Perfect prevention is not possible, especially given that critical infrastructure continues to be an evolving segment riddled with “brownfield.” As attack surfaces grow, addressing both physical and cyber threats will require wider adoption of emerging technologies across the many environments that make up Critical Infrastructure (CI). The threat landscape continues to evolve: in mid-2020 the U.S. National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) issued Alert AA20-205A, recommending immediate actions to reduce exposure across OT assets and control systems. The warning states: “Over recent months, cyber-actors have demonstrated their continued willingness to conduct malicious cyber-activity against critical infrastructure by exploiting internet-accessible OT assets.”
The threat landscape includes but is not limited to:
- International & National Terrorism by Non-State Actors — Violent extremism is a threat to critical infrastructure providers. Cyber terrorists are intent on disrupting critical services or causing harm. While still under investigation, the bombing outside an AT&T facility in downtown Nashville on December 25, 2020, highlighted a cascade of technological failures.
- Nation-state-sponsored cyberattacks — These attacks have created a new market for bad actors and accelerated how quickly such attacks can be monetized.
- Accelerating brownfield operational technology/information technology convergence, together with a growing number of greenfield cyber-physical systems, pushes OT security needs to evolve and draws more IT security leaders into OT security as threats and vulnerabilities increase.
- IT/OT/IoT convergence — The convergence of IT and operational technology (OT) systems, combined with the increased use of the Internet of Things (IoT) in industrial environments, is challenging many security practices to define the best security architecture that aligns with transforming and modernizing environments. The air gap is eroded for operational technology owners.
Tactics and Techniques Evolving
Critical infrastructure security risk leaders must monitor tactics, techniques, and procedures (TTPs) that include:
- Spear phishing to obtain initial access to the organization’s IT network before pivoting to the OT network
- Deployment of commodity ransomware to encrypt data for impact on both networks
- Connecting to internet-accessible programmable logic controllers (PLCs) requiring no authentication for initial access
- Using commonly used ports and standard application layer protocols to communicate with controllers and download modified control logic
- Lack of controls related to modifying control logic and parameters on PLCs
- Memory attacks
- Cyber-physical attacks: because CI systems connect the cyber and physical worlds, they face threats unlike those against enterprise IT systems, ranging from siegeware to GPS spoofing
Recommendations: Critical infrastructure security and risk managers must:
- Start planning for security controls that go beyond vulnerability and anomaly detection by adopting emerging technology that secures devices against attacks and increases cyber situational awareness.
- Accelerate IT/OT security stack convergence by inventorying what OT security solutions are used in their organizations and evaluating the growing list of stand-alone or multifunction platform-based options for interoperability with their IT security tools.
- Evaluate the security stack against changing threat vectors and risk, with an eye toward taking a cyber-physical approach. For vendors to watch, see Market Guide for Operational Technology Security and Emerging Technologies and Trends Impact Radar: Security in Manufacturing.