The increasing frequency and sophistication of successful Operational Technology (OT) cyber-attacks serve as a wake-up call to all asset operators, controls engineers, IT network operations and cybersecurity teams, IT and OT alike. Year 2022 set the precedence for acceleration in capabilities for new modular industrial control systems (ICS) malware called PIPEDREAM, which has wider impacted multiple cross platforms and impacts native functionality in common industrial protocols (CIP) across vast Industrial OEM devices.
Feeble defense in depth in today’s cyber ecosphere gives adversaries unfair advantages to easily purpurate an attack. Ensuring critical life safety, environmental and interruptions to processes and operations are irrepressible to today’s cyber threats. And to proactively secure mission critical OT cybersecurity and what organizations need to consider as they plan their 2023-24 to prepare cyber strategies and beyond.
Threats Against Critical Infrastructure expanding Cyber-Attack Surface (IT/OT convergence, Smart Initiatives, remote operations, IoT, Supply Chain). Circumstances are apt for an impeccable tsunami for Industrial Control Systems (ICS), OT, iIoT and IoT systems which are longer proprietary or isolated or air gapped networks. Interconnected control systems are more opening with IT/OT convergence as they co-mingle with IT boundary business networks and cross contamination of traffic from LAN, WAN, Internet, Wi-Fi, Control networks and CIP protocols. Ransomware attacks on critical infrastructures nearly doubled in 2022.
There are several factors that have led to the massive expansion of the global cyber-attack surface. These trends include digital transformation moving towards the early stages of the 4.0 Industrial Revolution that is emphasized by digital communications and the interlocking of machine and human.
OT ecosystems generally lack the IT cybersecurity hygiene such as antivirus, EDR, SIEM, SOAR, SSO including AAA services. (Authentication, Authorization and Auditing) Asset owners to stem effective way of protecting tactics, techniques, and procedures that are purpose built for OT and provide security controls that truly understand OT Cyber security principles with priority on Availability, Integrity and Confidentiality which is literally reverse order for IT Security controls therefore forcing IT Security controls into OT ecosystem is grossly misunderstood.
Ransomware has been around for almost two decades and cultivated in popularity due to more ease of profiter financial rewards to threat actors. The ransomware became a weapon of choice due to COVID-19 persuaded digital remote workforce had created more targets for extortion.
The inclination in 2023-24 is that criminal threat actors are becoming more sophisticated in their phishing exploits with use of machine learning and more coordinated sharing on the dark webs. Evolution of cryptocurrencies made matter worst to easily hide the digital currency from financial traceability of any wrong doings. With the advent of cryptocurrencies in ransomware, it became a profit motive for a lot of the criminal enterprises.
Governmental and Regulations are advancing as cyber breaches are the digital pandemic like Covid-19 advancing rapid shift towards more remote operations. This transferal intricates a combination of innovative technology and process’s introduction further putting OT operation at risk, and it is not clear that these changes have taken advantage of the clear guidance on secure design and risk assessment from the ISA/IEC 62443, NERC CIP, NIST 800-53, ISO 270001, ISA/IEC 62443, TSA Pipeline, DHS CFATS, or ISA S99 series of standards. All these specifications points to NIST standardize Cyber Security Framework (CSF). Asset operators and Cyber Security needs to start shaping their desired target state by dissecting what’s most critical assets that needs maximum protection.
To help revolutionize threats, critical infrastructure asset operators should apply a comprehensive risk framework to implement to address vulnerabilities to IT/OT convergence including “security by design”, defense in depth, and zero trust to counter cyber threats.