries to manufacturing and water treatment environments, critical infrastructure is under constant attack.
Unlike information technology (IT) environments, OT systems have lagged in security measures due to their recent internet connectivity and interaction with external systems. OT security systems still display low protection levels, with software often needing updates and patches, making them highly vulnerable to cyberattacks.
5 Methods Used by Threat Actors
What paths are cybercriminals taking to penetrate industrial networks? Here, we explore five commonly used methods and provide recommendations to thwart their intrusion and minimize their impact.
1. Through the IT back-office or enterprise network
Many successful intrusions into OT networks begin with attackers penetrating the IT network, gaining management, visibility, and control.
To counteract this, it's advisable to shield the industrial network with an "iron dome," akin to Israel's missile defense system. This approach detects, analyzes, and intercepts threats, monitoring traffic between OT and IT, filtering it to identify risks while enabling necessary operations.
Once this aspect is under control and separation between IT and OT is established, Zero Trust strategies can begin to be implemented in industrial environments.
2. Via transient information assets
These are physical devices temporarily connected to OT environments. Manufacturers, suppliers, and users of industrial networks often bring in laptops, USB drives, or even modems to connect to the internet and perform tasks such as modifying, updating, or developing components, for example programmable logic controllers (PLCs) and human-machine interfaces (HMIs), or optimizing data collection in SCADA systems.
These transient information assets often introduce infections to industrial networks, as many are contaminated with malware from the IT world.
Cybersecurity experts recommend implementing secure boundaries, requiring all devices to be audited and "cleaned" before being introduced to an industrial environment.
This process involves sanitization kiosks equipped with solutions and services that audit and eliminate any threats in transient information assets. Passing through this secure boundary must be mandatory before entering critical infrastructure.
3. Exposed control systems on the internet
This vulnerability arises when technicians leave equipment connected to the internet, either accidentally or intentionally, for example a master PLC that transmits sensor-generated data to the cloud.
Any device connected to the internet becomes a potential target for threat actors, who scan for vulnerabilities. When they identify a legacy operating system or a critical production line component, they relentlessly seek to compromise it.
Limiting the exposure of control systems to the internet, implementing firewalls, or using an iron-dome protection system between IT and OT is essential. Monitoring OT network behavior and communications can also prevent risks.
4. Privileged remote access
Industrial environments often span multiple regions and include equipment from various manufacturers. Manufacturers and operators eventually need remote access to perform maintenance, troubleshoot issues, add functionalities, and update systems, typically requiring privileged access.
Unfortunately, these actions often lack adequate cybersecurity measures, making them prime opportunities for cyberattackers to infiltrate industrial networks.
To address this, continuously monitor privileged remote access activities and maintain strict control over who enters and exits an industrial environment. This sets the stage for implementing Zero Trust in operational networks, where it’s critical to segment and protect information assets, authorizing only necessary and pre-approved external connections.
5. Malicious insiders
People remain the weakest link in the security chain. CISOs must pay close attention to employees who may pose real threats. Their motivations to enable breaches range from dissatisfaction and grievances to collusion with threat actors offering rewards to compromise security architecture.
This challenge is significant, as the consequences can be disastrous, and identifying root causes or changing employee mindsets is complex.
How can this weak link be strengthened? Through awareness, training, and communication, alongside integrating exhaustive personnel verification processes into the cybersecurity strategy. Additionally, privileged accounts in industrial networks must be monitored, authorized, and validated, keeping a close watch on individuals' activities, changes, and updates.
This also makes it possible to identify unauthorized movements or actions performed outside operating hours.
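The monitoring described for privileged remote access and for privileged accounts (pre-approved external connections, activity outside operating hours, and changes that need validation) can be reduced to a simple policy check over access logs. The following is an added example, not code from the article; the log format, the approved-connection table, the operating hours and the action names are assumptions chosen for illustration.

```python
from datetime import datetime, time

# Constructed sample of privileged remote-access log lines (not from the article).
# Format: timestamp | account | source address | target asset | action
SAMPLE_LOG = """\
2024-12-16T09:15:00 | vendor_acme   | 203.0.113.10 | PLC-07   | logic_download
2024-12-16T23:40:00 | vendor_acme   | 203.0.113.10 | PLC-07   | logic_download
2024-12-17T14:02:00 | contractor_x  | 198.51.100.5 | HMI-02   | config_change
2024-12-17T10:30:00 | operator_jdoe | 10.20.0.15   | SCADA-01 | read_tags
2024-12-18T03:12:00 | operator_jdoe | 10.20.0.15   | PLC-03   | firmware_update
"""

# Hypothetical policy: which external account/source pairs are pre-approved,
# what counts as the internal plant network, the operating hours, and which
# actions alter the process and therefore must be validated.
APPROVED_EXTERNAL = {"vendor_acme": {"203.0.113.10"}}
INTERNAL_PREFIX = "10."
OPERATING_HOURS = (time(7, 0), time(19, 0))
CHANGE_ACTIONS = {"logic_download", "config_change", "firmware_update"}


def parse_line(line):
    """Split one pipe-delimited log line into a dict with a parsed timestamp."""
    ts, account, source, asset, action = [f.strip() for f in line.split("|")]
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "source": source, "asset": asset, "action": action}


def review_event(ev):
    """Return the policy findings for one event; an empty list means compliant."""
    findings = []
    external = not ev["source"].startswith(INTERNAL_PREFIX)
    if external and ev["source"] not in APPROVED_EXTERNAL.get(ev["account"], set()):
        findings.append("external connection not pre-approved")
    if not (OPERATING_HOURS[0] <= ev["ts"].time() < OPERATING_HOURS[1]):
        findings.append("outside operating hours")
    # A process change on top of another finding is the case to escalate.
    if ev["action"] in CHANGE_ACTIONS and findings:
        findings.append("change action requires validation")
    return findings


def review_log(text):
    """Return only the events that produced findings, in log order."""
    report = []
    for line in filter(str.strip, text.splitlines()):
        ev = parse_line(line)
        findings = review_event(ev)
        if findings:
            report.append({**ev, "findings": findings})
    return report
```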
Two Different Worlds
As discussed, attack vectors in industrial environments may resemble those in IT. However, the approach to protection is vastly different.
In combating cyberattacks on industrial networks, awareness and proactive action are critical. Adopting robust and specific security strategies for OT environments, coupled with understanding vulnerabilities and their mitigations, is essential to preserving the integrity of critical infrastructure. A comprehensive, evolving approach that adapts to emerging threats is fundamental. Only through this level of dedication can current and future challenges in the industrial cybersecurity landscape be effectively addressed.
By Erik Moreno | Director of Cybersecurity
Fri, 12/20/2024 - 10:00