
The Rise of Industrial Cybersecurity

By Alexandro Fernández - Coca-Cola FEMSA
OT Cybersecurity Leader


Mon, 09/05/2022 - 13:00


Let’s start by defining what an Industrial Control System (ICS) is. According to NIST,[1] ICS is a general term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations, such as Programmable Logic Controllers (PLC), often found in the industrial sectors. It consists of combinations of control components (e.g., electrical, mechanical, hydraulic, pneumatic) that act together to achieve an industrial objective (e.g., manufacturing, transportation of matter or energy).

They are also known as embedded cyber devices that operate critical infrastructures[2] (systems and assets, whether physical or virtual, so vital to a country that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters) and are lesser-known devices that are unique to what we know as operational technology (OT), which is different from the well-known enterprise information technology (IT).

Now that we have the definition for ICS, let’s define Industrial Cybersecurity: “The prevention of (intentional or unintentional) interference with the proper operation of industrial automation and control systems. These control systems manage essential services, including electricity, petroleum production, water, transportation, manufacturing and communications. They rely on computers, networks, operating systems, applications and programmable controllers, each of which could contain security vulnerabilities.”[3]

ICS Cyber Incidents

Despite what we might think, ICS cyber incidents started a very long time ago, so I’ll mention just a few examples. In 1903, Marconi’s wireless telegraph was hacked during the Preliminary Conference on Wireless Telegraphy presentation held in Berlin. This is considered the first malicious hacking of secure communications.

In 2000, the Maroochy water system in Australia was hit by a cyberattack, altering electronic data, in particular sewage pumping stations, and causing malfunctions in their operations, resulting in the release of more than 265,000 gallons of untreated sewage.

In 2005, a destructive cyberworm attack on 13 of Daimler-Chrysler’s U.S. automobile manufacturing plants caused an estimated US$14 million in damage.

But the game changer occurred in 2010, with STUXNET, a computer worm created to cause substantial damage to the Iranian nuclear facility located in the city of Natanz. This is the first cyberweapon built jointly by the US and Israel in a collaborative effort known as Operation Olympic Games.

Another annoying aspect that impacts industrial cybersecurity is that cyberspace is also being used as a battlefield. We have observed this since 2008, during the Ossetia war between Russia and Georgia, when several cyberattacks were carried out on critical infrastructure in Georgia causing, for example, the Baku–Tbilisi–Ceyhan gas pipeline explosion. Also, in June 2017, Ukraine was hit by several cyberattacks that swamped websites of Ukrainian organizations, including banks, ministries, newspapers and electricity companies.

During 2021, we observed more advanced and destructive supply chain attacks than ever seen before. Threat actors are focusing their efforts on finding technical vulnerabilities (known as CVEs) and the bad news is that they are having a lot of success. Also, modern cyber-criminal operations have become so developed that a service industry has emerged with a common business model: ransomware-as-a-service (RaaS), which is severely impacting ICS and is expected to increase in the coming years.

Challenges

First, we need to understand that cyber warfare today is asymmetrical. Why? There are several reasons. It is enough for threat actors to find one single hole through which to infiltrate the defender’s networks (enterprise and industrial) for the cyberattack to take place and lead to a full compromise. The cost of protecting these OT assets is getting higher and harder to meet. On the other hand, attacks are getting cheaper to deploy and more profitable for attackers. Finally, for cyberattackers, there is almost no price for attempting an attack – they can keep trying until they finally succeed.

The bad news is that threat actors are looking for more and more ways to penetrate these OT networks and, unfortunately for us, they are having success. There are several reasons for this but we can say that they are driven by different factors. Here are four that are very relevant: 

  1. IT/OT convergence – ICS ceased to be isolated once the incorporation of IT components in the ICS domain became a common practice. Converging OT with IT networks enabled organizations to simplify the management of complex environments while also introducing new cybersecurity risks. Managing IT/OT integration is a significant challenge.
  2. High obsolescence on legacy ICS – It is very common to find ICS running Windows operating systems that are no longer supported, which is pure gold for threat actors due to the number of technical vulnerabilities present in these operating systems.
  3. Lack of security patches – This is related to the prior factor because it is very hard to maintain the latest versions of the technical patches on an ICS ecosystem. In these environments, applying updates is challenging since this operation needs to be scheduled and performed during downtime.
  4. Talent shortage – A lack of operational technology (OT) security professionals is threatening industrial companies. Many companies have faced significant OT security staffing challenges, such as overloaded employees and difficulties attracting personnel, and this is a very challenging situation.

Call to Action

Threat actors are finding a very lucrative area in the OT space. They have realized that it is a greenfield that they can easily abuse to generate huge profits with low effort. We have a clear disadvantage on the defensive side: threat actors have everything they need to succeed and we as defenders have a lot to do to start protecting our OT environments.

To face this situation, it is very important for industrial organizations to carry out a series of steps and activities that can help them to enhance their cybersecurity posture, protect their OT assets and manage cyber risks in an orderly, focused, and prioritized manner. For example, the use, adoption and application of cybersecurity standards, guidelines and best practices are the keys to success regarding cyber protection to properly manage threats in the current landscape.

For good or bad, we are at a turning point. Today, organizations that operate ICS should start, or continue, building their OT cybersecurity program to be prepared for the next cyberattack, because sooner or later this will happen. A holistic security approach is a must; people, process and technology should be part of the OT cybersecurity strategy. If you are not sure where to begin, you can start by identifying the crown jewels, establishing a multidisciplinary team, getting professional advice from OEMs[4] and other specialized OT cybersecurity companies and starting to protect your industrial ecosystem.

 

[1] National Institute of Standards & Technology

[2] Critical Infrastructure (NIST SP 800-30)

[3] Wikipedia, Control system security

[4] OEM (original equipment manufacturer): Maker of a system that includes other companies’ subsystems, an end-product producer, an automotive part that is manufactured by the same company that produced the original part used in the automobile's assembly, or a value-added reseller.
