Throughout this blog series, I have examined real-world ICS cyber-related incidents as a way of looking back to predict what the next attack may look like. The three categories of attacker that I have considered so far are disgruntled insiders, ransomware groups, and APTs. Knowing about past events, their impact, and how they unfolded can be critical for thwarting similar attacks in the future. As citizens with little or no control over the ICS in our lives, this knowledge may help us prepare for catastrophe with appropriate supplies or emergency plans.

As important as it is to study the past and learn from what is already known, it would be foolish to limit our consideration to the events which are behind us. (You wouldn’t drive using just your rear-view mirror, would you?) In this final installment of the series, I will attempt to turn on the headlights and speculate on what other disruptive ICS events may be on our horizon.

It is likely that attacks from all three of the sources I’ve discussed in this series will continue until serious efforts are made to prevent intrusions or at least identify and evict intruders before they can cause harm. It’s also worth mentioning that the above groups are not mutually exclusive. A disgruntled insider may sell access to a ransomware gang or get recruited by a foreign adversary. Some ransomware attacks have also been attributed to military operations either as a false flag or simply as a means of generating revenue. As I have observed in my own research as well as countless infosec briefings, many ICS networks are very exposed and give attackers an open door to access ICS networks. Fortunately, the complexity of these systems and the real-world implications of their failure are enough to ...