Whilst working for a management consultancy, I learned a lot more about industrial control systems (ICS) than I ever imagined I would. In many cases, this wasn’t from working on them directly; it was from simply speaking to the technicians and reading documentation. Oftentimes, we have the false belief that our systems are safe from compromise because no one really knows how they work. It’s like security through obscurity. However, what I have also learned over time is that humans are the architects of these solutions. Whilst they may vary slightly, these solutions are not so innovative that one can’t uncover their nuances in a bit of time. Therefore, relying on obscurity to keep things safe is one of the poorest excuses to not take action.

Common Threat Types to Consider

As noted in the Verizon 2019 Data Breach Investigations Report (DBIR 2019), a majority of attacks against ICS involve phishing and the use of stolen credentials. Over in IT, we recognize this as having almost always been an issue, one that continues to get worse as phishing increases in sophistication. Further still, as the report states, 68% of incidents and breaches were financially motivated – which is the number one motivation for all malicious attacks across any industry. Due to this, it’s not hard to understand why malicious actors were able to create custom malware to target systems, as seen in the Ukraine power grid hack of 2015.

One way to describe a breach is as someone sticking their hand into a box, not being able to see directly, but feeling their way around in it to find the best prizes. Essentially, even in a targeted attack, unless you have insider information and know exactly what to look for, usually you’re on the system attempting to map it out, understand