Industrial control systems (ICS) underlie a vast number of different processes, from manufacturing to energy production to public transit. As these systems become more advanced and more connected, they have become targets for bad actors seeking to disrupt processes or destroy infrastructure. The Cipher Brief spoke to Angie Messer, an Innovation Service Officer for Cyber Futures at Booz Allen Hamilton and lead on a recent report about vulnerabilities in ICS. She says that destructive ICS attacks are only going to get worse, and that while nation-states are the most significant threat to ICS right now, the majority of the risk moving forward will come from cybercriminals and malicious insiders.
The Cipher Brief: How are attack vectors changing for attacks on ICS, if at all? What does this mean for industry?
Angie Messer: Overall, ICS incidents are clearly on the rise. The number of incidents reported to U.S. authorities rose by 17 percent in fiscal year 2015. Spear-phishing has been the primary method of attack, with the number of spear-phishing attacks increasing by over 106 percent from 2014-2015. Based on our analysis, there are also new tactics such as SCADA access-as-a-service and ransomware. These are all likely to emerge and expand.
Specialized devices used in the operational technology (OT) environment are another potential vector. This is something I think industry should really watch. For example, hardware-based supply chain attacks can be conducted using ubiquitous devices such as USB drives or typical network infrastructure. Additionally, firmware updates that are in the ICS system also present an effective supply-chain attack vector.
TCB: It seems like developments such as the expansion of ransomware and the creation of the Censys tool have vastly expanded the scope of the threat landscape for ICS. How do you see the threat landscape for ICS changing moving forward? What factors are having the greatest impact on this?
AM: Nation-state actors have been, and probably will continue to be, the greatest threat to ICS operators. However, cyber-criminals and insiders are likely to drive the majority of risk for ICS operators going forward, particularly in 2016 and 2017.
In 2015, several developments indicated that threat actors with, quite frankly, very limited expertise or resources – such as hacktivists – now have more tools at their disposal to identify targets with known vulnerabilities and conduct purposeful attacks once they have gained network access. Supply-chain attacks also represent a consistent and particularly dangerous threat to ICS operators. In addition to this, the ransomware motivated by an economic benefit is on the rise, because the cybercriminals are finding ways to make it a business.
TCB: You just mentioned the energy and water sectors, and in your report you said those seem to be the main targets for nation-state actors. How would you characterize the threat from nation states, and what might be motivating them? How may their targeting priorities in regard to ICS change in the future, if at all?
AM: Different nation-state actors have different objectives, but it is clear that nation-states are and will continue to be the single most significant threat to ICS operators. Let’s walk through a couple of these nation-state actors:
Russia has conducted the most destructive ICS attacks, but Russian targets have been contained more to their western periphery – for example, the Ukrainian power grid outage. Russia will continue to access ICS, though in the U.S. they are not likely to be damaging since that is not their intention.
North Korea, however, represents a threat of destructive attacks against the U.S. North Korea has demonstrated a willingness to conduct these destructive attacks against business critical IT systems, which raises the probability that it would similarly attempt to disrupt U.S. ICS if given the opportunity.
China is the most likely to target U.S. ICS but is unlikely to use their access to cause damage in the near term. China will likely continue to seek persistent access to U.S. ICS networks to do what they’ve been doing on other networks: conduct intellectual property theft and cyber espionage.
Iran is also likely to continue to back cyber-espionage operations against ICS networks in the U.S. But Iran is not likely to conduct destructive attacks given how minimal their access is and, quite frankly, how significant the economic and military repercussions that would come with that kind of attack would be.
That’s kind of a profile of the nation-states that we’ve seen and what their motivations are.
TCB: Your report highlights two incidents that seem particularly alarming: one in which an attack on a pharmaceutical company resulted in defective medication and another that caused a collision with a semi-submersible oil rig. Is this type of attack, wherein the outcome of the cyberattack is physical damage to people or infrastructure, becoming more common – and if so, why? What motivates this type of attack, and what can be done to mitigate them?
AM: Unfortunately, these attacks are becoming more common. The number of incidents reported to U.S. authorities rose by 20 percent in fiscal year 2015, with 295 reported incidents. 2015 had the most reported incidents to date, and we see that trend now continuing. The systems and devices that drive our economy are no longer insulated from the outside world, because they are more often than not now connected to each other and to us via internet connections.
Those that are in charge of security have an unprecedented number of unlocked doors and windows to really keep an eye on – more than have ever been conceived and more than we can monitor without the help of advanced detection software, automation, and new technology solutions. But in addition to the vulnerabilities being detected, there is the sheer number of new endpoints that these technologies are introducing.
Additionally, physically destructive attacks are definitely conceivable and indeed much more common, because hackers have become extraordinarily more skilled at working in the system unnoticed. For hackers, time is a luxury because time allows them more flexibility and creativity in both collecting information and attacking a target – which is why detection is so critical.
For those charged, though, with protecting critical infrastructure, this means focusing on detecting intrusions in almost near real time and mitigating immediately rather than trying to prevent attacks from happening at all. It’s just a matter of how accurately, how fast, and how optimally we can actually take action.
Operators also need to understand the regions in which they operate, and they have to make predictions. You really do need to think about, not just the response, but about who and what and why someone would attack your ICS in order to start implementing the right precautions that make that OT environment effective, efficient, and, most importantly, safe.
TCB: Is there anything else you would like to add about threats to ICS?
AM: This is not something that is way in the future. Operators and businesspeople need to be aware that these threats are here today, they’re only going to get worse, and we have to make sure that folks are aware of them. That’s really what the intention of our report is: to create more awareness, to be ready, to be prepared so they’re not caught off guard.