Next year will present new and increasing industrial cyber security challenges for facilities operators. However, there is also good news: new developments will help minimize those threats.
On the bad front, expect more sophisticated ransomware; increased threats due to the Industrial Internet of Things (IIoT); and a serious lack of cyber security skills. For ugly, think ‘red button’ incidents.
However, good trends will continue to create greater security awareness and better solutions.
New Ransomware Will Focus on Industrial Control Systems
In 2017, ransomware variants such as WannaCry, NotPetya and Bad Rabbit created serious disruptions in all industries. This trend will likely continue in 2018, highlighted by the introduction of a new type of ransomware specifically designed to attack industrial networks.
I base this prediction on work done last year by the Georgia Institute of Technology. The researchers designed LogicLocker, a cross-vendor ransomware worm that can hit automation controllers. It bypasses the devices’ “weak authentication mechanisms”, locks out legitimate users, and plants a logic bomb to “dangerously operate physical outputs”.
IIoT Will Pose Greater Security Challenges
The pressure to modernize, increase productivity, and boost operational efficiency is driving the adoption of connected technologies, notably IIoT. However, better connectivity has erased the traditional air gap that protected the industrial network from the IT network. Many IIoT technologies lack protections to ensure devices cannot be exploited by hackers. As a result, these devices might expose industrial control systems (ICS) to a wide array of cyber threats and exploitation attempts.
Lack of Skilled Industrial Cyber Security Professionals Will Deepen
The lack of skilled ICS cyber security professionals is a well-documented problem. 2018 will be no exception.
While most organizations are fully aware of the need to secure and protect their ICS networks, they struggle to define their ICS cyber security strategies and place skilled professionals in key roles.
The successful deployment of industrial cyber security projects relies on combining talent and resources from both IT and OT. To make these projects succeed, business-level oversight and leadership are vital.
The Possibility of a ‘Red Button’ Incident
The turbulent relationship between the United States and North Korea has gripped the attention of millions of people around the world. The rhetoric has escalated to a very scary pitch, with each side threatening the other with lethal force.
While much of the media focus has been on North Korea’s development and testing of nuclear weapons, little attention has been paid to the country’s development of a cyber army.
Another major player in these dark arts is Russia, which attacked Ukraine’s power grid in 2015, cutting off electricity to nearly a quarter of a million people. Security experts believe Russia was using Ukraine as a testing ground to develop techniques that could be used to launch cyber attacks against other nations.
In 2017, UK Prime Minister Theresa May accused Russia of attacking Britain’s national grid and telecom companies.
Such scenarios could lead to state-sponsored adversaries creating a ‘Red Button’ capability, whereby they infiltrate an industrial network and silently install malware that is capable of shutting down processes and critical infrastructures with the push of a button.
Greater Awareness of OT Security Gaps
In 2017, there was an uptick in organizations implementing ICS security solutions and integrating them with existing tools such as Security Information and Event Management (SIEM) systems and incident management systems.
In 2018, this trend will likely continue given that ICS networks are generating more and more security alerts, which expose to both IT and executive management the security gaps they need to address.
Building Automation Will Show Up on Security Radars
For years, cyber security for corporate buildings was not a concern even though they house data centers and key services. This lack of interest is changing rapidly, as organizations become more aware of the threats posed to their building management systems (BMS) and building automation systems (BAS).
BMS/BAS control a wide range of functions and services, including HVAC, lighting, water and wastewater management, fire suppression systems, closed-circuit television (CCTV), and access control. Typically, BMS/BAS are not connected to the corporate network and lack basic security.
More Implementation of Cyber Security Frameworks
While not always required by law, industrial security frameworks have been gaining popularity over the past few years. We expect this trend to continue in 2018 as organizations seek optimal ways to gain visibility into industrial network activity.
Among the most important frameworks are the NIST Cybersecurity Framework and the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards.
More Secure ICS Devices
Next year, we expect ICS technology vendors to roll out a new breed of products that will support encryption and other embedded security controls.
While integrated protection capabilities should improve security, the reality is that most organizations will take years to replace all their legacy technologies. Even then, the best approach will remain deploying a defense-in-depth strategy that addresses internal and external security threats to all critical devices.