ICS Security in 2022: What’s Next? Part 1
As an Australian sovereign company, Sapien Cyber is interested in providing timely and valuable information to the cybersecurity community in Australia. We are providing a series of three articles to round up some of the key insights on the current state of Industrial Control System (ICS) security in 2022 and beyond. In this article, we discuss the current threat landscape and what we might expect in 2023.

Primary ICS Security Concerns are Shared Globally

Many Australian organisations utilising ICS as part of their core business functions share remarkably similar concerns about securing those ICS networks, regardless of their sector. A recent survey of 800 global participants from a range of industry verticals utilising Operational Technology (OT) has highlighted that the security challenges Australian industries are facing are globally ubiquitous. The threat landscape for ICS and OT operators has continued to grow in sophistication and frequency over the last year. This observation is a key finding of the Australian Cyber Security Centre’s (ACSC) Annual Cyber Threat Report released on November 4, 2022. The report shows that during 2021–22, the targeting of critical infrastructure networks globally occurred at phenomenal rates compared to what has been observed historically. Given the increasing connectivity of ICS environments to IT networks in modern organisations, it is unsurprising to find that 90% of Australian organisations utilising OT in their operations have experienced some form of security incident in the last 12 months. Many of these incidents have had significant impacts on these businesses. 46% indicate that a large number of devices over several locations were impacted by the attack they experienced, while 8% reported that their experience resulted in a complete shutdown of all devices and locations. On average, it took Australian organisations 1.87 days to recover from these attacks.
A Land War in Europe Results in Global Cyber Operations

The ACSC report notes that several Russia-aligned cybercrime groups, including those that have successfully targeted Australian critical infrastructure, have publicly threatened to conduct operations against Ukraine’s allies. Several recent high-profile attacks against Australian businesses by Russian-affiliated groups attest to the reality of this threat. In September 2022, cybercriminals suspected to be working on behalf of a state-sponsored operation attacked telecommunications provider Optus, impacting 9.8 million customers. In October 2022, insurance giant Medibank Private also suffered a major breach resulting in the loss of customer information, including medical procedures, of up to 1 million customers. The Australian Federal Police have confirmed that they believe a Russian hacking group was responsible. These two breaches alone have affected almost half of the Australian population. Although these high-profile attacks have impacted an incredible number of everyday Australians, the ACSC has also reported that cyber-attacks against Australia’s critical infrastructure are occurring at “phenomenal rates”. Russian military and cyber offensive tactics frequently target civilian populations, a frightening reality that critical infrastructure operators around the world need to keep in mind as the war in Ukraine continues into 2023.

A Blurring of Threat Sources

Although the uptick in the targeting of ICS and critical infrastructure cannot be entirely attributed to recent geostrategic instability, the results of the 2022 SANS ICS/OT report reveal that attack attribution and threat vectors are evolving away from traditional silos.
When participants of the SANS survey were asked which three threat vectors caused them the greatest concern, 40% cited ransomware, extortion, or other financially motivated crimes as number one, 38.8% cited nation state activity, 32.1% cited non-state and non-ransomware actors, and 30.4% cited risk from partnerships, including hardware and software supply chains or joint ventures. These findings indicate that security practitioners need to abandon the siloing of threat source types that was previously helpful; threat actors do not maintain such neat categories in the present day. The distinction between financially motivated groups, nation state activity, non-state/non-ransomware actors, and supply chain risk was once a lot clearer than it is today. The current escalating threat environment makes it increasingly difficult, if not impossible, to separate nation state actors from criminal cybercrime groups commissioned by hostile nation states for purposes of plausible deniability. This outsourcing of tasks to cybercrime groups with extensive experience allows nation states to leverage a “very particular set of skills” without investing significant resources, while reducing their risk exposure. This trend also allows cybercrime groups to act with relative impunity and provides them with a level of protection in their own countries to carry out their own profitable cybercrime operations. For example, nations such as Iran and China have been known to employ “contract hackers” such as Helix Kitten (APT34) and Double Dragon (APT41) to carry out offensive cyber-operations in addition to their cybercriminal day jobs.

It’s Not All Cloak-and-Dagger

The ACSC report quite correctly cautions against complacency in regard to other, less cloak-and-dagger attack vectors. When ICS and OT systems associated with critical infrastructure assets are targeted, even the most trivial exploits have the potential to result in a major impact.
The ACSC warns that this type of scenario is particularly dangerous if threat actors move laterally from “internet-facing devices on corporate networks to the operational networks of critical infrastructure providers”. This is a threat vector of increasing concern for modern ICS defenders, and one likely viewed as low-hanging fruit by the motivated attacker. ICS security practitioners often lack control and oversight of corporate IT security measures, while conversely, IT teams often do not grasp the full potential impact of IT breaches on ICS. As a result, ICS security professionals are echoing the ACSC’s concerns about IT as a serious threat vector into OT systems. The SANS survey participants ranked “compromise in IT allowing threats into the ICS/OT control networks” as the most significant threat vector, with 40.8% of responses. Another ICS survey asked OT operators who had experienced some form of breach in the last year which attack vectors were most commonly exploited. The largest category (42%) was “web application attacks”, mirroring the SANS severity ranking. It appears that security practitioners understand the risk associated with this vector, but that attackers are finding it one of the simplest and most successful routes into OT systems. This finding suggests that more work needs to be done in this area to ensure that IT and OT teams have a shared conception and view of integrated security that spans the entire organisation.

Different Roles But Shared Goals

Enterprise IT security and industrial OT security are very different. They have different missions, priorities, and methodologies. They have different systems, different protocols, and a myriad of technologies that are not comparable or compatible. This means that approaches to securing IT or OT networks and responding to security incidents are necessarily managed differently.
Although the convergence of IT and OT is now the norm, there is a tendency to focus on the benefits of merging business processes, insights and controls while IT and OT security remain siloed. The new threat landscape requires these two areas of security to pool their expertise, resources, and data and defend their common interests as part of an overall security strategy. In 2023 and beyond, organisations where OT and IT security are siloed and working independently will find themselves at greater risk of serious repercussions from both well-resourced nation states and motivated cybercriminals alike.
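One concrete place where pooled IT and OT data pays off is the IT-to-OT boundary the ACSC and the SANS respondents flag above. The following is an added illustration, not code from Sapien Cyber or from any of the reports cited: it runs a simple check over constructed firewall log lines and flags any corporate IT host reaching the OT control network on a well-known ICS protocol port, unless the session comes from the approved jump host. The subnets, the jump host address and the log format are assumptions for the example.

```python
import ipaddress
import re

# Assumed (constructed) network layout: a corporate IT range, an OT control
# network, and one approved jump host allowed to cross between them.
CORPORATE_IT = ipaddress.ip_network("10.10.0.0/16")
OT_CONTROL = ipaddress.ip_network("192.168.100.0/24")
APPROVED_JUMP_HOSTS = {ipaddress.ip_address("10.10.200.5")}

# Well-known ICS protocol ports. An ordinary IT host talking to these on the
# OT side is the "compromise in IT allowing threats into ICS/OT" pattern.
ICS_PORTS = {102: "S7comm/ISO-TSAP", 502: "Modbus/TCP", 4840: "OPC UA",
             20000: "DNP3", 44818: "EtherNet/IP"}

# Assumed key=value firewall log format for the example.
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) "
                    r"dport=(?P<dport>\d+) action=(?P<action>\w+)")

def parse_line(line):
    """Return (src, dst, dport, action) from one log line, or None if unparsable."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return (ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]),
            int(m["dport"]), m["action"])

def find_it_to_ot_crossings(lines):
    """Report IT->OT sessions not originating from an approved jump host.
    Denied sessions are kept (severity 'blocked'): repeated denials from one
    IT host are early evidence of lateral movement attempts worth triaging."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport, action = parsed
        if src not in CORPORATE_IT or dst not in OT_CONTROL:
            continue                      # not an IT->OT crossing
        if src in APPROVED_JUMP_HOSTS and action == "allow":
            continue                      # sanctioned path
        findings.append({"src": str(src), "dst": str(dst), "dport": dport,
                         "protocol": ICS_PORTS.get(dport, "other"),
                         "severity": "high" if action == "allow" else "blocked"})
    return findings

# Constructed sample firewall log lines (not real traffic).
SAMPLE_LOG = [
    "2022-11-20T03:12:09Z fw01 src=10.10.5.23 dst=192.168.100.12 dport=502 action=allow",
    "2022-11-20T03:12:11Z fw01 src=10.10.200.5 dst=192.168.100.12 dport=502 action=allow",
    "2022-11-20T03:13:40Z fw01 src=10.10.7.8 dst=192.168.100.30 dport=102 action=deny",
    "2022-11-20T03:14:02Z fw01 src=10.10.5.23 dst=10.10.9.1 dport=443 action=allow",
    "2022-11-20T03:15:55Z fw01 src=192.168.100.12 dst=192.168.100.13 dport=502 action=allow",
]
```

Run over the sample, only the unapproved IT host reaching Modbus/TCP and the denied S7comm attempt are reported; the jump host session, the IT-internal HTTPS session and the OT-internal Modbus session are ignored.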