This article was updated on October 1, 2019.
After a year that began with the fallout from another attack on Ukraine's electric grid, saw the discovery of the first toolset since Stuxnet built to target physical systems (CrashOverride/Industroyer) and included significant harm from ransomware (WannaCry, Petya/NotPetya), what's in store for 2018?
Our team looked ahead 12 months and thought about how ICS cyber security will be different at the end of that period. From there we came up with 5 predictions you won’t want to miss.
1. The Era of Internet Prohibition for Industrial Networks Will End
In the days of alcohol prohibition, the rates of irresponsible drinking were higher than they are now. Prohibitions simply drove behavior underground, often with dramatically bad effects.
Similarly, Internet connectivity is officially very restricted for most industrial networks. For example, ICS servers and stationary operator and engineering workstations may only be allowed to connect to the Internet during maintenance windows.
And, in the wake of high-profile Internet attacks on critical infrastructure, some organizations are working to reinstate the air gap as their primary security control. Yet Internet connections remain a primary source of malware infections of industrial systems.
These connections come from contractor and system integrator computers, the workstations of administrators and developers, and mobile devices. Kaspersky reports that “40% of all machines in industrial control infrastructure have regular or full-time Internet connections.”
We are also starting to see major customers willing to use ICS cyber security products running on Internet infrastructure, such as Amazon Web Services. Furthermore, cloud services and IIoT devices are proliferating.
Nozomi Networks Prediction: Real-world practicalities and major technology trends both mean that air gap protection strategies will “backfire”. We predict that progressive organizations will embrace Internet connectivity and implement the technology and procedures necessary to defend their ICS from this source of cyber threats.
2. Artificial Intelligence Moves Beyond its Buzz to Make a Real Difference in ICS Security
Up to now, most industrial organizations have treated Artificial Intelligence (AI) as a buzzword and have not been familiar with the role it can play in ICS cyber security. However, word is getting out about how AI-powered security solutions are delivering faster threat detection and troubleshooting.
Organizations grappling with ICS cyber security staffing and skills shortages are turning to AI solutions to achieve security and productivity goals. We see this happening both at the level of large multinational customers with mature cyber security programs and processes, and at the level of smaller organizations who realize they have no other choice.
For example, a recent US-CERT advisory on Dragonfly 2 (Alert TA17-293A) recommended checking 17 different logs and repositories for indicators of the malware. Done by hand, that consumes a lot of scarce staff time; an automated threat detection solution can run the same checks across all of those sources in seconds.
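To make the point concrete, here is an added example (not code from Nozomi Networks or from the advisory) of the kind of automation the paragraph above describes: one pass that searches several log repositories at once for a shared indicator list and reports which sources hit. The indicators, host names, IP addresses, file hash and log lines are all constructed for this example and are not taken from TA17-293A.

```python
import re
from typing import Dict, List, Set, Tuple

# Hypothetical indicators, constructed for this example; none come from a real advisory.
INDICATORS: Dict[str, Set[str]] = {
    "domain": {"updates.example-bad.test"},
    "ipv4": {"203.0.113.45"},
    "sha256": {"0f" * 32},
    "scheduled_task": {"\\Microsoft\\Windows\\Telemetry\\SyncHost"},
}

# Constructed excerpts standing in for the separate repositories an analyst would
# otherwise open one at a time (proxy, DNS, EDR hash inventory, task scheduler, firewall).
LOG_SOURCES: Dict[str, List[str]] = {
    "proxy": [
        "2017-10-21T03:14:02Z 10.0.0.10 GET http://updates.example-bad.test/en/index.php 200",
        "2017-10-21T03:15:11Z 10.0.0.12 GET http://vendor.example/firmware/rtu.bin 200",
    ],
    "dns": [
        "2017-10-21T03:14:01Z 10.0.0.10 query A updates.example-bad.test -> 203.0.113.45",
        "2017-10-21T03:16:40Z 10.0.0.12 query A ntp.example -> 192.0.2.7",
    ],
    "edr_hashes": [
        "EWS-01 C:\\Users\\eng\\AppData\\Local\\Temp\\tmp9A1F.exe sha256=" + "0f" * 32,
        "HMI-02 C:\\Program Files\\Vendor\\hmi.exe sha256=" + "ab" * 32,
    ],
    "task_scheduler": [
        "EWS-01 task=\\Microsoft\\Windows\\Telemetry\\SyncHost "
        "action=C:\\Users\\eng\\AppData\\Local\\Temp\\tmp9A1F.exe",
    ],
    "firewall": [
        "2017-10-21T03:14:03Z allow 10.0.0.10:51234 -> 203.0.113.45:80 tcp",
    ],
}

# (source name, indicator type, indicator value, matching log line)
Hit = Tuple[str, str, str, str]


def _contains_indicator(line: str, value: str) -> bool:
    """Case-insensitive match that refuses to fire on a longer token.

    The lookarounds stop 203.0.113.45 from matching 203.0.113.450 and stop a
    domain from matching a longer host name that merely ends with it.
    """
    pattern = r"(?<![\w.])" + re.escape(value) + r"(?![\w.])"
    return re.search(pattern, line, re.IGNORECASE) is not None


def find_hits(sources: Dict[str, List[str]], indicators: Dict[str, Set[str]]) -> List[Hit]:
    """Sweep every source for every indicator in a single pass."""
    hits: List[Hit] = []
    for source_name, lines in sources.items():
        for line in lines:
            for kind, values in indicators.items():
                for value in values:
                    if _contains_indicator(line, value):
                        hits.append((source_name, kind, value, line))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, int]:
    """Number of indicator matches per source, for a quick triage view."""
    counts: Dict[str, int] = {}
    for source_name, _kind, _value, _line in hits:
        counts[source_name] = counts.get(source_name, 0) + 1
    return counts


if __name__ == "__main__":
    for source_name, kind, value, line in find_hits(LOG_SOURCES, INDICATORS):
        print(f"[{source_name}] {kind}={value}: {line}")
    print(summarize(find_hits(LOG_SOURCES, INDICATORS)))
```

The per-source summary is what turns "check 17 repositories" into a short list of where to look first; the same hit list also shows the pivot between sources (the host that resolved the domain is the one that later connected to the resolved address), which is the correlation an analyst would otherwise reconstruct by hand.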
Nozomi Networks Prediction: In 2018 Industrial organizations will adopt AI powered ICS cyber security solutions to radically automate threat detection and mitigation. The outcome will be better reliability and security and more effective use of staff resources.
3. ICS Cyber Security Services Will Proliferate
The shortage of ICS cyber security skills is also driving more service offerings, which are moving beyond one-off risk assessments toward full-service engagements.
For example, Fortinet, a leader in IT security, has introduced “FortiGuard Industrial Security Service”, an ICS threat intelligence service.
Nozomi Networks Prediction: IT cyber security companies will move aggressively into OT cyber security and additional types of services, specifically designed for OT, such as monitoring, detection and incident management, will be introduced.
4. ICS Malware Moves Beyond Windows Exploits to ICS-Specific Malware
Up to now, most malware that has infected ICS has relied on Windows vulnerabilities or Windows protocols to infect and spread. For example, in 2017 WannaCry and NotPetya both propagated over the Windows file-sharing protocol SMB, Dragonfly 2 used outbound SMB connections triggered by phishing documents to harvest Windows credentials, and Industroyer ran as a Windows backdoor and loader before launching its ICS protocol payloads.
Nozomi Networks Prediction: Malware attacks that target OT device software, for example PLC software, will start to occur, adding to the sea of Windows-dependent attacks.
5. Security-by-Design Starts to Improve ICS Security, A Bit
ICS devices are notorious for being insecure by design. The good news is that major customers are now demanding that security be included in new automation equipment purchases, for example by requiring that RTU software be encrypted.
Cyber security certification is also growing rapidly, and major automation vendors are having their products tested for the ISASecure certification, for example. As a result, fewer new ICS devices ship without any cyber security capabilities.
Nonetheless, the sheer volume of installed devices with security vulnerabilities means they will continue to be susceptible to cyberattacks.
Nozomi Networks Prediction: Customer demand will result in more new automation devices shipping with security baked in. It will, however, take time for this to improve overall ICS cyber security, and detection will be needed as a safeguard against both known and unknown vulnerabilities.
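Predictions 4 and 5 both end at the same practical point: until the installed base of insecure-by-design devices is replaced, the safeguard is to watch what is being said to them on the wire. The following added example (not Nozomi Networks code) shows the simplest form of that: a Modbus/TCP parser that validates the MBAP header and raises an alert when a state-changing function code arrives from a host that is not on the allowlist of engineering workstations. The frames, IP addresses and allowlist are constructed for this example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Modbus function codes that change device state. 0x08 (Diagnostics) is included
# because sub-functions such as "restart communications" can take a device offline.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x08: "Diagnostics",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    src: str
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]  # first data field of most PDUs; None for short PDUs


def parse_modbus_tcp(src: str, frame: bytes) -> ModbusRequest:
    """Parse an MBAP header plus PDU and reject anything that is not well-formed Modbus/TCP.

    MBAP layout: transaction id (2), protocol id (2, always 0), length (2), unit id (1),
    followed by the PDU: function code (1) and data. The length field counts the unit id
    and the PDU, i.e. everything after the first six bytes.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"unexpected protocol id {protocol_id}")
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size {len(frame)}")
    function = frame[7]
    data = frame[8:]
    address = struct.unpack(">H", data[:2])[0] if len(data) >= 2 else None
    return ModbusRequest(src, transaction_id, unit_id, function, address)


def audit(frames: List[Tuple[str, bytes]], allowed_writers: Set[str]) -> List[str]:
    """Return one alert per malformed frame or per write from a host outside the allowlist."""
    alerts: List[str] = []
    for src, frame in frames:
        try:
            req = parse_modbus_tcp(src, frame)
        except ValueError as exc:
            alerts.append(f"{src}: malformed Modbus/TCP ({exc})")
            continue
        if req.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append(
                f"{src}: {WRITE_FUNCTIONS[req.function]} (fc=0x{req.function:02x}) "
                f"to unit {req.unit_id} address {req.address} from a host not permitted to write"
            )
    return alerts


# Constructed traffic: an HMI reading holding registers, the engineering workstation
# writing a single setpoint, and an unknown host writing two registers.
SAMPLE_FRAMES: List[Tuple[str, bytes]] = [
    ("10.0.0.10", bytes.fromhex("00010000000601030000000a")),          # fc 0x03, addr 0, qty 10
    ("10.0.0.20", bytes.fromhex("0002000000060106001000ff")),          # fc 0x06, addr 16, value 255
    ("10.0.0.99", bytes.fromhex("00030000000b0110001000020412345678")),  # fc 0x10, addr 16, qty 2
]
ALLOWED_WRITERS: Set[str] = {"10.0.0.20"}  # hypothetical engineering workstation

if __name__ == "__main__":
    for alert in audit(SAMPLE_FRAMES, ALLOWED_WRITERS):
        print(alert)
```

An allowlist of writers is deliberately crude; a monitoring product learns the expected function codes, units and register ranges per source and alerts on deviations from that baseline. The value of even this crude check is that it needs nothing from the PLC itself, which is exactly the situation with devices that shipped without security capabilities.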
2018: Industrial Cyber Security Goes Mainstream
Our predictions for 2018 add up to one conclusion: ICS cyber security will be far more mainstream 12 months from now. IT/OT convergence will advance, more OT security services will be available, and many more industrial organizations will be lightening the burden of securing their processes with AI-powered tools.
In addition, cybersecure products will be increasingly demanded by major customers. Unfortunately, “going mainstream” also means there will likely be new malware that directly attacks OT device software.
We look forward to the maturation of industrial cyber security practices, products and services. We’ll certainly be working with our customers to help them meet the challenge and burden of cyber security with top notch ICS threat detection and operational visibility tools.
Nozomi Networks Industroyer Mitigation Brief
- 3 main phases of Industroyer
- How anomaly detection mitigates impacts
- What Yara rules are and how they help
- How “assertions” facilitate threat hunting
- How real-time ICS monitoring provides cyber resiliency