Author: Andres Andreu, CTO Bayshore Networks
Did you know that 86% of attacks in manufacturing are targeted and that 47% of cyber breaches involve theft of intellectual property from manufacturing companies?
Attackers are now turning to Artificial Intelligence (AI) and Machine Learning (ML) to do some of this heavy analytical work for them. As they gain access to skilled engineers in the realm of AI, this will become an area of great concern, given the power of what they will be able to unleash at their targets. Critical Infrastructure Protection requires a new, active OT security approach.
In 2019 we will face a new set of sophisticated attacks on manufacturing and other critical infrastructure. The involvement of nation-states compounds this challenge because they bring hackers better resources (i.e. money, people, skills, etc.). The result is the elite hacker: well-funded and highly skilled, making it almost impossible for all manufacturing companies to protect themselves. Hoping you are not targeted is not a proactive security measure.
Evolution of the attacks
Hackers evolve too. Metamorphic and polymorphic malware used to be impressive pieces of craftily written software. Malware is still impressive, if one looks under the hood. New malware has raised the stakes by evolving into entities that are very difficult to detect. This has changed many aspects of the cyber security race, especially the role and effectiveness of endpoint security. This genre of software is still around, and it is still a big threat. Though it is still file based, and endpoint products have evolved in response to varying degrees, we are now seeing the evolution into in-memory malware that is mostly file-less (i.e. no file system storage is used), and that makes endpoint security ever more challenging.
The “native attacks” are those specific to the IIoT space. Historically the majority of attacks have been enterprise level attacks. The true proliferation of native attacks in the IIoT space has yet to hit the industry, because attacking entities are still learning the communications protocols of the IIoT and ICS space. But once they are up to speed, sophisticated attacks will surface that may prove elusive to protect against.
IoT devices are everywhere now, and they are the “Wild West” of unexplored spaces. Mirai was a serious wake-up call to the collective power of millions of small, low-power devices working in unison towards a disruptive goal. But Mirai was only possible because of what we consider to be “irresponsible device deployments.” As technology becomes easier to deploy, these problems are going to grow, since people with no concept of security can now just as easily deploy some cool new gear and the stuff just works out of the box, unfortunately with basic default profiles that introduce weak security postures. These devices may just work, but the ease of deployment coupled with the lack of knowledge out there compounds the security challenges we are facing.
The threat inside
The biggest threat to an institution may already be inside the building. Studies show that 60% of cyberattacks come from inside the company. Does your organization allow for the physical disabling of USB ports on desktops? Does your organization rely purely on users using laptops that they also take home? These types of questions and their answers really start shaping what you should do (i.e. strong network segmentation, etc.) to secure your organization.
The threat outside
Targeted attacks with a “bullseye” on public utilities and ICS environments are part of the next big wave of attacks. Targets usually pay the ransoms in question because they need to keep things running. The next set of targets will include vital societal infrastructure services that have not yet truly been targeted by widespread ransomware attacks. Cyber criminals know that any attack that can cause downtime to these environments/services will get swift attention, and ransomware probably involves the least effort in terms of targeting a specific entity. We should expect to see an overall decline in ransomware attacks in 2019, but we will see an increase in more focused attacks towards utilities and the ICS space in general.
What can we do to protect manufacturing?
The attacks will come. We have to set aside ego and acknowledge that our industry is enormous. A clear understanding of the issues is paramount. We have to start transcending the realm of buzzwords and truly understand the issues affecting us. We need professional forensics experts involved to provide invaluable insight into the details of suspected activity. Those details will also, of course, feed into the ultimate decision of whether or not some suspect activity qualifies as a successful breach or attack. Over the years this expertise has proven itself to be beyond the normal capabilities of typical IT staff, and so it is a worthwhile investment.
Beyond the forensics, a company should also have a regular set of external eyes on its security posture. This will also prove to be money well spent over time. Once a deep understanding of these real issues is in place, it is possible to filter out noise and focus on the issues that really impact you and the environments you are responsible for.
Active OT protection
Adding security to a production environment, while not violating the bounded latency constraints the environment needs to adhere to, is not easy. Modern day networks (i.e. Ethernet networks) operate within boundaries where the timing of data traffic is indeterminate. This means that intervening devices (i.e. security devices) can delay stream data, and generally speaking those delays are acceptable. IIoT/OT networks have no such luxury, yet they need security functionality in order to protect their resources and productivity properly. There is a great and unique challenge in finding that middle ground.
Consider the impact of active protective action, or the lack thereof. Visibility is still of value, but at some point active enforcement will need to take place to actually secure resources in manufacturing (and most other IIoT environments for that matter). When the usefulness of visibility alone declines and actual enforcement of blocking rules takes place on a network, we will see a positive impact. The challenge is: how much impact can an organization tolerate so that there is actual protection without disrupting productivity? It’s a serious challenge, and one answer does not fit all models.
Finding that elusive balance between modern day ease-of-use (i.e. making an operator’s life easier or making remote maintenance possible) and having a strong, decent security posture is yet another unique challenge for manufacturing and IIoT. We have all seen the Shodan results for exposed ICS systems where the focus was purely on the ease of use aspect. Balance is possible but it requires some give and take on both the OT/ICS and IT sides.
The fact that some equipment was put in place 20 years ago does not mean the surrounding technology has to be stuck in time two decades back. But things have to be done with expertise, planning and tons of testing so that these environments can safely operate within the confines of modern-day technology.
One key strategy is to scrutinize everything, since a strong security posture is both breadth and depth based, following a simple trust-but-verify model that covers the range from physical to cyber security. The example often used is that of the night cleaning crew. Scrutiny in this space could range from background checks to video surveillance during the night-time cleaning activity. If one steps back and thinks about it, these people have free rein over most of your equipment during their cleaning activities because they perform a very necessary function. There have been instances where crafty adversaries have ensconced themselves in a cleaning crew and performed their initial activities that way.
Your business is only as strong as your weakest partner. Can you trust that your partners are keeping your data safe from attackers? As we move forward, apply healthy paranoia. “NO”, you cannot trust your partners to keep your data safe. This is not meant to be a negative dig on any partner, but there is no way you can truly know whether your partners will go as far as you will to secure your own resources.
- Request and pursue end-to-end joint sessions where all ingress and egress points are identified along with normal and edge cases. Identify where your partner sits with respect to your expected security posture.
- Invest in a third-party assessment of the overall joint solution(s) where an objective perspective is applied to all ingress & egress points along with use cases.
- Make sure your partner(s) have the same level of accountability with respect to the outcome of said assessment.
Don’t let your manufacturing company become the next headline.
Andres Andreu, CISSP-ISSAP is the CTO of Bayshore Networks, the leader in active OT industrial cybersecurity protection by creating, monitoring and enforcing safety policies. Andres has over 20 years of public/private sector hands-on dynamic security/software architecture and engineering experience, including extensive backgrounds in SCADA/ICS, web services security/integration, federated ID technology, and electronic surveillance & countermeasures. Andres is the author of Wiley’s Professional Pen Testing for Web Applications, Technical Editor of Webster’s New World Hacker Dictionary, and the software author of a number of open source projects, including gargoyle (Active Protection for Linux), yextend, I7secassay, WSFuzzer, and SSHA attack.