{"id":16807,"date":"2023-02-01T14:32:05","date_gmt":"2023-02-01T13:32:05","guid":{"rendered":"https:\/\/www.show.it\/cyber-insights-2023-ics-and-operational-technology\/"},"modified":"2023-02-01T14:32:05","modified_gmt":"2023-02-01T13:32:05","slug":"cyber-insights-2023-ics-and-operational-technology","status":"publish","type":"post","link":"https:\/\/www.show.it\/en\/cyber-insights-2023-ics-and-operational-technology\/","title":{"rendered":"Cyber Insights 2023: ICS and Operational Technology"},"content":{"rendered":"<\/p>\n<div class=\"is-content-justification-center is-nowrap is-layout-flex wp-container-10 wp-block-group sw-cyber-insight has-background\">\n<div class=\"is-layout-constrained wp-block-group\">\n<div class=\"wp-block-group__inner-container\">\n<p><strong>About SecurityWeek Cyber Insights |<\/strong> <em>At the end of 2022,\u00a0SecurityWeek\u00a0liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today \u2013 and how these issues might evolve during 2023 and beyond. 
The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.<\/em><\/p>\n<\/div>\n<\/div>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"529\" src=\"https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/01\/Cyber_Insights-Logo-vertical-1024x529.png\" alt=\"Cyber Insights | 2023\" class=\"wp-image-32209\" srcset=\"https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/01\/Cyber_Insights-Logo-vertical-1024x529.png 1024w, https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/01\/Cyber_Insights-Logo-vertical-360x186.png 360w, https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/01\/Cyber_Insights-Logo-vertical-768x397.png 768w, https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/01\/Cyber_Insights-Logo-vertical.png 1456w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><\/figure>\n<\/div>\n<p><strong>SecurityWeek Cyber Insights 2023 | ICS and Operational Technology \u2013<\/strong> Recognition of the cyber threat to industrial control systems (ICS) and operational technology (OT) systems has grown over the last decade. Until recently, this has been largely a theoretical threat founded on the danger of what could happen rather than what is happening. This is changing, and the threat to ICS\/OT is now real and ongoing. The bigger danger is that this is likely to increase in 2023 and onward.<\/p>\n<p>There are several reasons, including geopolitical fallout and escalation of tensions from the Russia\/Ukraine war, and a growing willingness of criminals to target the ICS of critical industries. 
At the same time, ICS\/OT is facing an expanding attack surface caused by continuing business digitization, an explosion of IoT and IIoT devices, the coming together of IT and OT networks, and the use of potentially insecure open source software libraries to bind it all together.<\/p>\n<h2 class=\"has-medium-font-size\"><strong>Background to the ICS\/OT Threatscape<\/strong><\/h2>\n<h3 class=\"has-medium-font-size\"><strong>The IT\/OT overlap<\/strong><\/h3>\n<p>One of the biggest threats to OT comes from its convergence with IT. When the networks were separate, OT could be isolated from the internet and kept relatively secure. This is no longer reality.<\/p>\n<p>\u201cAs IT and OT systems continue to converge,\u201d comments Simon Chassar, CRO at Claroty, \u201cnation-state actors and cybercriminal groups such as <a href=\"https:\/\/www.securityweek.com\/us-says-russian-hackers-stole-data-two-government-servers\">Berserk Bear<\/a>, <a href=\"https:\/\/www.securityweek.com\/conti-ransomware-activity-surges-despite-exposure-groups-operations\">Conti<\/a>, <a href=\"https:\/\/www.securityweek.com\/north-koreas-lazarus-targets-energy-firms-three-rats\">Lazarus<\/a> and <a href=\"https:\/\/www.securityweek.com\/threat-actor-targets-indian-government-commercial-rats\">Mythic Leopard<\/a>, will shift their focus from IT to OT and cyber-physical systems; from stealing sensitive data to disrupting mission-critical operations.\u201d\u00a0<\/p>\n<p>For all its benefits, IT\/OT convergence without proper security means threat actors can take down operations by exploiting an IT access point or a cloud vector. 
