Time to mature critical infrastructure defenses

Cristina De Luca

February 04, 2022

In recent years, IoT devices have become a common entry point to the entire network and are often overlooked in comparison to widely deployed IT platforms and operating systems. IoT devices regularly run simplified operating systems with security features removed due to power and cost constraints. While OT systems such as SCADA and ICS equipment could rely on gaps between Wi-Fi, the Internet, and the larger IT cloud network, this is no longer the case. Security defenses need to be strengthened accordingly.

Strengthening cyber defenses in OT and IoT environments requires a multi-faceted approach that often includes complementary technologies, well-defined oversight and processes, and necessary security hygiene. Too often, overstretched security teams allow human error to compromise even the most advanced defenses through weak passwords, misconfigured networks and devices, or social engineering. Many ransomware attacks begin with a naïve user clicking a malicious email link on a well-defended network.

Network segmentation is another key component of a cyber defense strategy designed to prevent the spread of malware to critical applications and OT processes. Several technologies are useful for segmenting networks, such as VLANs and firewalls, depending on the environment and policy requirements. In OT networks, the Purdue Model is a way to create network zones that align with process elements and system functions. However, we often find organizations with completely flat networks (minimal segmentation), where easily compromised systems share the network with mission-critical applications and processes, with little or no isolation between them.
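As an added illustration (not part of the original article or of any Nozomi tooling), the sketch below checks a constructed asset inventory and constructed flow records for the two conditions described above: subnets that mix Purdue levels (a flat network) and traffic that skips zones. The level assignments, addresses, and the "adjacent levels only" policy are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory: asset IP -> assumed Purdue level
# (1 control, 2 supervisory, 3 site operations, 4 enterprise IT).
INVENTORY = {
    "10.0.1.10": 1,  # PLC
    "10.0.1.20": 2,  # HMI
    "10.0.3.5": 3,   # historian
    "10.0.4.7": 4,   # office workstation
    "10.0.1.99": 4,  # office laptop sitting on the control subnet
}

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.0.1.20", "10.0.1.10", 502),  # HMI -> PLC, adjacent levels
    ("10.0.3.5", "10.0.1.20", 4840),  # historian -> HMI, adjacent levels
    ("10.0.4.7", "10.0.1.10", 502),   # workstation -> PLC, skips two zones
    ("10.0.9.9", "10.0.1.10", 502),   # source missing from the inventory
]

def flat_subnets(inventory, prefix=24, max_span=1):
    """Return subnets whose assets span more than max_span Purdue levels."""
    levels = defaultdict(set)
    for ip, level in inventory.items():
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        levels[str(net)].add(level)
    return {net: sorted(lv) for net, lv in levels.items()
            if max(lv) - min(lv) > max_span}

def zone_violations(flows, inventory, max_hop=1):
    """Flag flows that cross more than max_hop levels or involve unknown assets."""
    findings = []
    for src, dst, port in flows:
        s, d = inventory.get(src), inventory.get(dst)
        if s is None or d is None:
            findings.append((src, dst, port, "asset not in inventory"))
        elif abs(s - d) > max_hop:
            findings.append((src, dst, port, f"level {s} -> level {d}"))
    return findings

if __name__ == "__main__":
    print("Flat subnets:", flat_subnets(INVENTORY))
    for finding in zone_violations(FLOWS, INVENTORY):
        print("Zone violation:", finding)
```

Flows that involve an address absent from the inventory are reported separately, because a level-based policy cannot be evaluated for assets nobody has classified.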

Although these strategies are well known, supply chain attacks continue to disrupt thousands of organizations, depending on how widely a common software component is used and how easily a vulnerability can be exploited. 

The first widely publicized attack on the supply chain occurred more than a year ago when a SolarWinds vulnerability compromised dozens of critical network operations across industries and the federal government. Since then, we’ve seen more attention in this area, along with growing concerns and real vulnerabilities and exploits in open source code.

When vulnerabilities are announced in open source software, which can be used by many applications, the damage can be as extensive or more extensive than single-vendor software. It depends on how widely used the library component is. 

Such was the case with the December disclosure of the Log4Shell vulnerability. Log4Shell was found in the Apache Log4j (pronounced log-forge) open-source logging library, widely used in commercial applications and large online platforms. Due to the simplicity of this exploit, attackers were able to launch attacks quickly ahead of patching and remediation efforts around the world. One of the largest ransomware groups was able to use the exploit within a week, executing an attack against VMware vCenter deployments.

Nozomi Networks Labs’ latest OT/IoT security report investigates cyber attack trends, vulnerabilities and countermeasures from occurrences in the second half of 2022.

According to the study, there was a 21% increase in the number of vulnerabilities reported, compared to the first half of 2021, reaching a total of 651 CVEs. But there was a reduction in the number of suppliers and products affected by them, compared with the second half of 2020.

In 2022 attacks are expected to move into Europe and elsewhere as threat actors move to easier targets in countries where there is less threat of government retaliation. While we will continue to see large multi-million dollar ransom rewards, there will likely be a higher volume of smaller rewards using various extortion tactics as threat actors find ways to increase the likelihood of a payout while remaining under the public radar. Nozomi Networks analysts also expect to see breaches of smaller ICS targets, including those in the food industry, as they have smaller security budgets but face the same challenges as larger ICS installations.

The expectation is that while threat actors will continue to evolve their tactics, victims will also change their responses. Governments and private companies will likely take more offensive actions as more organizations fight back. Law enforcement will strengthen their efforts to recover bitcoin and increase rewards for information leading to the arrest of cybercriminals. On the private side, expect to see more organizations taking matters into their own hands, hiring cyber detectives and white hat hackers to find and take down cyber invaders.

While there is no doubt that cyber threats will continue to grow and evolve, analysts are betting on the actions of defenders maturing. 

“The threat scenarios we’ve discussed for years – and even those we haven’t – have become real. At the same time, IT and OT organizations have continued to come together and grow stronger. So has their perspective and approach to cybersecurity. Today, industrial and critical infrastructure cybersecurity is a top priority that, in more and more cases, is demanding – and receiving – the resources necessary for success,” argues Edgard Capdevielle, CEO of Nozomi Networks. 

Another Nozomi study revealed that most organizations are finally taking the necessary steps to mature their security postures by improving their monitoring and threat intelligence capabilities.

What do ICS operators need to focus on?

While most organizations have monitoring programs in place, this second study found that they are still looking primarily at the IT aspects of their OT environments. They also need to correlate their OT cybersecurity and telemetry data, as well as process data, to really understand the potential impacts on security and operations. There is also a need to focus on the fundamentals. Many participants in this study did not have a formal asset identification and inventory program. Without this fundamental step, other security investments may be invalid, misplaced, or above or below what is really needed.