In my previous column, I outlined a series of high-level, prescriptive steps for organizations to follow to better the security posture of their Industrial Control Systems (ICS) networks. Hopefully, you found that helpful to moving the needle forward and are putting some of those steps in place. I promised in that column that we’d address a series of technical recommendations as the next in our series. We have to hold those thoughts for the January edition. Rest assured, that piece will come along into the New Year (I’m giving you something to look forward to!)
Here, I wanted to address some of my thoughts about what the New Year will hold for Industrial Control Systems/Critical Infrastructure cybersecurity. It is “Security Prediction Season” after all and I’d be remiss not to offer my thoughts. Below I’ve outlined a few things I think that will definitely manifest – some are bad, some offer more promise for placing us on a path to combatting an adversarial scourge which is growing in this absolutely critical area.
Nation-States will Conduct More Probing of Critical Infrastructure:
I think that Pandora is out of her box as it relates to nation-state threat activity against critical infrastructure. Nations around the globe have recognized that there is no longer a “bright red-line” preventing them from including cyber action against critical infrastructure as a replacement, precursor to, or component of conflict. The lack of any response to 2014 threat activity probing U.S critical infrastructure and targets in Europe, and the ’15 and ’16 disruptive attacks conducted against the Ukraine, empowered repeat activity on the part of multiple nation states in 2017 and will do so into the future.
● July ’17 disclosure of (believed to be) Russian probing of the IT networks of U.S. Energy and Nuclear facilities
● September ’17 release of Symantec’s Dragonfly 2.0 report detailing access on the part of adversaries (again believed to be Russian – not yet completely linked to July disclosure) to the ICS networks of targets in U.S. Energy
● October ’17 release of a FireEye report detailing (believed to be) North Korean spear-phishing attempts at U.S. Energy firms
● October ’17 TLP White release from ICS-CERT detailing attacks against Energy, Nuclear, Transportation and Critical Manufacturing sectors
The good news from 2017 was that nothing happened in terms of disruption (at least as of the time of this writing – we are after all still on track for the “2017 anniversary” attacks that may come in Ukraine) – I am not as hopeful for the same outcome in 2018. Do I think there is a likelihood of Russia disrupting U.S. or European energy in 2018? No – but rogue states such as North Korea do not play the same geopolitical chess game that the Russians do. They are motivated, are exponentially increasing their capabilities, and their barrier to action is far lower. I’m also very concerned of regional conflict – such as that heating up between Saudi Arabia and Iran leading to some form of action.
Ransomware will Again Spill Over- it MAY be Targeted and Disruption will Rear its Head Again:
The most significant cyber events in 2017 related to ICS networks came in the form of collateral damage. We warned in April of ’17 that ransomware was coming for the shop-floor. In May and June, we saw those warnings turn into reality. Fortunately, neither of these ransomware campaigns were specifically targeted at ICS networks. Unfortunately, that didn’t matter. The fact that both of these campaigns were able to reach ICS networks proves a point we’ve been making for quite some time – IT and ICS networks are not widely segregated and air-gapped as many believe – and bridging from IT to ICS is, in many cases but not all, a relatively pedestrian exercise.
Major firms around the globe – FedEx, Mondalez, Maersk, Reckitt Benckiser, Merck, Honda – saw disruption from these campaigns. The financial fallout is currently tallied at just under $900 million in losses.
I anticipate two things in this area:
1. We will see another spill-over along with major disruption and financial loss
2. We will see threat actors – likely nation states but possibly criminals – craft ransomware campaigns specifically targeted ICS networks in an effort to conduct economic warfare/extort the world’s leading brands out of millions
Boards Will Demand Insights and Finally Empower Action
On the back of the reported losses from NotPetya, we have already seen what looks to be the beginning of a major sea-change with respect to the level of concern Boards of Directors are placing on securing ICS networks.
We know of multiple cases in which Boards have immediately empowered CISOs to take action and have given them the direction “You have whatever you need to solve problems in this area.”
More mature companies (with respect to ICS security strategies) are jumping directly to action – others are getting their ducks in a row with a stark increase in the number of ICS security assessments. Security assessments for ICS systems are on a stark incline and I fully anticipate these trends to continue into the New Year at a feverish pace and anticipate this pace to grow with or without any further attacks. Seeing the previous item above, we anticipate more losses in the future – but on the positive end, anticipate real and rapid change is coming to ICS security.
The Ugly Truth Behind Readiness Will be Revealed
Given increased focus on ICS security readiness, I anticipate an audible collective gasp as organizations come to the stark realization that they are nowhere near as ready to combat threats to their ICS networks as they once believed. There will be a collective realization that they don’t have a clear understanding of what assets they even own, that hygiene is harder to upkeep in ICS than in IT, that air-gapping is a unicorn and it doesn’t exist, that they don’t have the skills needed within their personnel, that their teams aren’t talking to one another and that they aren’t currently monitoring these networks the way they should – and thus not only cannot respond accordingly, but don’t even know when they need to respond. On the positive, looking at the item above, when they come to this realization – it looks like something will actually be done about it.
Am I a soothsayer? No – but I have been in this space long enough to confidently make these statements about the year ahead. I’m keeping my fingers crossed that the bad will not manifest the way I predict – and that the good will manifest faster than we are even seeing.
There is no more important mission in cybersecurity – in my mind – than securing the Industrial Control Systems networks that power our world and our lives. I leave you with hopes for a happy and healthy holiday season – and for the empowerment you need to fight the good fight into 2018.