Written by Anthony Perridge, VP International, ThreatQuotient
Criminals are tirelessly attacking critical infrastructure (CRITIS) around the world and compromising the Industrial Control System (ICS) and the Supervisory Control and Data Acquisition (SCADA) systems that control these infrastructures. In 2010, the Stuxnet worm infiltrated numerous control systems and damaged nuclear power plants. Five years later, the BlackEnergy malware attack on the Ukrainian power supply became the first cyberattack that caused a blackout.
However, the term CRITIS not only covers the power grid, but also areas such as military, manufacturing, healthcare, transport, water supply and food production. In 2017, the outbreak of the ransomware WannaCry affected several healthcare companies. In 2018, the US CERT, together with the British National Cyber Security Center (NCSC) and the FBI, issued a warning that the Russian government had launched an attack on critical infrastructure in various industries. In addition, for several years, threats to air travel booking and public transit systems have been making headlines. In early 2019, the ransomware variant LockerGoga began infiltrating and disrupting the production processes of chemical companies and aluminium producers.
According to an investigation by (ISC)2, there is a shortfall of nearly three million cybersecurity experts worldwide, and nearly 60 percent of the 1,452 survey respondents believed that their company was at medium to high risk of virtual attacks. The existing security teams are barely able to handle the myriad of alerts. Moreover, they are often not sufficiently represented at senior management level to receive the necessary attention and support for important initiatives. For example, only 31 percent of organisations in the aviation industry have a dedicated CISO.
To make the most of their existing resources, security teams must be able to understand and prioritise the threat data and alerts within the context of their organisation. This gives teams the opportunity to easily and clearly communicate relevant security issues to management, and to justify additional resources needed to improve security processes.
More and more attacks use multiple vectors in parallel and make the defense more difficult. The US CERT warning mentioned above mentions a variety of these used TTPs, including spear-phishing emails, watering hole attacks, credential capture, and specific attacks on ICS and SCADA infrastructures. At the same time, the attack surface is growing as CRITIS operators increasingly migrate to the cloud, introducing mobile devices and IoT. More than two-thirds of IT executives in the oil and gas industry said they are more vulnerable to security breaches because of digitisation (the provision of digital technologies for advanced automation).
Companies can protect their digital landscape against threats only if they have an overview of the entire infrastructure and the ability to continuously evaluate and prioritise threat intelligence.
Many ICS and SCADA systems have been in use for years and do not have modern security features that can protect against current threats. The number of reported weaknesses in the production area increased significantly in 2018 compared to the previous year. However, these systems are rarely updated as operators fear interruptions. Despite increasing attacks on critical infrastructures, protection has not been extended. Rather, it has become even worse as the devices and systems are increasingly connected to the Internet without paying attention to the security implications. Although those responsible for Information Technology (IT) and Operational Technologies (OT) have different goals, processes, tools, and concepts, they must work together as their environments grow closer together.
Surveys among security officers say that 75 percent of businesses assume they will be the victims of cybersecurity attacks on OT / ICS systems. However, only 23 percent adhere to the industry’s minimum legal requirements for cyber security.
Headlines about attacks on critical infrastructures are quickly portrayed as a sensation. It is often difficult to find the facts behind the report and to understand the impact of a large-scale cyber campaign on the business. It is not enough to update only the ICS and SCADA devices. With a trusted threat intelligence platform, can companies identify and respond to the truly relevant threats.
Tips to help organisations minimise their cyber risk:
Consolidate all sources for external (such as OSINT) and internal (SIEM, for example) threat and vulnerability data in one central repository.
Collect security-related information about the entire infrastructure (local, cloud, IoT, mobile, and legacy systems) by integrating vulnerability data and threat intelligence in the context of active threats.
Filter non-relevant information, avoiding overload due to too many alerts, and easily navigate massive amounts of threat data to focus on critical resources and vulnerabilities.
Prioritise the most important data depending on the individual situation, with the possibility of dynamic adaptation as new data and insights become available.
Proactively search for malicious activity that can demonstrate malicious behaviour, denial of service attacks, and other disruptions and potential harm to customers, employees, and key components.
Focus on aspects beyond reactive measures to aid detection, response and recovery.