COVID-19 Puts ICS Security Initiatives 'On Pause'

Security pros are concerned that increased remote access to vulnerable operational technology, combined with stalled efforts to harden OT environments, puts critical infrastructure at greater risk.

Much has been said about attacks on enterprise IT as more remote desktops go online in the era of COVID-19. But security pros are growing increasingly alarmed by a lack of attention to industrial cybersecurity, and the operational technology (OT) used by everything from manufacturers making personal protective equipment to energy companies powering remote work.

The challenges to securing ICS in general are manifold: from a lack of visibility into OT, to legacy devices, to the mentality of the industry at large.

Still building a cybersecurity culture

"One of the tenets on the IT side of cybersecurity is that it's not a matter of if, but when" you’ll face a cyberattack, said Mark Carrigan, COO at PAS Global. "I don't think that mindset has totally sunk in on the industrial side. There's still a perception of, 'we can keep bad guys out.'"

"We have this mentality in the IT space that we keep things up to date, whether hardware or patching software. We have a plan to keep our cyber assets safe," said Marty Edwards, VP of OT Security at Tenable. "In the OT world, and in ICS, these systems are quite often just forgotten about for decades, in a steel locked electrical cabinet gathering dust. It’s not uncommon to find Windows XP and older legacy operating systems still in use just sitting there the way they were 15 years ago."

Indeed, adds Galina Antova, co-founder of industrial cybersecurity company Claroty, "Most systems are basically a black box to security teams in that organization."

Both Antova and Carrigan acknowledge that over the last few years the industry has begun to show awareness of the importance of OT security and of the need to view its systems holistically – not OT security as one thing, IT as another, and digital transformation as a third.

Cybersecurity 'on pause'

But Carrigan also notes that once COVID-19 hit, many companies put OT security plans on the backburner to attend to the immediate concern of keeping their processes running and employees safe.

"The pause button got hit by a couple of months relative to COVID-19. By the same token, in some cases organizations opened up more access points to operate remotely. They're going to have to go back and shore things up a little bit," he said.

As many critical entities have needed to ramp up production, reduce on-site staff, and set up remote connections from a variety of locations, industrial organizations have inadvertently opened their OT networks to attack.

What's worse, compromised OT can easily go undetected.

"The challenge with those networks and devices is that adversaries can just be there," said Antova. "Once they're on the network, they don't need malware or hacking per se. They just need access to the engineering station that changes code."

"In some cases those changes are so subtle, you can't trace where they’re coming from."
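A defender's counterpart to the point Antova makes above is a hash baseline of control-logic and configuration artifacts, taken from a trusted state and kept off the engineering station, that the live copies are compared against on a schedule. The following is an added illustration and is not code from the article or from Claroty, PAS or Tenable; the file names and contents are constructed sample data, and it goes slightly beyond the text by also showing the analyst the exact lines that changed rather than only a hash mismatch.

```python
"""Baseline integrity check for control-logic artifacts.

Added illustration; not code from the article or from any vendor named in
it.  The threat described is an adversary who needs no malware, only access
to the engineering station that edits control logic, and whose edits are
subtle.  The control is a hash baseline of every logic and configuration
artifact, recorded from a trusted state, against which the live copies are
compared.  File names and contents below are constructed sample data.
"""
import difflib
import hashlib
from typing import Dict, List

# Constructed sample: artifacts as they were when the baseline was recorded.
BASELINE_FILES: Dict[str, bytes] = {
    "plc01/main.st": b"PROGRAM main\n  IF level > 80 THEN valve := FALSE; END_IF;\nEND_PROGRAM\n",
    "plc01/alarms.st": b"PROGRAM alarms\n  high_level := level > 90;\nEND_PROGRAM\n",
    "hmi/tags.csv": b"tag,address\nlevel,%IW0\nvalve,%QX0.0\n",
}

# Constructed sample: the same paths read later.  One setpoint was raised and
# one tag was added; the alarm program is untouched.
CURRENT_FILES: Dict[str, bytes] = {
    "plc01/main.st": b"PROGRAM main\n  IF level > 98 THEN valve := FALSE; END_IF;\nEND_PROGRAM\n",
    "plc01/alarms.st": b"PROGRAM alarms\n  high_level := level > 90;\nEND_PROGRAM\n",
    "hmi/tags.csv": b"tag,address\nlevel,%IW0\nvalve,%QX0.0\nbypass,%QX0.1\n",
}


def fingerprint(files: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 digest of every artifact, keyed by path."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare_to_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Sort every path into modified / added / missing / unchanged."""
    result: Dict[str, List[str]] = {"modified": [], "added": [], "missing": [], "unchanged": []}
    for path, digest in current.items():
        if path not in baseline:
            result["added"].append(path)
        elif baseline[path] != digest:
            result["modified"].append(path)
        else:
            result["unchanged"].append(path)
    result["missing"] = [path for path in baseline if path not in current]
    return {key: sorted(paths) for key, paths in result.items()}


def line_diff(old: bytes, new: bytes) -> List[str]:
    """Changed lines only ('-' removed, '+' added), so the reviewer sees the
    actual edit instead of just a digest mismatch."""
    diff = difflib.unified_diff(
        old.decode().splitlines(), new.decode().splitlines(), lineterm="", n=0
    )
    return [
        line for line in diff
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
    ]


def integrity_report(baseline_files: Dict[str, bytes],
                     current_files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Full run: hash both sets, classify, attach line diffs for modified files."""
    verdict = compare_to_baseline(fingerprint(baseline_files), fingerprint(current_files))
    report: Dict[str, List[str]] = dict(verdict)
    for path in verdict["modified"]:
        report["diff:" + path] = line_diff(baseline_files[path], current_files[path])
    return report


if __name__ == "__main__":
    for key, value in integrity_report(BASELINE_FILES, CURRENT_FILES).items():
        print(key, value)
```

In practice the baseline hashes would be stored where the engineering station cannot write to them (a signed file on a separate host, or a version-control system), and an unexplained entry under `modified` or `added` would be reconciled against the change-management record before the logic is trusted again.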

The threat to OT is particularly concerning at a time when attackers have been capitalizing on vulnerabilities surrounding COVID-19, ramping up ransomware, phishing, and other malicious hacks on vulnerable networks and individuals.

Security pros believe there’s good reason to worry that OT networks are the next frontier for attackers.

"Adversaries across the board are realizing one simple thing: OT networks are very critical to the organization’s bottom line. Especially for those in manufacturing. The fact that those networks are critical and valuable to the organization means some money could be made out of it," said Antova.

“My particular concern is the criminal element,” Tenable’s Edwards says. “ICS, especially within critical infrastructure, is a highly critical function within a business. Once criminals figure out how to cripple and hold it for ransom, I believe they will try.”

The way forward

Beyond reprioritizing ICS security projects, industrial organizations have several decisions to make now that the initial rush to keep people working safely has settled and they are planning how to operate in a new world.

To start with, says Antova, organizations need to resolve security issues with any ad hoc connections they’ve set up. “We’re not going back to where we were. Remote access solutions are there to stay. It’s really important that security is taken into consideration.”

Edwards adds that it’s crucial to “build security in from the beginning. Don’t try to bolt it on at the end.” Further, he said, don’t allow access points to always be on: “You should be enabling remote access for specific individuals and tracking and logging everything they’re doing. Have a complete audit trail of what’s performed during a remote access session, and when they’re done turn it off.”
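Edwards' advice above (access for specific individuals, everything logged, turned off when the work is done) can be stated as a small policy engine. The block below is an added illustration, not code from the article or from Tenable, PAS or Claroty; the users, assets, actions and timestamps are constructed sample data, and the part that would actually open and close a jump host or firewall rule is assumed rather than implemented.

```python
"""Time-boxed, per-person remote access with a complete audit trail.

Added illustration, not code from the article or from any vendor named in
it.  Access is granted to a named person, for a named asset, for a bounded
window; every attempted action inside the session is logged with its
outcome; the grant is closed explicitly when the work is done or expires on
its own.  Users, assets, actions and timestamps are constructed sample data.
Driving a real jump host or firewall from these decisions is assumed, not shown.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class AccessGrant:
    user: str
    asset: str
    start: datetime
    end: datetime
    approved_by: str
    revoked_at: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        """Active only inside the window and only until explicitly revoked."""
        return self.revoked_at is None and self.start <= now < self.end


@dataclass
class AuditEvent:
    time: datetime
    user: str
    asset: str
    action: str
    allowed: bool


class RemoteAccessBroker:
    """Holds current grants and an append-only audit log."""

    def __init__(self) -> None:
        self.grants: Dict[Tuple[str, str], AccessGrant] = {}
        self.audit: List[AuditEvent] = []

    def grant(self, user: str, asset: str, now: datetime,
              duration: timedelta, approved_by: str) -> AccessGrant:
        """Open a window for one person on one asset; there is no standing access."""
        g = AccessGrant(user, asset, now, now + duration, approved_by)
        self.grants[(user, asset)] = g
        self.audit.append(AuditEvent(now, user, asset,
                                     f"grant {duration} approved by {approved_by}", True))
        return g

    def revoke(self, user: str, asset: str, now: datetime) -> None:
        """When they're done, turn it off."""
        g = self.grants.get((user, asset))
        if g is not None and g.revoked_at is None:
            g.revoked_at = now
        self.audit.append(AuditEvent(now, user, asset, "revoke", True))

    def perform(self, user: str, asset: str, action: str, now: datetime) -> bool:
        """Every attempt is logged, whether or not it is allowed."""
        g = self.grants.get((user, asset))
        allowed = g is not None and g.is_active(now)
        self.audit.append(AuditEvent(now, user, asset, action, allowed))
        return allowed

    def active_sessions(self, now: datetime) -> List[Tuple[str, str]]:
        """What an operator should see as currently open, and nothing else."""
        return sorted(key for key, g in self.grants.items() if g.is_active(now))


def run_scenario():
    """Constructed walk-through of one maintenance window."""
    t0 = datetime(2020, 6, 1, 9, 0)
    broker = RemoteAccessBroker()
    broker.grant("alice", "plc01", t0, timedelta(hours=2), approved_by="shift-lead")
    broker.grant("carol", "hmi02", t0, timedelta(minutes=30), approved_by="shift-lead")
    results = {
        "alice_in_window": broker.perform("alice", "plc01", "download logic rev 12",
                                          t0 + timedelta(minutes=10)),
        "bob_no_grant": broker.perform("bob", "plc01", "read tags", t0 + timedelta(minutes=10)),
        "carol_expired": broker.perform("carol", "hmi02", "edit screen", t0 + timedelta(minutes=45)),
        "active_at_45m": broker.active_sessions(t0 + timedelta(minutes=45)),
    }
    broker.revoke("alice", "plc01", t0 + timedelta(hours=1))  # work finished: turn it off
    results["alice_after_revoke"] = broker.perform("alice", "plc01", "force output",
                                                   t0 + timedelta(minutes=61))
    results["active_at_61m"] = broker.active_sessions(t0 + timedelta(minutes=61))
    results["denied"] = [(e.user, e.action) for e in broker.audit if not e.allowed]
    return broker, results


if __name__ == "__main__":
    broker, results = run_scenario()
    for event in broker.audit:
        print(event.time.isoformat(), event.user, event.asset, event.action, "ALLOWED" if event.allowed else "DENIED")
    print(results)
```

The audit list is the "complete audit trail" Edwards describes: it records grants and revocations as well as every action, including the denied ones, which are often the more interesting entries for an investigator. Carol's attempt at 45 minutes fails not because anyone revoked her but because her 30-minute window lapsed, which is the point of never leaving an access path always on.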

In addition to securing existing remote access points, Edwards is also concerned about workers returning to the office with compromised devices that they’ve been using at home. “I actually think companies need to be hypervigilant about the devices as they come back into their corporate environments,” he said.

If there’s one silver lining in all of this, the crisis has helped make the case for ICS security, says Matt Selheimer, CMO, PAS Global. Speaking of a PAS client described as a “leading pulp and paper company,” Selheimer points out that the company was further ahead in planning for resiliency and therefore better able to meet the challenge of suddenly needing to ramp up production to meet skyrocketing demand for paper products during the pandemic, while establishing secure remote access to data and operations for engineers.

A PAS case study about the pulp-and-paper company states: “Remote operations capabilities provided by PAS solutions enabled the company’s operational staff to demonstrate resilience in the face of COVID-19 and preparedness for future operational challenges. Prior digitalization investments were validated, and digitalization and remote operations sceptics within the company were able to see how the future of paper goods manufacturing will be more digital, automated, and efficient.”

Whether or not it’s wishful thinking that struggling organizations will soon reprioritize tighter budgets to properly secure their industrial control systems remains to be seen. But the consequences of not doing so could indeed be catastrophic.

“Generally speaking, in the IT world you’re worried about the loss of information. In the OT world, you’re more concerned about loss of control of the process itself,” said PAS’ Carrigan. “Best case scenario, you lose productivity. Worst case, there’s a smoking hole in the ground and people don’t go home.”

Nicole Ferraro is a freelance writer, editor and storyteller based in New York City. She has worked across b2b and consumer tech media for over a decade, formerly as editor-in-chief of Internet Evolution and UBM's Future Cities; and as editorial director at The Webby Awards.
Comments

RyanSepe, User Rank: Ninja, 6/30/2020 | 8:34:33 PM
On Pause vs Stalled
I think this differentiation needs to be made. I would say "On Pause" refers to a company that has always been security conscious and this pandemic is halting them from unveiling any new security platforms. "Stalled" I would say is a company that never had security as a priority and are using the pandemic as an excuse to postpone it further. One is understandable, the other is unforgivable.