\u201cThis yields maximum financial or political gain for the attacker,\u201d continued Chassar, \u201cbecause businesses have more incentive to pay a ransom when their means of production are at stake, which can have a long-term impact on revenue and the supply chain.\u201d<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"alignright size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/02\/Ramsey_Hajj_Deloitte.jpeg\" alt=\"Ramsey Hajj\" class=\"wp-image-32282\" width=\"200\" srcset=\"https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/02\/Ramsey_Hajj_Deloitte.jpeg 299w, https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/02\/Ramsey_Hajj_Deloitte-150x150.jpeg 150w, https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/02\/Ramsey_Hajj_Deloitte-100x100.jpeg 100w\" sizes=\"(max-width: 299px) 100vw, 299px\"><figcaption class=\"wp-element-caption\">Ramsey Hajj<\/figcaption><\/figure>\n<\/div>\n<p>Ramsey Hajj, Deloitte\u2019s US and global cyber OT leader, expands on this theme. \u201cCyber attackers are increasingly weaponizing OT environments to attack hardware and software that control industrial processes and secure OT networks. Skilled workforce shortages and overlapping IT and OT environments can make cyber incident containment difficult.\u201d<\/p>\n<p>Supply chain attacks cannot be ignored, either on the IT side or directly against OT. \u201cSupply chain attacks continue to evolve for both ICS hardware and software,\u201d comments Pascal Ackerman, senior security consultant for operational technology at GuidePoint Security. 
\u201cThink implants for controls and automation equipment, attack chains that involve suppliers and service providers to ICS owners as an initial foothold or pivot point, and compromises on controls and automation vendors\u2019 file repositories with the purpose of adding implants in the provided software.\u201d<\/p>\n<h3 class=\"has-medium-font-size\"><strong>Geopolitics and the Russia\/Ukraine war<\/strong><\/h3>\n<p class=\"has-drop-cap\">\u201cOne of the biggest concerns around the potential for large-scale attacks in the wake of the war in Ukraine is around ICS\/OT,\u201d says Christopher Budd, senior manager of threat research at Sophos. 
\u201cWhile we haven\u2019t yet seen attacks on a scale as feared, there have been documented attacks like this in Ukraine as part of the ongoing hostilities.\u201d<\/p>\n<p>He suspects this will focus both government and industry on strengthening the security of ICS\/OT systems, even if it\u2019s done quietly. This may already be evident in the new Cross-Sector Cybersecurity Performance Goals (CPGs) issued by CISA in late October 2022. Claroty describes them as, \u201ca foundational set of IT and OT practices and recommendations that can help smaller, lesser-resourced organizations better prioritize cybersecurity efforts and reduce risk.\u201d<\/p>\n<p>Claroty highlights four OT recommendations in the CPGs. There should be a single leader responsible for OT asset cybersecurity; there should be specialized OT-focused cybersecurity training for OT engineers; there should be compensating controls such as network segmentation and access controls used as mitigations until software patches and firmware updates can be applied; and there should be unique credentials for assets, use of MFA, and the removal of default passwords.<\/p>\n<p>We can expect that government agencies will, and private industry should, work on conforming to CISA\u2019s CPGs during and from 2023.\u00a0<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"alignright size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/02\/Danielle_Jablanski_Nozomi.jpeg\" alt=\"\" class=\"wp-image-32281\" width=\"200\" srcset=\"https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/02\/Danielle_Jablanski_Nozomi.jpeg 350w, https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/02\/Danielle_Jablanski_Nozomi-336x360.jpeg 336w\" sizes=\"(max-width: 350px) 100vw, 350px\"><figcaption class=\"wp-element-caption\">Danielle Jablanski<\/figcaption><\/figure>\n<\/div>\n<p>Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks, expects further 
