In 2005, the breach of CardSystems (a major payment card processor), which exposed 40+ million credit cards, was labeled “The Biggest Hack of All Time” – the breach made worldwide news and the cover of Newsweek, with a multipage article highlighting the dangerous new reality of cyberthreats. Fast forward to just last week and the announcement of the Equifax breach, impacting 143 million individuals’ personally identifiable information, credit histories and card details, and it should be apparent that nothing has gotten better in the world of IT security in the past 12 years. To the contrary, our ability to counter and combat threats has been nothing short of a failure.
Why reference these IT network breaches if my focus is on the industrial control systems (ICS) or operational technology (OT) networks that power critical infrastructure and run our global economy? I point to them as stark reminders to anyone thinking that the security of these networks is either “on par” with (a horrible standard at best) or better than that of their IT counterparts. This could not be further from the truth. IT networks have been where “the bloodshed” has been for so long now that they’ve rightfully commanded the lion’s share of investment in new solutions, people and processes. Conversely, despite all the conversations about how we must prepare against nightmare outcomes from breaches in the OT domain, there has been a dearth of funding and advancement – largely because, until recently, there has been a lack of major threat activity in this space.
Just last week, Symantec released a report claiming that an advanced adversary has gained access to the OT networks of dozens of firms in the energy sector – giving them the ability, Symantec claims, to “turn off the lights” if they so wished. This follows the July disclosure of a major campaign targeting U.S. energy and nuclear facilities – one that was likely conducted through lateral movement from IT to OT networks. Whether the same actors are involved is not certain at present. If they are, it proves that at least one nation-state is aggressively laying the groundwork, or at least establishing the capability, to disrupt critical infrastructure in the U.S. and around the world. If they are unrelated, it shows us that this capability is desirable to many. Either scenario should be alarming. These disclosures highlight a growing threat to critical infrastructure – one that has been the subject of much debate and forewarning – and should show us that the day is likely not far off when we see major disruption through cyberattack. These are situations to be taken with grave seriousness, and they should give cause for immediate and rapid innovation in the sector.
However, they aren’t the only situations to concern ourselves with.
The WannaCry and Petya/NotPetya ransomware attacks, which occurred earlier in the summer, help us to see a different picture of the potential threats to ICS/OT networks. Both campaigns resulted in production disruption at major global firms – with Petya/NotPetya having the greatest impact and resulting in what we now know is at least $600 million in losses. While neither is believed to have specifically targeted ICS networks, their spillover effect shows us that while we’ve been looking for “Cyber Pearl Harbor,” we may have overlooked a less disruptive but equally sinister threat motive: economic warfare.
With little in the way of effort, ransomware can be created to specifically target ICS networks. We should be concerned that adversaries will take note of the recent impact and damage of WannaCry and Petya/NotPetya and copy this type of activity. With an insignificant investment in time and money, significant and lasting damage can be done. Whether a nation-state – as some believe was the case in both of these instances – uses a ransomware campaign as a false flag to inflict economic damage on an adversary or a particular industry, or a criminal actor uses ransomware to hold these companies hostage, we should see the writing on the wall: these threats are just around the corner.
From the boardroom to the security operations center, lip service can no longer be paid to ICS/critical infrastructure/OT cybersecurity. The long summer is coming to an end and it appears that winter may indeed be just around the corner.