Concerns regarding cyberattacks against critical infrastructure have elevated industrial control systems (ICS) security to a mainstream topic. The first half of the year saw an increase in vulnerabilities found in ICS, exposing the high risk for attacks. As businesses continue connecting devices to the internet and converging operational technology (OT) under IT systems management, it’s more important than ever to understand these vulnerabilities and adequately mitigate and respond to risks.
Many of the events that increased awareness of current ICS risks and vulnerabilities were ransomware attacks. These incidents elevated awareness of ICS and OT network security and brought these topics into mainstream conversations.
Colonial Pipeline, the East Coast’s largest gasoline, diesel and natural gas distributor, was hit by a ransomware attack in May 2021, and the attack impacted oil and gas delivery for millions of people. DarkSide, a Russian cybercrime group that sells ransomware as-a-service (RaaS), was responsible for the attack. Colonial paid a $4.4 million ransom in Bitcoin ($2.3M of it was recovered by the U.S.), however, shortly after the attack, DarkSide reportedly abandoned its operation.
This incident not only made headlines but also shed light on how ransomware attacks have evolved to impact the physical world. Because DarkSide gained access to Colonial Pipeline’s systems by exploiting an inactive account that didn’t use multifactor authentication, it put pressure on businesses to assess similar risks within their own network of systems.
Oldsmar, Florida Water Treatment Facility
In early February 2021, a remote attacker changed the levels of sodium hydroxide in residential and commercial drinking water at a water treatment facility in Oldsmar, Fla. Operators inside the facility detected two intrusions from outside the plant, the second of which involved a remote attacker.
Thankfully, the operators kept the contaminated water from ever reaching the public. While this attack could have had more dire results, it shed light on the risks posed to systems without secure remote access and the importance of ICS safeguards. As the pandemic accelerated digital transformation, critical infrastructure was further exposed as operators used remote access to manage systems off-site.
JBS, the world’s largest meat supplier, was attacked by the RaaS group REvil, leading to a shutdown of plants in Australia, Canada and the U.S. and wiping out nearly one-fifth of the U.S. plants’ meat processing capacity.
JBS maintained a backup system and was able to resume operations by using it to restore the data. Regardless, the company reportedly paid the attackers an $11 million ransom to recover its data and operational capability.
RaaS has become an emerging business model that allows essentially anyone to exploit vulnerabilities and launch attacks. It’s proven to be a profitable business model, too; as with Colonial Pipeline, attackers realized that critical infrastructure organizations make lucrative targets. Not only do they have the financial resources to pay, but any disruption to operations could put lives at risk—meaning they’re highly motivated to do whatever it takes to resume operations.
On top of that, many food and beverage production sites run on legacy OT that was never designed to be connected to the internet. OT networks predate the internet and, with digital transformation leading many food and beverage companies to automate parts of the manufacturing processes, OT is suddenly being exposed to a whole host of new cyberthreats.
Security Measures in Response to Vulnerability Trends
While these attacks have raised awareness about current vulnerability trends we are seeing, awareness itself is not enough. The next step is to act on the lessons learned from these instances to minimize risks.
With more devices connected to the internet and managed via the cloud, measures such as network segmentation must be prioritized. Network administrators should:
- Segment networks virtually and configure them so they can be managed remotely.
- Create zone-specific policies tailored to engineering and other process-oriented functions.
- Reserve the ability to inspect traffic and OT-specific protocols to detect and defend against anomalous behaviors.
Secure Remote Access
As organizations adjust to increased remote connections to corporate resources, they must do so securely. This is especially vital within OT environments and critical infrastructure, as operators and engineers require secure remote access to industrial assets to ensure process availability and safety. Security practitioners are encouraged to:
- Verify VPN versions are patched and up-to-date with current versions.
- Monitor remote connections, particularly those connected to OT networks and ICS devices.
- Enforce granular user access permissions and administrative controls.
- Enforce multifactor authentication.
Ransomware, Phishing and Spam Protection
Remote work has increased reliance on email as a vital communication mechanism. These conditions also increase the risk of personnel being targeted by phishing or spam attacks and associated ransomware and other malware infections. Users should:
- Not open emails or download software from untrusted sources.
- Not click on links or attachments in emails from unknown senders.
- Not supply passwords, personal or financial information via email to anyone.
- Always verify the email sender’s email address, name and domain.
- Back up important files frequently and store them separately, away from the main system.
- Protect devices using antivirus, anti-spam and anti-spyware software.
- Report phishing emails to the appropriate security or IT staff immediately.
Protecting Operations Management and Supervisory Control
Most operations management and supervisory control vulnerabilities are software-based as opposed to basic control, where the majority of vulnerabilities are firmware-based. With the inability to patch over time, especially for device firmware, it is recommended that critical infrastructure organizations invest in segmentation, remote access protection and better protection of the operations management and supervisory control levels. This is imperative because they provide access to the basic control level and, eventually, the process itself.
Cybersecurity is an all-hands-on-deck effort, which means organizations must ensure roles are clearly defined and proper systems are in place to support this new normal. With digital acceleration brought on by the pandemic, the only thing we know for sure is change is imminent. To effectively protect critical infrastructure, it is crucial to continue evaluating the ICS vulnerabilities created as a result of that change so that while innovation continues, we can effectively mitigate risks.