Train commuters in Denmark became the latest victims of a cyber attack on critical information infrastructure (CII) when they were unable to buy train tickets online and through ticketing kiosks in May 2018.
Although the attack had only disrupted people’s ability to buy tickets, the hackers could have moved laterally to target the rail company’s operational technology (OT) or industrial control systems (ICS), according to Amir Levintal, CEO of rail cyber security company Cylus.
“This incident highlights the acuteness of the cyber threat to national railways across the world,” says Levintal.
“As passenger safety is paramount, rail companies should have the ability to detect attacks in the early stages and to mitigate them before they become a threat, especially as more automated, wireless and connected technologies are constantly being integrated into rail infrastructure.”
The Danish attack could have happened to any metro company around the world – or CII operator, for that matter – given the lucrative ransom payments that can be extracted from such attacks, as well as widespread disruption that a nation state can inflict on an adversary’s economy and population.
“We have already seen sites in the Ukraine, US and Estonia – to name but a few – that have had critical infrastructure ICS attacks with the aim of disruption,” says Simon Piff, vice-president of security practice at IDC Asia-Pacific. “The public viewpoint from many western military sources is that this is simply the ‘enemy’ testing their cyber warfare skills, although in some cases it was the precursor for a more traditional military operation.
“We have also seen commercial businesses launch attacks on their competition in more traditional IT security threats, but the idea that this could move to an ICS is not beyond the imagination.”
A recent study conducted ahead of the Black Hat Asia conference in March 2018 shows that such fears are not unfounded, with most IT security leaders in Asia convinced that a major, successful cyber attack on CIIs in their country, or multiple countries in the region, is imminent.
Fear of attacks
Some 52% either “strongly agree” or “somewhat agree” that such an attack will happen in their own country in the next two years. An even bigger proportion (67%) believe that an attack affecting critical infrastructure across multiple Asian countries will happen in the same period.
These jitters may have to do with several recent attacks on CII operators in Asia and the Middle East.
One example is a campaign involving the use of Triton, a sophisticated malware tool designed to cause physical damage to ICS systems, which was recently discovered by FireEye researchers at a critical infrastructure facility in Saudi Arabia.
Another campaign, reported by researchers at Nyotron, was focused on stealing data from ICS targets in the Middle East for the purpose of conducting surveillance.
Given the current trend of more frequent attacks specifically targeting industrial networks, governments in Southeast Asia are starting to prioritise the protection of ICS systems, especially in areas that have a far-reaching impact, such as critical manufacturing, or infrastructure service companies such as oil refineries and chemical producers, says Chee Ban Ngai, global product marketing manager at Honeywell Industrial Cyber Security.
“In Singapore, the manufacturing sector accounts for 20-25% of GDP, with key industry clusters in electronics, chemicals, biomedical sciences, logistics and transport engineering,” says Ngai. “The country’s heavy reliance on the sector and real need for a robust cyber security strategy for ICS is most evident to us.”
Risks from IT and OT convergence
Part of the problem is that ICS systems and OT networks have been unmanaged, from a security and risk perspective, for many years, according to Saniye Alaybeyi, a research director at Gartner who specialises in the internet of things (IoT) and OT security.
OT suppliers are also generally less mature about cyber security and software management. Some do not send software patches or endorse third-party patches in a timely manner, and many have no operating system upgrade path or support strategy beyond end-of-life for some systems.
So, when they are connected to IT networks to facilitate remote management, control and integration with the business supply chain, OT networks risk being compromised, as was evident in the attack on Ukraine’s power grid, when employee credentials for remote access were harvested and used to log on to the grid’s ICS network.
“The issue with many ICS ecosystems is that much of the hardware is dated and was not built with today’s cyber landscape in mind,” says Lee Siu Min, director of security and services at Thales in Singapore. “Replacing the equipment is also a costly affair and, in most cases, an ineffective solution.”
The fact that IT and OT teams have different priorities does not help, either. Divya Prasad, a senior industry analyst at Frost & Sullivan Asia-Pacific, says IT teams are more focused on using password and network protection to secure key IT equipment, while OT teams want their systems to run without affecting production processes and uptime.
