In the last few months, the cybersecurity of industrial organizations has been under the spotlight following the release of several studies disclosing vulnerabilities that pose a threat. The studies, carried out by Forescout, highlighted that as industrial organizations digitalize their environments, they become more susceptible to cyber-attacks.
The first piece of research highlighted how attackers can now hold industrial networks, critical operational technology (OT) and internet of things (IoT) devices hostage via ransomware. Ransomware attacks have been growing in severity and frequency over the last few years, and while most have focused on holding data hostage to disrupt an organization’s operations, security experts recognized it was only a matter of time before attacks evolved and became more physical. The bad news is that this next frontier of cyber-attacks is already upon us.
Today, attackers can target an industrial organization via its enterprise IT, then move laterally across its network, turning off security settings until they reach IoT and OT devices. From there, they can target the software behind the devices with precise denial of service (DoS) attacks, which essentially knock them offline, both virtually and physically. To put this into context, this could mean plant machinery is brought to a standstill, physical doors (which are virtually controlled) are sealed shut or air conditioning units are rendered inoperable.
Worryingly, these connected devices exist in many industries, including healthcare, so it’s easy to see the direct impact this could have on society if they are hit with an attack. This makes these attacks attractive to both cybercrime gangs and nation-state actors.
An additional recent piece of research from Forescout uncovered how critical vulnerabilities exist in OT technology because they were traditionally built with an insecure-by-design engineering process. Dubbed OT:ICEFALL, this set of 56 vulnerabilities affects popular devices from 10 OT vendors and allows for credential theft, remote code execution and firmware or logic manipulation. The research highlights how vulnerabilities are inherent in OT because they were never built with security in mind. OT was traditionally air-gapped, so security was not paramount, but as external connectivity abounds, these vulnerabilities highlight that security teams have a mountain to climb.
Couple these two pieces of research together, and attackers have a wealth of opportunities to compromise OT and industrial networks. So, what is the solution? Firstly, connectivity is here to stay. The benefits it offers industrial organizations are endless, from improving plant safety to cutting costs and increasing efficiency.
However, this does not mean every single device within an industrial plant needs to be connected to the web. The first step organizations need to take is around discovery and analysis to understand what devices are connected to the internet and whether they need to be. Often, devices are connected without any real reason. This needs to be addressed and any devices that do not need this added connectivity should be disconnected. For devices that do require automation and internet connectivity, industrial organizations must establish a way to reap the benefits of this modernization where security is routinely embedded. The best way to achieve security is through improvements to visibility. It is impossible to protect what you can’t see, so industrial organizations must ensure all connected devices on their networks can be seen and secured.
Once devices are properly inventoried, it is time to focus on network segmentation. Vulnerable devices will always exist in OT environments because many are too old or fragile to be patched. When a device falls into this category, segment it from mission-critical systems, preventing lateral movement attacks. However, when patches can be applied, ensure devices are updated quickly and always monitor vendor patch cycles to ensure systems are constantly kept up to date.
When internal resources to detect and mitigate threats do not exist or are limited, organizations can turn to vendor services like Forescout Frontline. Frontline is a complimentary threat hunting, risk identification and incident response service for organizations that lack the internal resources and visibility to defend themselves from or respond to cybersecurity attacks, including ransomware and advanced persistent threats. The service offers unrivaled intelligence into OT cybersecurity threat activity, so organizations can efficiently and effectively plan for attacks.
Industrial cybersecurity is critical today because attackers possess every tool in their arsenal required to carry out devastating attacks. However, by carrying out assessments to understand threats, using automated tools to improve security and bringing in assistance to help with remediation, industrial organizations can remain one step ahead, keeping their networks and critical processes safe.
