Much has been said about attacks on enterprise IT as more remote desktops go online in the era of COVID-19. But security pros are growing increasingly alarmed by a lack of attention to industrial cybersecurity, and the operational technology (OT) used by everything from manufacturers making personal protective equipment to energy companies powering remote work.
The challenges to securing ICS in general are manifold: from a lack of visibility into OT, to legacy devices, to the mentality of the industry at large.
Still building a cybersecurity culture
"One of the tenets on the IT side of cybersecurity is that it's not a matter of if, but when" you’ll face a cyberattack, said Mark Carrigan, COO at PAS Global. "I don't think that mindset has totally sunk in on the industrial side. There's still a perception of, 'we can keep bad guys out.'"
"We have this mentality in the IT space that we keep things up to date, whether hardware or patching software. We have a plan to keep our cyber assets safe," said Marty Edwards, VP of OT Security at Tenable. "In the OT world, and in ICS, these systems are quite often just forgotten about for decades, in a steel locked electrical cabinet gathering dust. It’s not uncommon to find Windows XP and older legacy operating systems still in use just sitting there the way they were 15 years ago."
Indeed, adds Galina Antova, co-founder of industrial cybersecurity company Claroty, "Most systems are basically a black box to security teams in that organization."
Both Antova and Carrigan acknowledge that the industry has begun to demonstrate awareness over the last few years of the importance of OT security, and the need to view their systems holistically – not OT security as one thing, IT as another, and digital transformation another.
Cybersecurity 'on pause'
But Carrigan also notes that once COVID-19 hit, many companies put OT security plans on the backburner to attend to the immediate concern of keeping their processes running and employees safe.
"The pause button got hit by a couple of months relative to COVID-19. By the same token, in some cases organizations opened up more access points to operate remotely. They're going to have to go back and shore things up a little bit," he said.
As many critical entities found themselves needing to ramp up production, reduce staff on the ground, and set up more remote connections in a variety of locations, industrial organizations have inadvertently opened their OT networks to attack.
What's worse, a compromised OT network can easily go undetected.
"The challenge with those networks and devices is that adversaries can just be there," said Antova. "Once they're on the network, they don't need malware or hacking per se. They just need access to the engineering station that changes code."
"In some cases those changes are so subtle, you can't trace where they’re coming from."
The threat to OT is particularly concerning at a time when attackers have been capitalizing on vulnerabilities surrounding COVID-19, ramping up ransomware, phishing, and other malicious hacks on vulnerable networks and individuals.
Security pros believe there’s good reason to worry that OT networks are the next frontier for attackers.
"Adversaries across the board are realizing one simple thing: OT networks are very critical to the organization’s bottom line. Especially for those in manufacturing. The fact that those networks are critical and valuable to the organization means some money could be made out of it," said Antova.
“My particular concern is the criminal element,” Tenable’s Edwards says. “ICS, especially within critical infrastructure, is a highly critical function within a business. Once criminals figure out how to cripple and hold it for ransom, I believe they will try.”
The way forward
Going forward, in addition to reprioritizing ICS security projects, industrial organizations need to weigh several considerations now that the initial rush to keep people working safely has settled and they are preparing for how to operate in a new world.
To start with, says Antova, organizations need to resolve security issues with any ad hoc connections they’ve set up. “We’re not going back to where we were. Remote access solutions are there to stay. It’s really important that security is taken into consideration.”
Edwards adds that it’s crucial to “build security in from the beginning. Don’t try to bolt it on at the end.” Further, he said, don’t allow access points to always be on: “You should be enabling remote access for specific individuals and tracking and logging everything they’re doing. Have a complete audit trail of what’s performed during a remote access session, and when they’re done turn it off.”
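Edwards's prescription above (access enabled for specific individuals, time-limited, everything logged, turned off when done) as a small added example that is not from the article or from any vendor's product; the broker, the asset name and the clock values are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional
# Added example (not from the article): a minimal just-in-time remote access
# broker for an OT engineering station. Access is closed by default, opened for
# one named person on one named asset for a bounded window, every action is
# logged, and the session is turned off when the window ends or the work is done.

@dataclass
class Session:
    session_id: str
    user: str
    asset: str
    expires_at: int            # Unix seconds; no extension, re-grant instead
    closed_at: Optional[int] = None

class RemoteAccessBroker:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        self.audit: List[tuple] = []   # (time, session_id, user, event)

    def grant(self, user: str, asset: str, minutes: int, now: int) -> str:
        """Open a time-boxed session for one named user on one named asset."""
        sid = secrets.token_hex(4)
        self.sessions[sid] = Session(sid, user, asset, now + minutes * 60)
        self.audit.append((now, sid, user, f"OPEN {asset} for {minutes} min"))
        return sid

    def is_open(self, sid: str, now: int) -> bool:
        s = self.sessions.get(sid)
        return s is not None and s.closed_at is None and now < s.expires_at

    def record(self, sid: str, action: str, now: int) -> None:
        """Log an action, refusing it unless the session is inside its window."""
        if not self.is_open(sid, now):
            self.close(sid, now, reason="EXPIRED")   # turn it off, then deny
            raise PermissionError(f"session {sid} is not open")
        s = self.sessions[sid]
        self.audit.append((now, sid, s.user, f"ACTION {s.asset}: {action}"))

    def close(self, sid: str, now: int, reason: str = "DONE") -> None:
        s = self.sessions.get(sid)          # idempotent: closing twice is a no-op
        if s is None or s.closed_at is not None:
            return
        s.closed_at = now
        self.audit.append((now, sid, s.user, f"CLOSE {reason}"))

    def trail(self, sid: str) -> List[str]:   # full audit trail, oldest first
        return [f"t={t} {u} {e}" for t, s, u, e in self.audit if s == sid]
```

The clock is passed in by the caller (Unix seconds) so expiry is deterministic; in production it would come from a trusted time source, and the audit list would be shipped to a write-once log store.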
In addition to securing existing remote access points, Edwards is also concerned about workers returning to the office with compromised devices that they’ve been using at home. “I actually think companies need to be hypervigilant about the devices as they come back into their corporate environments,” he said.
If there’s one silver lining in all of this, the crisis has helped make the case for ICS security, says Matt Selheimer, CMO, PAS Global. Speaking of a PAS client described as a “leading pulp and paper company,” Selheimer points out that the company was further ahead in planning for resiliency. It was therefore better able to meet the challenge of suddenly needing to ramp up production for skyrocketing demand for paper products during the pandemic, while establishing secure remote access to data and operations for its engineers.
A PAS case study about the pulp-and-paper company states: “Remote operations capabilities provided by PAS solutions enabled the company’s operational staff to demonstrate resilience in the face of COVID-19 and preparedness for future operational challenges. Prior digitalization investments were validated, and digitalization and remote operations sceptics within the company were able to see how the future of paper goods manufacturing will be more digital, automated, and efficient.”
Whether it is wishful thinking to expect struggling organizations to soon reprioritize tighter budgets toward properly securing their industrial control systems remains to be seen. But the consequences of not doing so could indeed be catastrophic.
“Generally speaking, in the IT world you’re worried about the loss of information. In the OT world, you’re more concerned about loss of control of the process itself,” said PAS’ Carrigan. “Best case scenario, you lose productivity. Worst case, there’s a smoking hole in the ground and people don’t go home.”