Phil Hassey, principal adviser at Ecosystm, a Singapore-based technology research firm, adds: “IT and OT have been divided for the past 30 years – and frankly, always will be – as the objectives, outcomes and methodologies of the two differ drastically, let alone the technology requirements.
“What is required is a mandate from the CEO to get the two parties to work together. Outcomes that lead to measured business benefits have to be executed upon. This should be an industry standard, but of course that is easier said than done.”
Industry experts generally agree that better alignment between IT and OT through a common security programme is the first step towards reducing risk in ICS networks. Although there is a perception that IT departments will add risk, Gartner’s Alaybeyi says they can help with tools and processes to manage that risk.
“Reducing risk will not always show immediate savings, but it will provide an insurance policy, mitigate risks and improve safety and reliability for OT,” she says. “Managed correctly, the business will benefit from fewer malware intrusions from viruses and cyber attacks, as well as unintentional exposures.”
Alaybeyi says overall cyber security can be enhanced by embedding IT security teams into OT teams to plan and implement OT security to mitigate the risks of exposing OT systems to vulnerabilities in IT architectures.
Visibility and risk assessment
Increasing the visibility of all functions in an ICS enables organisations to spot anomalies in their daily operations, identify cyber intrusions and quickly rectify any problem, says Thales’ Lee.
Although there are concerns that introducing IT-style cyber security approaches within an ICS network could disrupt a facility’s operations, Lee says that is not true because greater visibility not only improves security posture, but also productivity and uptime.
In fact, ICS operators should monitor all events and engineering activities related to the maintenance lifecycle of industrial controllers to see the full trail of actions taken by all employees, contractors and systems integrators that have access to the ICS network, says Frost & Sullivan’s Prasad.
Just as critical is the need to draw up and maintain an inventory of existing ICS assets as part of a risk assessment effort to prioritise risks and vulnerabilities that need attention, as well as allocating resources to counter threats. “Operators often do not have an up-to-date asset inventory,” says Stefan Woronka, Siemens’ director of product management for plant security services.
When the asset inventory is set up properly, a comparison between the inventory and the current list of vulnerabilities, although time-consuming, should be made. Once the vulnerabilities are identified, the next logical step is to analyse and rank them in a prioritised patch list.
To ease the process, Siemens has developed a security vulnerability information app that helps to match an existing asset inventory with published vulnerabilities. “We have created a database with more than 30,000 third-party components that we monitor,” says Woronka. “The app also offers a function for analysis of the vulnerabilities.”
Similarly, Honeywell offers industrial cyber security risk management software that helps ICS operators monitor and prioritise risks across facilities. The tool provides a consolidated single-dashboard view of multiple existing vulnerabilities and any imminent threat, helping operators to manage complex and multi-dimensional risks.
Segregation and whitelisting
But given that ICS hardware often outlives the operating systems that support it, what can ICS operators do to prevent their systems being compromised?
Thales’ Lee advises ICS operators to create segregated zones within the network to block attempts by threat actors to penetrate security layers. One-way data diodes, for example, can facilitate information-sharing from one zone to another without allowing threats from the top layer to spread downwards. Components that do not need internet connectivity can also be air-gapped in this way to further improve security.
Siemens’ Woronka suggests application whitelisting as another way to continue operating old ICS hardware – such as computer numerical control (CNC) controllers used to automate machine tools – by limiting its functionality to only what is necessary to keep it humming.
“These controllers are usually found in machine tools with an expected lifetime of up to 25 years,” he says. “Application whitelisting can help to protect tools, even when the operating system is no longer supported over this extended timeframe.”
For the most part, however, only newer systems will have higher levels of security and upgradability, says IDC’s Piff. “For those with older systems, and we mean about two years or more, it’s about detect, protect and probably disconnect to save these systems,” he says.
In reality, this is unlikely to prevent a breach if a threat actor is determined enough to compromise an ICS system. In this case, a quick incident response can make the difference between a full operations meltdown and a regulatory report.
“One should also bear in mind that resiliency plays a key part in ICS operations,” says Thales’ Lee. “The ability to resume operations via robust business continuity processes is key to restoring public confidence.”