assistance from CISA in 2023. \u201c2023 will usher in the fruits of new CISA programs further building mechanisms for enhanced trust and verification \u2013 CyberSentry and RedEye for example \u2013 which will broaden the aperture for understanding OT and ICS incidents.\u201d<\/p>\n<p>One less-obvious effect of global geopolitical tensions will be a deterioration in international law enforcement cooperation. \u201cBesides the growth of hacktivist activity \u2018working\u2019 to internal and external political agendas,\u201d suggests Kaspersky, \u201cwe might also see more ransomware attacks on critical infrastructure due to the fact that it will become harder to prosecute such attacks.\u201d<\/p>\n<p>Chassar is more direct. \u201cThere is going to be an increase in the number of threats from nation-state actors, as well as groups that are associated with nation-states in 2023,\u201d he says. \u201cTheir activity targeting the critical infrastructure industry, from manufacturing to water and energy, will continue to grow, fueled by ongoing global geopolitical conflicts such as the Russia\/Ukraine war, as well as the current economic climate.\u201d<\/p>\n<p>The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS\/OT of critical industries, while cybercriminals have had their restraints reduced.<\/p>\n<h2 class=\"has-medium-font-size\"><strong>Specifically\u2026<\/strong><\/h2>\n<h3 class=\"has-medium-font-size\"><strong>IoT\/IIoT\u00a0<\/strong><\/h3>\n<p>\u201cThere are now more known vulnerabilities impacting IoT devices than IT devices,\u201d says Bud Broomhead, CEO at Viakoo, \u201cand IoT devices are often the easiest for cybercriminals to access.\u201d IoT and IIoT is a massive and expanding part of the ICS\/OT attack surface, providing an entry point, and enabling lateral movement.\u00a0<\/p>\n<p>\u201cBreached IoT devices are having devastating impacts,\u201d he continued, \u201csuch as 
ransomware, data loss, changing the chemical balance in a municipal water supply, replacing real camera footage with deepfakes, or disrupting transportation systems.\u201d<\/p>\n<p>The scale (sometimes up to 20x more than IT devices) and the physical location (widely distributed rather than focused within data centers), together with the growing use of vulnerable open source software libraries, make vulnerability remediation difficult.<\/p>\n<p>Broomhead believes the shift to open source software presents the most immediate threat. \u201cThe dangers open source vulnerabilities present is that they require multiple vendors to provide patches, they are often found in OT and IoT devices that are hard to remediate, and they can be exploited many years after they were discovered.\u201d<\/p>\n<p>Wendy Frank, Deloitte\u2019s US cyber IoT leader, believes part of the threat comes from a lack of adequate security governance covering the implementation of IoT, IIoT, OT and ICS devices. As their number grows, so the expanded attack surface creates more security, data, and privacy risks.<\/p>\n<p>\u201cLeading organizations,\u201d she says, \u201cwill focus in the year ahead on connected-device cyber practices by establishing or updating related policies and procedures, updating inventories of their IoT-connected devices, monitoring and patching devices, honing both device procurement and disposal practices with security in mind, correlating IoT and IT networks, and monitoring connected devices more closely to further secure those endpoints, manage vulnerabilities, and respond to incidents.\u201d<\/p>\n<h3 class=\"has-medium-font-size\"><strong>Ransomware and other malware<\/strong><\/h3>\n<div class=\"wp-block-image\">\n<figure class=\"alignright size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/02\/Thomas_Winston-Dragos.jpeg\" alt=\"\" class=\"wp-image-32280\" width=\"200\" 
