Working Together to Defend Critical Infrastructure in the New Industrial Cyber Threat Landscape

The cybersecurity challenges and threats facing critical infrastructure today are too great for any one organization to tackle alone. Globally, adversaries continue to target healthcare and manufacturing facilities and threaten critical services such as electric grids and water systems. These attacks not only compromise data and information, but also threaten human health and life at scale. This is especially true when we look at attacks aimed at industrial control systems (ICS) and operational technology (OT). This software and hardware that interacts with the physical world is what makes critical infrastructure critical.

The World in Which We Operate Is Changing

Even as recently as ten years ago, the heterogeneous nature of industrial infrastructure made it difficult for adversaries to create attacks that were repeatable across sites and industries and could cause disruption or physical destruction. As the community has moved toward a more homogeneous infrastructure with common software packages, network protocols, and facility designs that bring efficiency and other advantages to industry, we have in some ways made it easier for adversaries to operate more efficiently, too.

The threat group CHERNOVITE, for example, identified in 2022, is associated with the development of the first ICS/OT malware capable of repeatable attacks across targets and industries, PIPEDREAM. The breadth of potential impacts demonstrates the effect increasingly uniform OT environments have had on making adversary operations more efficient. Targeting ubiquitous protocols used across hundreds of vendors and thousands of systems, PIPEDREAM could be used to harm electric grids, oil and gas pipelines, water distribution, and the manufacturing industry, among others. Furthermore, Dragos assessed that PIPEDREAM could achieve an end-to-end attack: the malware could be leveraged for IT intrusion and then pivot to OT to execute an ICS/OT attack. Fortunately, Dragos and its partners discovered and analyzed PIPEDREAM before it was employed in the wild, buying defenders time. However, the capability cannot simply be patched away and still looms as a significant threat to the unprepared.

Compared with previous OT malware, which was restricted to singular events and facilities, PIPEDREAM represents an evolution in ICS/OT capability development. Any future ICS/OT malware developments will be able to capitalize on adversaries’ expanding body of knowledge and past success.

Growing connectivity and digitization are also central to the increasing threat. A decade ago, industrial networks that generate, transmit, and distribute electricity, manufacture medicine and consumer goods, keep refineries and pipelines functional, control rail, or clean and distribute water were largely disconnected from other networks. This lack of connectivity and digitization meant that cyber adversaries could not as easily interact with these systems through cyber means. Because of this, they were largely unable to achieve their disruptive or destructive objectives. However, industrial environments started to become connected and digitized almost twenty years ago. That trend has only accelerated in recent years, and adversaries have paid attention.

There are several threat groups that take advantage of this fact, specializing in behaviors that help inform and enable more focused attacks on industrial processes: they target IT for initial access and, in some cases, have the capability to pivot to OT networks. Also discovered in 2022, the threat group BENTONITE has persistently and opportunistically targeted the maritime oil and gas (ONG), government, and manufacturing sectors. BENTONITE primarily conducts espionage to facilitate access and long-term persistence, but in the past has employed disruptive capabilities, such as deploying wiper malware or ransomware within compromised networks. It is known for targeting vulnerabilities in internet-exposed assets for initial access, which it has in common with other threat groups including KAMACITE and KOSTOVITE. Notably, KAMACITE is associated with providing the initial access to the OT network that put ELECTRUM in position to deploy the 2016 CRASHOVERRIDE attack.

Ransomware groups, while not targeting ICS/OT systems explicitly, are still achieving a considerable impact on industrial operations, as demonstrated during recent events. The attack on the Port of Nagoya in Japan, for example, impacted the port’s operations and subsequently affected the supply chains of other industrial organizations, including the Toyota packaging line. Over the course of 2022, ransomware attacks targeting industrial organizations increased by 87%, and the numbers only continue to rise. In the second quarter of 2023, ransomware attacks increased by 18% over the previous quarter, with 253 known incidents. Of those, 14 percent (35 incidents) occurred in Asia, and the manufacturing sector bore the heaviest burden with 70 percent of attacks. Ransomware groups are expected to continue having an outsized impact, whether through the integration of operational technology (OT) kill processes into ransomware strains, flattened networks allowing ransomware to spread into OT environments, or precautionary shutdowns of production by operators to prevent ransomware from spreading to industrial control systems.

