In light of increasing cyber attacks on critical national infrastructure, what are the immediate risks to industrial control systems and other operational technology, and what steps can be taken to address them?
The industrial control systems (ICS) that underpin our critical national infrastructure (CNI) face ever-increasing risk. The immediate risks to ICS and other operational technology (OT) fall into three areas: the growing incidence of ransomware, changing connectivity, and increased attention from attackers.
Ransomware can have a devastating effect on a business or organisation, as the UK NHS found out with WannaCry in 2017. The impact of these kinds of attacks means an immediate response is required to recover operational capabilities. The fact that the effects are often clearly visible to the public, as was the case with Deutsche Bahn when their customer information displays were encrypted, also creates pressure for swift action.
A more recent example was the attack on Norsk Hydro by the LockerGoga ransomware. This was a financially motivated, criminal attack, conducted directly against the company’s networks. The attack resulted in production stoppages in Europe and the US and the company reverted to manual operations while the issue was contained. It affected 22,000 computers across 170 different sites in 40 countries, with recovery taking over three months and costing at least £45m.
A disturbing trend, particularly facing critical infrastructures, is the way ransomware is evolving with some versions specifically targeting industrial control systems, making it easier to hold critical infrastructure operators to ransom.
Changes in connectivity to operational technology are another factor increasing the risk to control systems. These include the growing adoption of cloud technology to support, or process data from, operational technology, which results in operational data residing outside traditional boundaries.
A further vulnerability arises from the closer integration of IT and OT infrastructures, generally for valid business or productivity reasons, but which creates an increased number of access paths to the operational technology.
In addition, the increasing use of commercial-off-the-shelf (COTS) technology means operational technology is at greater risk from common attack techniques and tools which, because of the proprietary technology previously in use, were once largely confined to IT infrastructure. Then there is the risk from the growth in remote working caused by the current travel and distancing restrictions, which means more use of remote access.
Greater interest in critical infrastructure
The recent attempted attack on the Oldsmar water treatment plant in Florida is an example of an attempt to exploit remote access to compromise operational technology. The attacker was able to gain access to industrial control software to alter the concentration of sodium hydroxide in the treatment system from 100 ppm to 11,100 ppm. Luckily in this instance, a vigilant plant operator noticed the change and reversed it immediately, but if this had not happened, the attack could have affected the health of around 15,000 residents supplied by the plant.
Operational technology is also receiving increased attention because there is more information available to attackers. Dedicated internet search tools, such as Shodan, help discover industrial devices which are connected to the internet, and dedicated operational technology hacking tools, such as “Industroyer”, reduce the level of knowledge required to attempt an attack.
In parallel, there is ever-increasing knowledge about industrial systems and operational technology, partly as a result of the changing connectivity and merging technologies, but also from the increasing disclosure of vulnerabilities.
So, bearing these immediate risks in mind, what can be done?
Understand your systems
This first piece of advice is as old as some of the technology in use. It is essential to know what assets you have in your operational technology and understand how they relate to what you do.
If a vulnerability is disclosed for a component, the potential impact of the vulnerability can only be properly assessed if the proliferation of the component within the infrastructure is known. The response will be very different for a component in limited use on an isolated system compared to a common component across multiple critical systems.
Understand the risks
Risk assessments must be completed for all critical systems and revisited on an annual basis, or in response to a significant change in threat or system configuration. The risk assessments should be based on credible threat scenarios for the organisation and should develop into risk mitigation plans.
Ensure critical infrastructure is ‘Secure by Design’
It is widely acknowledged that it is easier and more cost effective to design something securely from the start, as opposed to trying to incorporate security features at a later stage. Whilst this approach can only be adopted for new systems, the guiding principles of “secure by design” should be incorporated where possible.
In addition, the approach should be sufficiently broad to look beyond the technology and make the people and processes “secure by design” as well.
Actively monitor critical systems
It is essential to understand what is happening both within your network and at the boundaries, as well as having an established baseline of normal behaviour for your infrastructure and systems. This can be much easier to achieve with the greater availability of mature and OT-specific monitoring solutions.
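The kind of baseline check described above, as an added illustration that is not part of the original article: setpoint writes recorded in an OT audit log are compared against engineering limits and a list of trusted engineering hosts, so that a write like the 100 ppm to 11,100 ppm change at Oldsmar is flagged the moment it is logged. The log line format, tag names, host names and limits are all constructed for this example.

```python
# Added example (not from the article): check setpoint writes in an OT audit
# log against an engineering baseline. Log format, tag names, host names and
# limits are all constructed for illustration.
import re

# Constructed baseline: engineering limits per tag, and hosts allowed to write.
BASELINE = {
    "NAOH_DOSE_PPM": {"low": 50.0, "high": 150.0, "max_step": 20.0},
    "PUMP1_SPEED_PCT": {"low": 0.0, "high": 100.0, "max_step": 25.0},
}
TRUSTED_HOSTS = {"hmi-01", "eng-ws-02"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) tag=(?P<tag>\S+) "
    r"old=(?P<old>[-\d.]+) new=(?P<new>[-\d.]+)$"
)

def check_write(ts, host, tag, old, new):
    """Return (timestamp, tag, reason) tuples for one setpoint write."""
    limits = BASELINE.get(tag)
    if limits is None:
        return [(ts, tag, "write to tag not in baseline")]
    alerts = []
    if host not in TRUSTED_HOSTS:
        alerts.append((ts, tag, f"write from untrusted host {host}"))
    if not limits["low"] <= new <= limits["high"]:
        alerts.append((ts, tag, f"value {new:g} outside engineering range"))
    if abs(new - old) > limits["max_step"]:
        alerts.append((ts, tag, f"step {abs(new - old):g} exceeds max_step"))
    return alerts

def scan(log_lines):
    """Parse audit lines and collect every violation; unparseable lines are skipped."""
    alerts = []
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if m:
            alerts.extend(check_write(m["ts"], m["host"], m["tag"],
                                      float(m["old"]), float(m["new"])))
    return alerts

# Constructed sample lines; the last mirrors the kind of jump described above.
SAMPLE_LOG = [
    "2021-02-05T13:00:01 host=hmi-01 tag=PUMP1_SPEED_PCT old=60 new=70",
    "2021-02-05T13:05:10 host=hmi-01 tag=NAOH_DOSE_PPM old=100 new=110",
    "2021-02-05T13:30:00 host=remote-desk-9 tag=NAOH_DOSE_PPM old=100 new=11100",
]
```

Calling scan(SAMPLE_LOG) yields nothing for the two routine writes and three alerts for the last line: untrusted source host, value outside the engineering range, and a step far larger than any legitimate adjustment.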
Be ready to respond to incidents
Finally, there has to be a tried and tested incident response plan which properly considers cyber causes of failure and guides the responses needed to recover systems and restore operations in line with business objectives.