srcset=\"https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/02\/Thomas_Winston-Dragos.jpeg 320w, https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/02\/Thomas_Winston-Dragos-288x360.jpeg 288w\" sizes=\"(max-width: 320px) 100vw, 320px\"><figcaption class=\"wp-element-caption\">Thomas Winston<\/figcaption><\/figure>\n<\/div>\n<p>\u201cRansomware remains the most likely threat to cause disruption in industrial infrastructure environments in 2023,\u201d states Thomas Winston, director of intelligence content at Dragos. \u201cBased on our visibility of ransomware events, manufacturing organizations remain the most frequent target with 70% of observed ransomware events, year-to-date [ie, 2022], continuing to target primarily manufacturing.\u201d<\/p>\n<p>Ackerman sees ransomware beginning to target OT specifically. He expects to see: \u201cRansomware targeting the industrial environment \u2013 in contrast to ransomware on the IT side accidentally compromising the OT space \u2013 with attacks on virtualization stacks (VMware), data repositories (Historian), controls equipment like PLCs, and controls project repositories (file shares).\u201d<\/p>\n<p>Partly, this will be exacerbated by native code execution on PLCs, with the attacker adding arbitrary code to the PLC\u2019s OS, and paving the way for ransomware and rootkits running on the PLC.<\/p>\n<p>Winston is particularly concerned for those organizations without adequate segmentation between IT and OT, but notes that \u201cRansomware rarely uses novel methods \u2013 making the application of key elements of a defensible ICS\/OT architecture particularly effective.\u201d<\/p>\n<p>He recommends the five critical controls outlined by SANS in October 2022: implementation of an ICS-specific incident response plan; development of a defensible architecture [perhaps in conjunction with an attack surface management plan]; ICS network visibility and monitoring; secure remote access; and a risk-based vulnerability 
management program.<\/p>\n<p>Beyond ransomware, Winston is concerned about the evolution of <a href=\"https:\/\/www.securityweek.com\/video-deep-dive-pipedreamincontroller-ics-attack-framework\">Pipedream<\/a> (also known as Incontroller). \u201cPipedream is an existential threat to the ICS community. This toolset is likely being actively developed and financed,\u201d he said.\u00a0<\/p>\n<p>\u201cIt is already capable of disruption across industries, including <a href=\"https:\/\/www.securityweek.com\/energy-provider-ukraine-targeted-industroyer2-ics-malware\">CrashOverride<\/a>-style disruption, pipeline disruption, and servo manipulation. We\u2019ve confirmed that Pipedream, with little development effort, can target devices speaking the ubiquitous CODESYSv3 and OPC UA protocols. It can manipulate servos in the 1S-Series of Omron Servo drives.\u201d While it cannot target Omron Safety Controllers, he believes this is undoubtedly the next step in its development.\u00a0<\/p>\n<h3 class=\"has-medium-font-size\"><strong>Hijacking remote access sessions<\/strong><\/h3>\n<p>Ian Pratt, global head of security for personal systems at HP Inc, sees an increase in session hijacking in 2023. \u201cIncreased use of features like Windows Defender Credential Guard are forcing attackers to pivot \u2013 either capturing users\u2019 passwords to enable lateral movement, or hi-jacking the remote session itself to access sensitive data and systems. The latter is particularly powerful.\u201d<\/p>\n<p>By targeting users with elevated rights, the attacks are more potent, harder to detect, and more difficult to remove. \u201cThe user is typically unaware that anything has happened. It takes just milliseconds to inject key sequences and issue commands that create a backdoor for persistent access. 