Beyond Regulation: Evolving the Partnership Between Government and Industry to Meet the Challenge

This trend of growing industrial connectivity and digitization, combined with shared supply chains and many common vendors, creates cybersecurity risks we haven’t previously faced as a community. This community includes infrastructure owners and operators, operational technology developers and manufacturers, cybersecurity practitioners, researchers, and global policy makers from government, critical infrastructure sectors, and academia. To build and protect resilient infrastructure, the fight is more global than ever, but it is no longer just government to government.

Governments must work with industry more closely and effectively to prevent, discover, and respond to threats in the new industrial cybersecurity landscape. This starts with a new model of collaboration that fully uses industry and private sector expertise and capabilities to defend critical infrastructure, which is largely owned and operated by the private sector. There are tools developed and already deployed by the private sector that can answer key strategic questions for the government or provide agencies with the visibility they need into the vulnerabilities of critical infrastructure supply chains. By using these existing capabilities, we can get answers to important questions in minutes instead of months or years. Models of industry-government coordination moving forward must extend far beyond one-way information sharing or passive discussion forums and genuinely integrate industry expertise and insight with government efforts.

A successful example of this in the U.S. is the 2021 Industrial Control Systems Cybersecurity Initiative, or 100-Day Sprint, for the electricity sub-sector. The effort was collaborative across the Biden Administration, including the Department of Energy and the Cybersecurity and Infrastructure Security Agency, and industry. The government agencies coordinated on priorities and, in turn, the industry CEO-run Electricity Subsector Coordinating Council led a group to rapidly enhance visibility across industrial networks to detect cyber threats by deploying commercial technologies, including one developed by my company, Dragos, called Neighborhood Keeper. This free, anonymized information-sharing network grants access to real-time visibility of threats to industrial infrastructure as they emerge. It is available to all Dragos Platform customers, and most of the electric utilities, serving almost three quarters of the U.S. population, have opted in. Where threats to critical infrastructure also represent threats to the nation, Neighborhood Keeper enhances the overall threat picture for all participants, including government partners.

Achieving Security Outcomes with Regulation

When it comes to regulation, experience shows that what works best is for governments to communicate to industry why they are setting requirements and what the desired security outcomes should be (e.g., continuous monitoring of critical OT networks and the implementation of threat detection solutions), but to give asset owners and operators room to decide how to implement security measures in line with those requirements. They are the best experts on their own systems and can most accurately determine how to implement those measures for real security outcomes, without the unintentional disruption that generic or uninformed requirements can cause.

For example, Singapore’s OT Cybersecurity Masterplan outlines key focus areas to improve national OT cybersecurity. As a part of one of these focus areas, people and processes, the Cyber Security Agency of Singapore (CSA) was responsible for augmenting the Cybersecurity Code of Practice with a set of mandatory measures expanded to OT systems. These measures provide outcomes and related cybersecurity controls for asset owners and operators, focusing on areas such as network segmentation, patch management, detection, and continuous monitoring. The measures are modeled on guidelines CSA co-developed with the local ICS community.

This approach also has the added benefit of preventing regulations from becoming simply check-the-box exercises with little security value. Instead, it provides an opportunity to actually make critical assets and infrastructure more secure. When regulatory requirements are specific but not overly prescriptive, they allow the subject matter experts who design and operate critical assets to choose and use the tools and processes that best secure their particular systems and networks.

A Global Collective Defense Effort

The national cybersecurity strategies from both Singapore and the U.S. also highlight the importance of international coalitions and partnerships to counter cyber threats. The consequences of cybercrime are not geographically restricted, requiring a global approach to countering threats and managing vulnerabilities. Both supply chains and economies are interconnected globally as well. So, any time a new security standard or regulation is adopted in any country or region, there is a ripple effect globally as industry reacts. If done in a coordinated way, and informed by existing industry expertise and capabilities, this can create positive momentum for real security outcomes. The cyber threat landscape is changing, but when we work together as a community to protect and defend critical infrastructure, we can meet the challenge.

Mr Robert M Lee is a member of the Cyber Security Agency of Singapore (CSA)’s Operational Technology Cybersecurity Expert Panel, comprising cybersecurity experts from around the world. He is also the Chief Executive Officer & Co-founder of Dragos, Inc., a global technology leader in cybersecurity for operational technology environments. Mr Lee helped lead the investigation into the 2015 attack on Ukraine’s power grid. In 2022, his team at Dragos uncovered PIPEDREAM, a highly flexible framework to attack industrial infrastructure across all sectors.