How the Past 6 Months Have Shaped ICS Risk

During the past year, there has been heightened awareness of the risks posed by industrial control system (ICS) vulnerabilities, with researchers and vendors focusing on identifying and remediating these vulnerabilities as effectively and efficiently as possible. This isn’t a new phenomenon, but the interest in understanding these risks has gained traction among organizations and researchers alike. Understanding, evaluating and reporting on the comprehensive ICS risk and vulnerability landscape benefits the entire operational technology (OT) security community and allows asset owners to address risk in a responsible and effective way.

To see the full picture of the ICS risk and vulnerability landscape today, it’s important to take a step back and look at the external factors influencing it.

Events ranging from security incidents and regulatory changes to geopolitical developments and global crises have shaped the world of ICS vulnerabilities. This relationship of correlation and influence helps define this ICS risk landscape and its impact on OT security practitioners, the industrial operations they are entrusted to protect and the ICS community as a whole.

Three major events likely played a role in shaping this landscape during the first half of 2020.

  1. The COVID-19 Pandemic

Cyber adversaries have been known to take advantage of global instability, and the economic, cultural and behavioral uncertainty brought on by COVID-19 is no exception. Three areas in particular have been intensified by the pandemic:

Phishing Attacks and Spam Campaigns: While phishing attacks are not a new attack vector in OT environs, the frequency of phishing attacks and spam campaigns gained momentum around the same time that COVID-19 was recognized as a global pandemic. Cyber adversaries began registering domains containing terms such as “corona” and “covid19” and creating fraudulent websites to spread malware or solicit funds under the disguise of pandemic-related health insurance applications or fundraising campaigns.

Cyber Attacks Targeting the Healthcare Sector: COVID-19 has no doubt increased the susceptibility of hospitals and medical centers to fall prey to ransomware groups. Adversaries recognize these types of institutions as a vital necessity. They hold valuable data and information on advances in technologies, developments around coronavirus vaccines, intellectual property (IP), public health data and patient information. These institutions are more likely to pay ransoms because they simply cannot afford to lose access to their critical systems. Needless to say, several targeted ransomware attacks impacted the U.S. and European healthcare sectors during 1H 2020.

Uptick in Remote Workforces: Shelter-in-place mandates forced by COVID-19 have required companies to find remote alternatives for their employees. The rapid increase in remote workers created security gaps and an expanded attack surface for many organizations. Having quickly realized that targeting remote workers provides a viable path into enterprise networks—and for industrial enterprises and critical infrastructure organizations, including OT networks—adversaries have continued to exploit unpatched virtual private network (VPN) systems and legacy Windows vulnerabilities.

  1. The Attempted Cyberattack on Israeli National Water Supply

In April 2020, an attempted cyberattack targeted the command and control systems of the Israel Water Authority’s water treatment station, which led Israel’s National Cyber Security Authority to issue an alert for all companies to secure their publicly accessible devices.

While water infrastructure isn’t always recognized by the general public as a major source of cyber risk, it remains susceptible to both targeted and opportunistic threats. Although most water utilities are owned and operated at a local level, the water and wastewater sector warrants high prioritization of cybersecurity on a global level, due to the combination of its legacy systems and growing connectivity. This is reinforced by findings in our “Biannual ICS Risk and Vulnerability Report,” which revealed water and wastewater to be one of the top sectors impacted by ICS vulnerabilities, with 171 unique Common Vulnerabilities and Exposures (CVEs) out of 385 across all sectors.

Reliable and safe access to water plays an essential role in modern life. Amid the COVID-19 pandemic, cyberattacks against water infrastructure have high potential to cause a significant threat to public health, making effective vulnerability management an especially high priority for this critical infrastructure sector.

  1. The Disclosure of Ripple20 Vulnerabilities

In June, cybersecurity firm JSOF disclosed a set of 19 zero-day vulnerabilities collectively known as Ripple20. The vulnerabilities are present within the Treck TCP/IP stack, which is used by hundreds of millions of devices—including OT and internet of things (IoT) devices. For any such devices still in use, the risks are significant and range from denial-of-service attacks and data exposure to remote code execution on affected devices. JSOF identified the industrial, medical, retail, transportation, oil & gas, aviation and government sectors as particularly affected by the Ripple20 vulnerabilities.

Minimizing ICS Risk

While this can be alarming, organizations can implement the following to help minimize the risk and mitigate the impacts of ICS vulnerabilities:

Protecting Remote Access Connections: Security practitioners are encouraged to verify current patch levels of  VPN versions, monitor remote connections (particularly those to OT networks and ICS devices), enforce granular user-access permissions and administrative controls, and enforce multi-factor authentication.

Protecting Against Phishing, Spam and Ransomware: The increase in remote work means an increased risk of personnel being targeted by phishing or spam attacks. Employees can mitigate this by adhering to the following:

  • Do not open emails or download software from untrusted sources.
  • Do not click on links or attachments in emails that come from unknown senders.
  • Do not supply passwords or personal or financial information via email to anyone.
  • Always verify the email sender’s email address, name and domain.
  • Backup important files frequently and store them separately from the main system.
  • Protect devices using antivirus, anti-spam and anti-spyware software.
  • Report phishing emails to the appropriate security or IT staff immediately.

Protecting Internet-Facing ICS Devices: If not properly protected, internet-facing ICS devices can provide a pathway into OT networks and the vital industrial processes they underpin. Making matters worse, adversaries are known to have at their disposal multiple open source, legitimate, internet-scanning services to help them easily identify web-based human machine interfaces (HMIs) and other ICS devices that may have become inadvertently exposed to the internet. OT security teams should:

  • Ensure all internet-connected ICS devices are password-protected and that stringent password hygiene is enforced.
  • Implement granular role- and policy-based administrative access for all ICS devices and connected systems.
  • Secure all remote access connections using mechanisms such as encryption, access control lists and appropriate remote access technologies suitable for OT networks.
  • Adhere to OT security best practices such as maintaining an accurate asset inventory, properly segmenting OT networks, implementing continuous threat monitoring and maintaining comprehensive risk and vulnerability management practices.

To sum it up, the best practice for minimizing risk is twofold: comprehensive visibility and proper risk assessment. This means having both a complete understanding of the devices in your network infrastructure, including how devices communicate with each other, in addition to identifying the correct risk profile of each device to protect them as best as possible. While the world continues to adapt to new normals, it’s equally important to keep up with and understand how the ICS risk and vulnerability landscape changes.

Amir Preminger

Amir Preminger is VP of Research at Claroty

amir-preminger has 1 posts and counting.See all posts by amir-preminger