The World Economic Forum has released its 2018 Global Risks Report, identifying and analyzing the most pressing risks faced at a global level. Global economic, technology and government experts were asked to assess the perceived likelihood of defined events occurring, as well as their potential impact on the geopolitical and economic status quo. Cyber attacks were among the events identified as posing the highest risks to international stability. Survey respondents believe a major incident could occur in the next five years. Cyber attacks were the only technology-affiliated event with a likelihood and impact score similar to natural disasters and environmental catastrophes in 2018.
The report is just the latest to highlight the rising sense of urgency that many organizations and governments share today with regard to Industrial Control Systems (ICS) and critical infrastructure cybersecurity. However, the investments to date aimed at improving ICS cybersecurity have regrettably not matched the perceived risk and sentiment.
Why the Pressure is On
2017 was the year of malware. Notable attacks include:
- WannaCry: Affected 300,000 computers across 150 countries
- NotPetya: Caused quarterly losses of US$300 million for a number of affected businesses.
- Triton: ICS specific malware targeted Triconex industrial safety technology made by Schneider Electric SE
With the exception of the Triton malware attack, most of the global cyber incidents were IT-born, but they spread globally to impact everything from city transit control networks to automation plants, especially in Europe and Asia. So how did these cyber events escalate to this level of risk so quickly?
The heightened risk of cyber attacks cited in the WEF report can largely be attributed to a general hesitancy of industrial stakeholders to invest in ICS cybersecurity technologies, combined with an over-eagerness to invest in Industrial IoT systems without the proper cybersecurity measures in place. Connecting once-isolated industrial assets to the internet and cloud-based platforms exposes OT devices, such as Programmable Logic Controllers (PLCs) and Remote Terminal Units (RTUs), to tailored malware attacks, vulnerabilities and other cyber-borne threats that they are unequipped to identify, manage or remediate.
In the past, ICS and industrial systems were largely secured by their relative isolation from the internet or enterprise network. These systems ran on proprietary control protocols, specialized hardware, implemented proprietary embedded operating systems and were connected by copper and twisted pair. Today, that scenario has completely changed with ICS and industrial systems increasingly linked to enterprise networks. They are run on common internet protocols, use general purpose hardware, utilize mainstream IT operating systems and are more often connected to wireless and cloud technologies. Cyber attacks have risen to become a high-risk category according to the World Economic Forum because the division between IT and OT has become blurred, creating various challenges. These challenges can be segmented into two general categories.
- IT and OT are domain-specific: Many technologies require specialized knowledge of industrial control systems technology and communications. Enterprise IT security technologies are generally not ICS-aware or able to ingest OT data.
- OT deficiencies: PLCs and RTUs are computers with limited computational capacity, built for controlling physical components such as valves, pumps and motors. These OT assets, and others like them, are generally not equipped to manage the data influx and complex AI techniques required to identify and remediate modern cyber threats.
Why ICS Cybersecurity Matters
The disparity that exists between industrial connectivity and industrial cyber readiness has resulted in serious risk implications for future technological development, global labor markets and even political unrest. Cyber attacks are at the core of the World Economic Forum Risk Report figure III, connected to information infrastructure breakdown, critical infrastructure failure and potential state collapse. While temporary disruptions may be tolerable within an IT environment, this risk matrix further highlights that systems managing critical infrastructure cannot fail. Furthermore, the security challenges resulting from the convergence of OT and IT cannot be solved with conventional defensive technologies alone, such as SIEM software and firewalls. A new approach is required.
OT applications and industrial systems, like SCADA, DCS or MES, are engineered from heterogeneous technologies and devices, and are often built up from domain-specific technologies over time. These systems are ill-equipped to manage the advancing cyber threats that are affecting them. What is needed is increased oversight of industrial applications, with the ability to remediate identified cyber threats, in a way that is non-intrusive and scalable.
Cybersecurity approaches that place the emphasis on anomaly detection using modern artificial intelligence (AI) techniques stand to offer the most pragmatic approach to introduce real-time analytics and system monitoring that mitigates data loss and system shutdown.
Next Generation Solutions
The heightened risks associated with cyber attacks in 2018 can only be expected to increase, targeting enterprise networks, consumer data and ICS. Of these three categories, cyber attacks on ICS pose the highest risk of a geopolitical catastrophe. However, these risks can be managed with tactical investments in ICS cybersecurity technologies that extend the capabilities of existing OT and IT platforms, networks and security infrastructure. Here are some next-generation technologies for combating cyber attacks against the industrial control systems that govern critical infrastructure:
- Passive Monitoring – to provide real-time analysis without impacting industrial network communication and latency.
- Detailed OT Asset Inventory – supports automatic building of a cyber asset inventory, including basic configuration data and message connectivity. Manual collection is impractical in ICS given the size and geographic distribution of cyber assets and the need to detect new devices and connections.
- AI-supported Anomaly Detection – automatic detection of suspicious system behavior with a low rate of false positives. This includes identifying ICS and process problems. An ideal solution automatically learns normal behavior, helps companies establish a secure baseline, and leverages signature detection to rapidly detect known threats.
- Pervasive Alerts – alerting with information about the nature of the suspicious activity and the cyber assets involved. An ideal solution provides incident correlation that combines alerts from a single attack into one incident to speed incident response and minimize operator “alert fatigue.”
- Integration – bi-directional integration with security information and event management (SIEM) and other cybersecurity applications to enable seamless integration within the enterprise.
- UI/UX – User interface and user experience will ultimately be a strong indicator of how well operations and security teams adopt an ICS cybersecurity solution. If key data insights are hard to acquire, then remediation of identified threats will also be challenging. An ideal solution will come with flexible dashboards and a clear display of the network environment, whether it is a substation network or an oil and gas facility.
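To make the passive monitoring, asset inventory, baseline learning and incident correlation points above concrete, here is an added illustration in Python. It is example code written for this article, not Nozomi Networks' product code, and everything in it is constructed: the IP addresses, protocol names and function names are hypothetical flow summaries of the kind a passive sensor on a SPAN port or TAP would produce, and the 60-second correlation window is an arbitrary choice. The detector first builds an inventory and a behavioral baseline from a learning period, then flags only what departs from it (an unknown device, an unseen connection, or an unexpected function on a known connection), and finally folds alerts from one source asset that fall close together into a single incident.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed flow summaries: (timestamp_s, src_ip, dst_ip, protocol, function).
# Addresses, protocols and functions are illustrative, not from a real network.
LEARNING_FLOWS = [
    (0,  "10.0.1.10", "10.0.1.50", "modbus/tcp",  "read_holding_registers"),
    (5,  "10.0.1.10", "10.0.1.51", "modbus/tcp",  "read_holding_registers"),
    (10, "10.0.1.11", "10.0.1.50", "modbus/tcp",  "read_holding_registers"),
    (15, "10.0.1.10", "10.0.1.50", "modbus/tcp",  "write_single_register"),
    (20, "10.0.1.20", "10.0.1.10", "ethernet/ip", "list_identity"),
]

MONITORING_FLOWS = [
    (100, "10.0.1.10", "10.0.1.50", "modbus/tcp", "read_holding_registers"),   # baseline
    (101, "10.0.1.99", "10.0.1.50", "modbus/tcp", "read_holding_registers"),   # unknown device
    (102, "10.0.1.99", "10.0.1.51", "modbus/tcp", "write_single_register"),    # same device, new peer
    (103, "10.0.1.11", "10.0.1.50", "modbus/tcp", "write_multiple_registers"), # known pair, new function
    (400, "10.0.1.99", "10.0.1.50", "modbus/tcp", "read_holding_registers"),   # too late to correlate
]


def build_inventory(flows):
    """Passive asset inventory: every address seen, with protocols spoken and peers."""
    inventory = defaultdict(lambda: {"protocols": set(), "peers": set()})
    for _, src, dst, proto, _ in flows:
        for asset, peer in ((src, dst), (dst, src)):
            inventory[asset]["protocols"].add(proto)
            inventory[asset]["peers"].add(peer)
    return dict(inventory)


def learn_baseline(flows):
    """Baseline = set of (src, dst, protocol, function) tuples seen while learning."""
    return {(src, dst, proto, fn) for _, src, dst, proto, fn in flows}


@dataclass
class Alert:
    ts: int
    kind: str   # "new_asset" | "new_connection" | "new_function"
    src: str
    dst: str
    detail: str


def detect(flows, baseline, inventory):
    """Raise one alert per flow that departs from the learned baseline."""
    alerts = []
    known_assets = set(inventory)               # local copy; the inventory itself is untouched
    known_pairs = {(s, d, p) for s, d, p, _ in baseline}
    for ts, src, dst, proto, fn in flows:
        if (src, dst, proto, fn) in baseline:
            continue                            # learned behavior: no alert
        if src not in known_assets:
            alerts.append(Alert(ts, "new_asset", src, dst, f"unknown device {src} speaking {proto}"))
            known_assets.add(src)               # report a new device once, then track its behavior
        elif (src, dst, proto) not in known_pairs:
            alerts.append(Alert(ts, "new_connection", src, dst, f"{src} -> {dst} over {proto} not in baseline"))
        else:
            alerts.append(Alert(ts, "new_function", src, dst, f"{src} -> {dst}: unexpected {proto} {fn}"))
    return alerts


@dataclass
class Incident:
    src: str
    first_ts: int
    last_ts: int
    alerts: list = field(default_factory=list)


def correlate(alerts, window_s=60):
    """Fold alerts from one source asset that arrive within window_s of each other into one incident."""
    incidents, open_by_src = [], {}
    for a in sorted(alerts, key=lambda x: x.ts):
        inc = open_by_src.get(a.src)
        if inc is not None and a.ts - inc.last_ts <= window_s:
            inc.alerts.append(a)
            inc.last_ts = a.ts
        else:
            inc = Incident(a.src, a.ts, a.ts, [a])
            incidents.append(inc)
            open_by_src[a.src] = inc
    return incidents


def run_demo():
    inventory = build_inventory(LEARNING_FLOWS)
    baseline = learn_baseline(LEARNING_FLOWS)
    alerts = detect(MONITORING_FLOWS, baseline, inventory)
    return inventory, alerts, correlate(alerts)


if __name__ == "__main__":
    inv, alerts, incidents = run_demo()
    print(f"{len(inv)} assets inventoried, {len(alerts)} alerts, {len(incidents)} incidents")
    for inc in incidents:
        print(f"incident from {inc.src} ({inc.first_ts}-{inc.last_ts}s):")
        for a in inc.alerts:
            print(f"  [{a.kind}] {a.detail}")
```

On the constructed data the learning period yields five assets, the monitoring period produces four alerts, and correlation reduces them to three incidents: the two alerts from the unknown device at 101 s and 102 s become one incident, the unexpected write from a known engineering host is a second, and the unknown device's later flow at 400 s is far enough outside the window to open a third. Everything here is derived from observed traffic; nothing is sent to the PLCs, which is the property the "passive" requirement above is about.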
The World Economic Forum Global Risks report has rightfully identified the relevance of cybersecurity by highlighting the implications of cyber attacks. Of all cyber attacks, attacks on OT assets and ICS pose the greatest risk to geopolitics, economic welfare and society as a whole.
Operators and security stakeholders of critical infrastructure need to rethink and reinvest in new cybersecurity solutions that extend the capabilities of conventional IT approaches, while bringing improved monitoring and threat detection.
About the Author:
Thomas Nuth is the Director of Product & Solutions at Nozomi Networks. He has an extensive background in Industrial IT, middleware and software technologies. Thomas brings a unique vertical perspective of OT/IT applications of security and networking technology.