Evolving Industrial Cyber Threats Give Rise to New Security Best Practices

One thing history has taught us is that adversaries often signal their intentions and methods before they cause more widespread and destructive attacks. As defenders, if we pay close attention, we can see the risks and vulnerabilities on the horizon and prepare for and mitigate industrial cyber risk in advance. These insights can lead to the development of more sophisticated strategies for deterring cyber threats. Below are three best practices that CISOs and other security decision makers can implement to defend against evolving threats.

Securing the XIoT: Don't Let the Cloud Hamper Visibility

The Extended Internet of Things (XIoT), which includes operational technology (OT) networks, the Internet of Things (IoT), the Industrial IoT (IIoT), and Healthcare Internet of Things (HIoT) devices, is accelerating as these connected devices become essential in enterprise, industrial, and healthcare environments. Whether optimizing individual processes or entire factories and other critical infrastructure ecosystems, this expanding universe of devices is helping improve efficiency, reliability, responsiveness, quality, and delivery.

However, as companies introduce more XIoT devices, they also introduce risk to their environments. We've seen this building for some time. From NotPetya's impact, nearly five years ago, on a wide swath of critical infrastructure companies, to subsequent examples of attacks on connected cars, water facilities, oil and gas providers, the food and beverage sector, and medical devices.

The risk is now compounded by vulnerabilities of cloud-managed OT devices and management consoles in the cloud that often escape the attention of asset owners and security teams. Claroty's Team82 has already demonstrated that it's possible to exploit a vulnerable device such as a cloud-managed PLC and eventually take over the cloud-based host account. And a compromise of the management consoles is straightforward to understand: By exploiting a vulnerability in the cloud, an adversary has access to all the accounts and devices it manages.

Gartner refers to the combination of these networks and assets as cyber-physical systems (CPSs) and predicts that the financial impact of attacks on CPSs resulting in fatal casualties will reach over $50 billion by 2023. And that by 2024, 75% of CEOs will be personally liable for CPS incidents.

Claroty has been focused on extending the reach of our industry-leading platform to cover the XIoT. We continue to build on our deep capabilities, including full-spectrum visibility, risk and vulnerability management, threat detection, and secure remote access controls for industrial, healthcare, and enterprise environments. Our platform allows you to extend your governance model to include the breadth of devices and systems within and connected to your environment, and to assess and strengthen your overall security posture. Our solution with Crowdstrike, followed by our major step forward with our acquisition of Medigate shows our focus on providing leading solutions to mitigate the risk of the XIoT. Together, Claroty and Medigate are combining our deep domain expertise and specialized technologies into a single platform capable of extending across all types of CPS and connected devices to secure the XIoT.

To Help Secure the Fragile Supply Chain, Prioritize SBOMs

Well before the SolarWinds attack which brought supply chain attacks to the fore, the Target security breach demonstrated how attackers use weak links in third-party tools to compromise systems and steal valuable data. But the critical vulnerability in the open-source Log4j library distributed by the Apache Software Foundation, demonstrated the true fragility of the software supply chain. Vulnerabilities in pervasive applications like Java, create pathways for threat actors to compromise all types of cyber-physical systems (CPS) and connected assets. In an instant, exploitable vulnerabilities in an open-source component can put thousands of companies and users at risk.

Log4j is the logging utility used in a large number of applications used in OT networks across industries. So a vulnerability in a component such as Log4j exposes numerous industrial processes to risk. While Log4j was quickly patched, it put the spotlight on the software supply chain, and the importance of ensuring the secure use of open-source components within critical infrastructure.

Too often, organizations are blind to what makes up a popular piece of commercial software, and when a vulnerability in a component such as Log4j is disclosed, security teams scramble to determine their exposure and prioritize patch management processes. A U.S. government Executive Order last year that was executed in the second half of 2021 specifically called out enhancements to the security of the software supply chain. The order made it clear that commercial software lacked transparency and resilience to attack, and demanded additional controls to prevent exploitable vulnerabilities from being introduced into code.

If you are going to use third-party software components, it's crucial to carefully analyze the code to identify and understand any potential vulnerabilities present. By formally integrating security best practices into your software development process, vendors and developers can substantially reduce supply chain risk. One specific aspect of secure software development to uphold is the practice of keeping a Software Bill of Materials (SBOM), which is a detailed record of all components used to build a given piece of software. A report from the U.S. Dept. of Commerce and NTIA lays out what should be seen as the minimum requirements for an SBOM.

Adapt Playbooks for Ransomware "as a Distraction"

Ransomware is rampant and payment is prevalent. A recent Claroty survey revealed that a staggering 80% of respondents experienced an attack, with 47% reporting an impact to their OT/Industrial Control system (ICS) environment. More than 60% paid the ransom and just over half (52%) paid $500,000 USD or more. Ransomware attacks against critical infrastructure companies continue to evolve with a February 9, 2022 alert warning of "triple extortion" techniques. In such attacks cyber criminals threaten to 1) publicly release stolen sensitive information, 2) disrupt the victim's internet access, and/or 3) inform the victim's partners, shareholders, or suppliers about the incident if the ransom is not paid.

CISOs should expect the trend of evolving ransomware attacks to continue. As world events continue to unfold and geopolitical tensions rise, critical infrastructure companies must now consider whether ransomware is being used as a misdirection tactic. This was the case when destructive malware attacks were reported against government websites in Ukraine. Defenders spent needless time addressing what they believed to be a ransomware attack, only to discover it was even more damaging. Instead, the Ukrainian systems were infected with wiper malware that rendered hard drives on compromised machines useless. Such attacks could spill over into critical infrastructure and asset owners and operators need to remain vigilant and broaden their playbook to increase cyber resilience against this threat.

With the new paradigm of the XIoT and evolving adversary tactics, techniques, and procedures, it's important to keep abreast of trends and changes in the threat landscape. Fortunately, with timely, useful threat intelligence and proven tools and processes, CISOs and their teams can better assess risk and strengthen security posture.

Download Team82's latest Biannual ICS Risk & Vulnerability Report: 2H 2021 for a deeper dive into these trends and recommended security measures to mitigate risk and remediate.