And it works even if privileged access management (PAM) systems are being used to employ MFA, such as smart cards.\u201d<\/p>\n<p>Session hijacking does not involve exploiting a fixable vulnerability \u2013 it is about abusing the legitimate functionality of remote session protocols, such as RDP, ICA and SSH. \u201cIf such an attack connects to OT and ICS running factories and industrial plants, there could also be a physical impact on operational availability and safety \u2013 potentially cutting off access to energy or water for entire areas.\u201d<\/p>\n<h3 class=\"has-medium-font-size\"><strong>APTs targeting CNI through OT<\/strong><\/h3>\n<p>\u201cAttacks targeting critical national infrastructure tend to be the work of APT groups working on behalf of nation states with specific goals,\u201d comments Joseph Carson, chief security scientist and advisory CISO at Delinea. Those goals are governed by the current state of geopolitics, and the global tension caused by the Russia\/Ukraine conflict means the stakes are high.<\/p>\n<p>\u201cThese high-level adversaries are hard to defend against as they have the time and resources required to repeatedly test security measures and find gaps, whereas more opportunist criminals in search of profits will select soft targets,\u201d he continued.<\/p>\n<p>Although OT and IT networks are converging, there remains a fundamental design difference between the two. \u201cOT systems have often been designed with a lifespan of decades in mind, and are a poor fit with the fast-moving world of modern IT networks. Gaining centralized visibility and management of such a complex environment can be extremely challenging,\u201d he added.\u00a0<\/p>\n<p>This results in gaps between the two networks that APT actors can find, infiltrating the IT network and moving across to the OT network. 
\u201cThese issues elevate the potential threat of a nation state actor infiltrating the system and causing serious disruption,\u201d he continued.<\/p>\n<p>According to Kaspersky\u2019s experts, there will likely be a shift in APT activity against industrial organizations in new industries and locations. \u201cReal economy sectors such as agriculture, logistics and transport, the alternative energy sector, and the energy sector as a whole, high-tech, pharmaceuticals and medical equipment producers are likely to see more attacks next year,\u201d they say. \u201cMoreover, traditional targets such as the military industrial complex and the government sector will also remain a focus.\u201d<\/p>\n<p>Kaspersky also warns that there will likely be an increased level of cooperation between criminals and APTs. \u201cOther risks to watch out for are the heightened criminal activity with a goal to harvest user credentials as well as more volunteer ideological and politically motivated insiders working with criminal groups, usually extortionists and APTs,\u201d it says. \u201cThese insiders may be active in production facilities as well as technology developers, product vendors and service providers.\u201d<\/p>\n<h3 class=\"has-medium-font-size\"><strong>Human costs<\/strong><\/h3>\n<p>Attacks on the OT of critical industries have real world implications, which may worsen in 2023. \u201cWhether it\u2019s contaminated water supplies or minimal access to fuel, we\u2019ve seen the costs these cyberattacks have firsthand,\u201d comments Edward Liebig, global director of cyber-ecosystem at Hexagon Asset Lifecycle Intelligence. \u201cWhile hackers\u2019 activities will likely still be money-driven, we can expect to see human cost become more of a play in the following year.\u201d<\/p>\n<p>He is concerned that IT and OT security convergence is still not effective. 
\u201cAttacks that have been close calls in the past (such as the poisoning of the <a href=\"https:\/\/www.securityweek.com\/remote-hacker-caught-poisoning-florida-city-water-supply\">water supply<\/a> from a Florida plant in 2021) will eventually have human costs.\u201d<\/p>\n<h3 class=\"has-medium-font-size\"><strong>Catastrophic attack on the energy grid<\/strong><\/h3>\n<p>Liebig is also concerned about attacks on the energy grid. \u201cAs Ukraine stands its ground in its conflict with Russia, we\u2019re likely to not only see more attacks on Ukrainian energy infrastructure, but the US\u2019s infrastructure as well,\u201d he warns. \u201cAt the beginning of 2022, Homeland Security warned that domestic extremists had been developing plans to attack the US electric power infrastructure for years.\u201d<\/p>\n<p>As a result, he continued, \u201cThe combination of aforementioned factors makes the US\u2019s power grid more vulnerable to cyberattacks than it has been in a long time.\u201d<\/p>\n<h2 class=\"has-medium-font-size\"><strong>The way forward<\/strong><\/h2>\n<p>Sam Curry, CSO at Cybereason, believes there needs to be a fundamental change of approach from the ICS\/OT system providers. \u201cMany of the security basics are simply not present, such as leveraging roots of trust and trusted execution environment, strong cryptographic options, hardening, secure update and shipping with strong identity options and no default access, to name a few,\u201d he says. \u201cMost devices don\u2019t ship with hardening options or advice, have poor documentation and no understanding of ultimate use cases.\u201d<\/p>\n<p>This results in customers setting up devices, but rarely coming back to manage the ongoing device lifecycle, let alone maintaining security aggressively as they should. \u201cThere are missed business opportunities for security services and secure management services as a service that are being left behind. 
