Digital transformation has revolutionized critical infrastructure industries like manufacturing, enabling them to harness new technologies such as the cloud and the Internet of Things to do things better, faster and smarter. And like with any newly blazed trails, this transformation has come with new risks.
Industrial control systems (ICS) — used in sectors such as manufacturing and energy — traditionally relied on architecture segmentation, “air-gapping” and other passive defenses. But with the number of internet-facing embedded devices and control systems growing in the last decade, those passive defenses no longer work. At the same time, the attacks targeting those systems are on the rise. Under these circumstances, a major attack could result in severe damage, including loss of human life.
An expanded view of critical infrastructure
In a 2019 ICS (industrial control systems) survey, 51 percent of more than 300 respondents perceived the level of operational technology (OT) and ICS risk to be severe, critical or high. The top threat identified was devices and “things” that are being added to the network and can’t protect themselves.
Not only are industrial control systems being connected to the internet and the cloud for the first time, but every new device creates an entry point for a bad actor to exploit. And with this new ecosystem now being interconnected and interdependent, supply-chain security and infrastructure security are new priorities that these sectors haven’t had to grapple with in the past.
Emily Miller, direction of national security and critical infrastructure programs at software-security company Mocana, recently told Infosec on its Cyber Work podcast that securing industrial control systems is a matter of saving lives. But she takes a broader view of the definition of critical infrastructure, including agriculture.
“What happens if your food sources are potentially impacted … not only from the cascading consequences of water and power [being affected], but also the cascading consequences of component elements that no one at the national level has even recognized as a critical infrastructure,” she says.
Yet like other critical infrastructure industries, she points out that agriculture has been innovating — using many embedded devices and other technologies that create not only physical risks but also data tampering risks for components that end up in the food manufacturing process.
You can have “a physical introduction of a contaminant — but what if you’re having somebody introducing a data element that is telling you something is true, when something is actually not true,” she says.
New technology, new security concerns
Many critical infrastructure businesses are using cloud-based and mobile technology that have data going through a long communication chain before it gets used for decision-making by a human. A device may first collect the data in the field, then talk to another device in the cloud and then the data will get filtered back to another platform and so forth. A threat actor thus has many opportunities to manipulate the results, from tampering with the device itself to intercepting the data in transit.
“Where in the data chain have you validated that the data from the original data point and data source is accurate, that the originating device was not in some way corrupted or manipulated, or that the data in transit was not somehow corrupted or manipulated,” says Emily Miller, who previously worked with the Department of Homeland Security, Department of Health and Human Services and ICS-CERT.
Embedded devices are only one source of security challenges for ICS. Many companies are using so-called legacy technology that has vulnerabilities easily exploited by hackers. For example, CyberX Labs analyzed more than 850 industrial control networks across multiple industries and found that 53 percent had outdated systems like Windows XP.
“Retrofitting legacy devices are a huge thing the industry has to deal with,” Miller says.
As the critical infrastructure sector is dealing with these issues, it’s also increasingly the target of attacks. A 2018 Forrester study commissioned by Fortinet found that of more than 400 organizations using ICS or SCADA, 56 percent had a breach in the previous year.
And increasingly, more attacks on critical infrastructure are being attributed to nation states. In the 2019 SANS survey, 28 percent of organizations believed they were attacked by nation-states or state-sponsored actors, compared to zero two years before.
Taking a systematic approach to infrastructure security
Miller noted that different industries have different risk priorities. At the end of the day, though, many of those risks are interconnected.
Take an embedded healthcare device like a pacemaker, which may have a security vulnerability. That device is connected to a monitoring system, which is connected to the internet, which may be connected to a nursing home network. Even while a compromised device puts a patient at risk, there’s also an additional risk picture to consider.
“When you go up the stream, it broadens the attack surface. Sure, the pacemaker’s scary [as a security risk] but there’s a whole lot more impact that you can have [because of the interconnection],” Miller says.
She noted that interdependency also impacts risk mitigation. In the case of a pacemaker, for example, it’s riskier to update the device that’s implanted in a patient versus updating the monitoring system that’s turned on only part of the time.
Miller sees the industry continuing to grapple with the issue of legacy devices in the next five years. She also believes there’ll be continuing conflict between IT and OT, driven by digital transformation, especially as technology like artificial intelligence and cloud-driven big data analytics continue to move to the mainstream.
“We’re really gonna have to deal with how we create trusted systems,” she says. “The devices and the whole ecosystem, the network, the government — how does all that work together and how do we enable business and continue to make money, but also make sure we’re doing it in a safe and secure way.”
- SANS 2019 State of OT/ICS Cybersecurity Survey, SANS
- 2019 Global ICS & IIoT Risk Report, CyberX Labs
- Savings Lives with ICS and Critical Infrastructure Systems, Cyber Work with Infosec
- Independent Study Pinpoints Significant SCADA/ICS Security Risks, Fortinet