On the afternoon of September 13, 2018, a series of natural gas explosions rocked homes in Merrimack Valley, Mass. For hours after this catastrophe, cybersecurity professionals and pundits spiraled through hushed, horrified speculation: was this the cyberattack they were fearing? The big one?
In reality, like many industrial catastrophes, these tragic explosions were caused by human error. There was no cyberattack – no intentional disaster. However, to many people working outside the industrial cybersecurity field, an intentional cyberattack seemed entirely plausible and terrifying.
There are numerous misconceptions about the cybersecurity of industrial control systems (ICSes). On one hand, they’re often treated as exceptions to security policy because of their sensitivity. On the other hand, ICSes are also commonly considered woefully insecure, hackable, and a potential source of catastrophic societal failure. Every unexplained power outage or explosion generates some tense speculation about a potential cyberattack. Fear of these events has permeated our fiction, political discourse, and collective subconscious.
So how much should we fear for-profit hackers or nation-states tampering with industrial devices to cause a catastrophe?
Hackers can easily cause damage or disruption to industrial control devices. ICS devices are frequently simple, old, insecure by design, and reliant on a specific set of commands and allowed states. However, industrial devices are commonly a small part of a complex holistic process. Industrial systems are fault-tolerant and redundant. Damaging, infecting, or tampering with a single device may cause a totally unpredictable impact, or may cause no practical impact at all.
Unskilled tampering and commodity malware infections absolutely do pose threats to industrial environments. They may cause unforeseen disruptions, or trigger facility shutdowns because of safety concerns. However, attacks with a specific intention, such as turning off power or causing an explosion, require specialized expertise.
In truth, targeted attacks against industrial systems are very expensive. Process systems are complex, varied, and usually contain a variety of digital, analog, mechanical, and human controls and redundancies to reduce failure and unsafe conditions. Adversaries attempting to cause these systems to fail in specific ways must invest significant time and money to understand each process. They must learn how its devices, protocols, and controls are configured and may fail, as well as how to hack into the system.
For these reasons, well-resourced adversaries have been observed increasing reconnaissance and foothold-building in industrial environments across many verticals. The cost of targeted attacks against industrial networks makes it foolhardy for them to let themselves be easily detected without a concrete financial or geopolitical goal. Instead, they usually quietly work to gain a deep understanding and access to potential future targets. This subtle approach can make it difficult for unaware organizations to justify changing their cybersecurity posture. Nobody brought down their process last year, so why increase the cybersecurity budget? However, adversaries may well have had no reason to launch an attack against their environment last year. It would have served no purpose and come at great expense. When they do have a concrete reason to launch an attack, they’ll do so with surgical precision. The reasons could vary from a new technology to steal to a geopolitical event that tempts sabotage against infrastructure.
Securing industrial process environments against realistic threats has never been more critical. Here are five essential recommendations for improving industrial cybersecurity:
- Increase communication between OT and IT staffs. Ensure that there’s routine honest and constructive dialogue between process operations technology (OT) teams, and IT and cybersecurity teams. Process engineers know more about operations than cybersecurity specialists ever will, and vice versa. It’s important for them to collaborate.
- Evaluate the organization’s industrial processes. At a high level, understand the industrial processes that occur in your organization, what safety and operational concerns surround them, and the potential consequences of process and safety device failure.
- Understand how OT and IT evaluate risks. Top management should understand that OT personnel typically have different (and valid) health and safety, security, and risk management priorities than IT personnel. An infection or vulnerability might not mean anything if it can’t result in a serious consequence. Alternatively, it may be a huge concern if it may cause a life, safety, or production disaster.
- Develop an incident response plan that includes both OT and IT. Ensure that documents critical to cybersecurity such as an incident response plan, asset inventory, collection management, and network maps exist in the operational environment, and are tailored appropriately for them with process engineer input.
- Determine the most realistic cybersecurity posture. Understand that industrial control systems often consist of complex technical integrations which may limit modern cybersecurity tactics. For example, downtime can cost a lot of money. Systems may require legacy or unpatched components to function safely and remain under warranty. Security teams should also explore mitigations such as passive monitoring, system isolation, data diodes, and access controls.
Those of us working in the industrial cybersecurity industry face a conundrum: we must decrease irrational panic about implausible cyberattacks, while also helping organizations prepare to face threats resulting from substantially more prepared advanced adversaries and increasingly connected industrial networks. Insider threats and commodity malware (particularly ransomware) continue to pose a risk to ICS, and the COVID-19 pandemic has expanded the internet connectivity of many industrial environments. Resourced adversaries are positioning themselves to launch surgical and purposeful attacks when presented with certain geopolitical conditions. It’s no cause for panic, but it certainly makes sense to have a plan.
Lesley Carhart, principal incident responder, Dragos