Industrial control systems are essential to the smooth operation of various national critical infrastructure. While once segmented from the web, these systems are now becoming increasingly networked and remotely accessible as organizations transform to meet the digital age. This development potentially exposes industrial control systems to digital threats.
One of the most serious threats confronting industrial control systems today is the Internet of Things (IoT). Organizations and users are becoming more and more dependent on Internet-connected devices, so much so that there’s not enough time to secure them. Such hype has enabled the creation of threats like VPNFilter, a type of botnet which targets routers, network-attached storage (NAS) devices and other IoT products.
In May 2018, researchers observed that VPNFilter had infected half a million IoT products in what Ukrainian officials believed were Russia’s preparations for a digital attack. Less than two months later, Ukrainian law enforcement thwarted an attempted VPNFilter attack by Russian agents against a chlorine station.
The IoT threat facing industrial control systems is expected to get worse. In late 2016, Gartner estimated that there would be 8.4 billion connected things worldwide in 2017. The global research company said there could be approximately 20.5 billion web-enabled devices by 2020. An increase of this magnitude would give attackers plenty of new opportunities to leverage vulnerable IoT devices against industrial control systems.
Concern over flawed IoT devices is justified. Attackers can misuse those assets to target industrial environments, disrupt critical infrastructure and jeopardize public safety. Those threats notwithstanding, many professionals don’t feel that the digital threats confronting industrial control systems are significant. Others are overconfident in their abilities to spot a threat.
For instance, Tripwire found in its 2016 Breach Detection Study that 60 percent of energy professionals were unsure how long it would take automated tools to discover configuration changes in their organizations’ endpoints or for vulnerability scanning systems to generate an alert. Even so, 70 percent of participants affirmed it should take only minutes for those same solutions to detect an alteration.
Industrial professionals would be wise not to underestimate threats against industrial control systems. That’s because the costs of disruption can be significant to the business. In response to a 2016 ransomware attack, Michigan’s Board of Water & Light ended up paying approximately $2 million for digital security experts and a law firm to assist it in its recovery and prevent similar attacks from occurring in the future.
Even worse, a 2012 malware attack cost Saudi Aramco – the world’s biggest oil company – approximately $1 billion, as the company needed to replace 35,000 computers damaged by the attack. It also hired at least six firms and dozens of experts to help with the recovery, reported Reuters.
Tim Erlin, VP of Product Management & Strategy at Tripwire, feels these incidents demonstrate the importance of organizations protecting their industrial environments now rather than later:
If your business has an industrial control system footprint, now is the time to evaluate how you’re securing that environment. Industrial companies have accepted the reality that digital threats can have tangible consequences. This perception is perhaps heightened by recent attacks that were specifically designed to affect physical operations and have proven capable of doing so. It is vital that organizations properly secure their critical infrastructure by investing in robust cybersecurity strategies that involve proper foundations of critical security controls and layers of defense. Failure to do so will result in a major breach that will cause catastrophic failure, which is a significant concern among security professionals as a critical disaster could result in significant loss of life.