Done correctly, there\u2019s not only lower risk for business, but there\u2019s money to be made and real value to provide.\u201d<\/p>\n<p>He adds, \u201c2023 needs to be the year to reset ICS and OT standards for security.\u201d<\/p>\n<p>Ronnie Fabela, CTO and co-founder at SynSaber, also sees scope for improvement in standards. \u201cFrom the practitioner side of ICS cybersecurity, 2023 will continue to see an overwhelming message of guidance, regulation, media, and FUD about topics such as ransomware, threat actors, and nation-states,\u201d he says.<\/p>\n<p>\u201cMy prediction for 2023 is that while this will continue, the industry\u2019s response will be loud and focused: \u2018Enough guidance and FUD. 
Help us execute.\u2019\u201d His position is that industrial operators and asset owners know their systems better than anyone. Now they are on board with cyber, empowering the operating community is the only true way to move the needle.<\/p>\n<p>\u201cA shift from \u2018We know better\u2019 to \u2018You know better\u2019 will be tough for a cybersecurity industry that is used to being the hero,\u201d he adds. \u201cThe faster all of us can change this mindset; the more successful 2023 will be for defending critical infrastructure.\u201d There will consequently be continued movement from guidance to regulation.<\/p>\n<p>But Jablanski offers a word of warning, more to do with party politics than geopolitics: \u201cNew direction and bolstered industry involvement will produce greater situational awareness, trust, and resolve across the critical infrastructure security community. As a warning, policymakers should avoid a partisan future for reducing cybersecurity risks to critical infrastructure.\u201d<\/p>\n<p><strong>Related<\/strong>: <a href=\"https:\/\/www.securityweek.com\/omron-plc-vulnerability-exploited-sophisticated-ics-malware\">Omron PLC Vulnerability Exploited by Sophisticated ICS Malware<\/a><\/p>\n<p><strong>Related<\/strong>: <a href=\"https:\/\/www.securityweek.com\/ics-vendors-respond-log4j-vulnerabilities\">ICS Vendors Respond to Log4j Vulnerabilities<\/a><\/p>\n<p><strong>Related<\/strong>: <a href=\"https:\/\/www.securityweek.com\/us-warns-new-sophisticated-malware-can-target-icsscada-devices\">U.S. 
Warns ICS\/SCADA Malware Can Damage Critical Infrastructure<\/a><\/p>\n<p><strong>Related<\/strong>: <a href=\"https:\/\/www.securityweek.com\/energy-provider-ukraine-targeted-industroyer2-ics-malware\">Energy Provider in Ukraine Targeted With Industroyer2 ICS Malware<\/a><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.securityweek.com\/cyber-insights-2023-ics-and-operational-technology\/\">Cyber Insights 2023: ICS and Operational Technology<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.securityweek.com\/\">SecurityWeek<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>About SecurityWeek Cyber Insights | At the end of 2022,\u00a0SecurityWeek\u00a0liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today \u2013 and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":16808,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[143,69,105,43,149,150,151,133],"tags":[],"class_list":["post-16807","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyberinsights2023","category-featured","category-ics","category-ics-ot","category-industrial-cybersecurity","category-ot","category-scada","category-supply-chain-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts\/16807","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/comments?p
ost=16807"}],"version-history":[{"count":0,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts\/16807\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/media\/16808"}],"wp:attachment":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/media?parent=16807"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/categories?post=16807"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/tags?post=16807"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}