ICS Security in 2022: What’s Next? Part 2

Sapien Cyber is an Australian sovereign company that is invested in keeping the Australian cybersecurity community in the loop. In this second of three articles rounding up some of the key insights on the current state of Industrial Control System (ICS) security in 2022 and beyond, we will further discuss current trends in the threats to ICS and critical infrastructure. We will also look at how organisations are investing their resources in industrial security uplift to combat the growing tide of ICS attacks.

Excuse Me, Is This Your Thumb Drive?

Those familiar with Operational Technology (OT) security and the concept of air-gapped systems may recall the Stuxnet incident of 2010, often regarded as the first modern example of a major attack against ICS. In that incident, the Stuxnet malware was introduced via removable media (specifically USB memory sticks) to infiltrate an air-gapped target that was not otherwise connected to the outside world. With the increasing tendency for modern ICS systems to have several points of connectivity for remote access, you may think that the use of removable media as an attack vector is an antiquated footnote in cybersecurity history. But you would be wrong.

Some readers may be surprised to find that 36.7% of respondents to the recent SANS ICS/OT Cybersecurity survey for 2022 pointed to threats through removable media as the second most significant threat vector of concern. The bigger surprise, however, comes from another 2022 survey of ICS operators, who reported removable media as the second most common vector in actual attacks in the last year.

According to Honeywell, in 2022 up to 52% of threats to ICS environments have been specifically designed to exploit removable media, up from the 19% reported in 2020. Honeywell’s Industrial Cybersecurity USB Threat Report 2022, based on malware detected and blocked by Honeywell technology, found that Trojan malware was the dominant threat, comprising 76% of the removable media malware detected. Remote access and control malware comprised 51% of threats, indicating that threat actors are increasingly targeting USB removable media as an initial attack vector.

This represents an evolution in the use of removable media to attack ICS environments. The goal is no longer to infect air-gapped systems, but to circumvent network security more easily and gain direct access deep within the ICS environment. This modern twist on the threat vector has the potential to allow attackers to establish remote connectivity and download malicious payloads, exfiltrate data, or establish command and control. The dramatic increase in the use of USB-based Trojan malware in the last two years suggests that removable media may be a significant issue into 2023 and beyond. The use of this attack vector to target ICS by circumventing well-established network defences should be high on the radar of ICS security practitioners. With adversaries becoming increasingly inventive in their attempts to infiltrate and exploit ICS environments, investment in ICS security is projected to rise significantly, from USD 16.7 billion in 2022 to USD 23.7 billion by 2027. The question is, how are organisations performing so far in their security uplift goals?
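Because removable media bypasses the network perimeter entirely, the detection opportunity sits on the host itself: the moment a mass-storage device enumerates on an ICS workstation or HMI. The following is an added example, not code from the article or from Sapien Cyber, showing how a defender can parse Linux kernel log lines (the `journalctl -k` format emitted by the USB core and the usb-storage driver) and raise a finding whenever a mass-storage device whose serial number is not on an approved allowlist is plugged in. The log lines, hostname, serial numbers and allowlist are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample of kernel log lines as journald shows them.  Two devices
# share USB port 1-1 at different times: an unknown SanDisk-style stick in the
# morning and an approved engineering transfer drive later.  The device on
# port 1-2 is a keyboard and never becomes mass storage.
SAMPLE_KERNEL_LOG = """\
Mar 02 08:14:01 hmi-01 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Mar 02 08:14:01 hmi-01 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Mar 02 08:14:01 hmi-01 kernel: usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Mar 02 08:14:01 hmi-01 kernel: usb 1-1: SerialNumber: 4C530001230507112345
Mar 02 08:14:01 hmi-01 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Mar 02 09:02:17 hmi-01 kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
Mar 02 09:02:17 hmi-01 kernel: input: Logitech USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/input/input5
Mar 02 11:40:55 hmi-01 kernel: usb 1-1: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
Mar 02 11:40:55 hmi-01 kernel: usb 1-1: SerialNumber: ENGINEERING-USB-07
Mar 02 11:40:55 hmi-01 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
"""

# Constructed allowlist: serial numbers of drives approved for this HMI.
ALLOWED_SERIALS: Set[str] = {"ENGINEERING-USB-07"}

TIMESTAMP = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ")
NEW_DEVICE = re.compile(
    r"kernel: usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
SERIAL = re.compile(r"kernel: usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")
MASS_STORAGE = re.compile(
    r"kernel: usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)


@dataclass
class Finding:
    timestamp: str
    host: str
    port: str
    vendor_id: str
    product_id: str
    serial: Optional[str]
    authorised: bool


def find_mass_storage_events(log_text: str, allowed_serials: Set[str]) -> List[Finding]:
    """Correlate per-port enumeration lines and report every mass-storage attach."""
    # Partial device records keyed by USB port; a port is reset whenever a new
    # device enumerates on it, so re-used ports do not inherit stale serials.
    pending: Dict[str, Dict[str, Optional[str]]] = {}
    findings: List[Finding] = []
    for line in log_text.splitlines():
        ts = TIMESTAMP.match(line)
        m = NEW_DEVICE.search(line)
        if m:
            pending[m["port"]] = {"vid": m["vid"], "pid": m["pid"], "serial": None}
            continue
        m = SERIAL.search(line)
        if m and m["port"] in pending:
            pending[m["port"]]["serial"] = m["serial"]
            continue
        m = MASS_STORAGE.search(line)
        if m:
            dev = pending.get(m["port"], {"vid": "?", "pid": "?", "serial": None})
            serial = dev["serial"]
            findings.append(Finding(
                timestamp=ts["ts"] if ts else "?",
                host=ts["host"] if ts else "?",
                port=m["port"],
                vendor_id=dev["vid"] or "?",
                product_id=dev["pid"] or "?",
                serial=serial,
                # A device with no readable serial can never be on the allowlist.
                authorised=serial is not None and serial in allowed_serials,
            ))
    return findings


def unauthorised_events(log_text: str, allowed_serials: Set[str]) -> List[Finding]:
    """Only the attaches a SOC analyst needs to look at."""
    return [f for f in find_mass_storage_events(log_text, allowed_serials) if not f.authorised]


if __name__ == "__main__":
    for f in find_mass_storage_events(SAMPLE_KERNEL_LOG, ALLOWED_SERIALS):
        status = "allowed" if f.authorised else "ALERT unauthorised removable storage"
        print(f"{f.timestamp} {f.host} port {f.port} vid={f.vendor_id} pid={f.product_id} "
              f"serial={f.serial}: {status}")
```

Running the script flags the 08:14 attach on port 1-1 and passes the 11:40 attach of the approved drive; the keyboard on port 1-2 produces no finding because no usb-storage line ever appears for it. The same correlation applies to a live `journalctl -k -f` feed, and the serial allowlist is the piece that distinguishes sanctioned engineering transfers from an unknown stick.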

We’re Going to Need a Bigger Boat

With attacks against critical infrastructure increasing at phenomenal rates in the past year, it is unsurprising that 96% of respondents to one recent ICS survey expressed a need to invest more in their OT security. While 72% reported that their organisations are in the process of completing security uplift projects, less than a third reported them as completed.

Larger organisations with more than 5,000 employees (and presumably greater resources) were more likely to have already completed their industrial security uplift projects, whereas the majority of smaller companies reported that they were continuing to work toward their security uplift goals. When these findings are paired with the results of the SANS survey, the barriers to ICS security uplift become clear.

The SANS respondents revealed that their biggest ICS security challenges are rooted in the fact that many organisations have great difficulty integrating legacy and aging OT with modern IT systems. Because most security technologies are designed for IT environments, they are ill-suited or even disruptive to the OT environment. There also continues to be a general lack of understanding among many IT staff of OT operational requirements, as well as a general lack of available labour to implement security plans, where such plans exist at all.

Significant Barriers in a Time of Great Need

In their survey, SANS found that one of the key barriers organisations faced in implementing an appropriate industrial security solution was the lack of solution scalability to meet the challenges of a distributed environment. Additionally, the level of security coverage provided by the solution and the associated requirement to employ more than one vendor was also reported as a significant obstacle. Legacy infrastructure, cost, lack of expertise, and long project timelines also proved to be significant barriers to implementing appropriate security measures.

There is no easy answer to these barriers and no fix-all solution that will swiftly provide the levels of security coverage required in the modern threat environment. However, evolving security plans that maintain focus on current threat vectors, together with effective communication of the risk to the executive suite, are key. In addition, outsourcing tasks to external security specialists where skills, tools, and resources are lacking in-house is a strategy that will pay dividends: 76% of organisations that have completed all or some of their industrial security uplift have consulted external security specialists for assistance in deploying solutions. The proof of the pudding is that these organisations were also less likely to have experienced an impactful security incident in the last year.

One Size Does Not Need to Fit All

The body of knowledge concerning IT security is mature and well established, but it cannot be transplanted wholesale into ICS security, either in strategies or in technologies. While many ICS practitioners understand this, many IT professionals do not, often creating a rift and a sense of distrust between enterprise IT security and OT security. Misapplying IT strategies and solutions to the OT environment can have impacts ranging from the problematic to the devastating. Yet effectively communicating this understanding to IT security practitioners continues to be a barrier to success for many organisations.

Change in this area will require businesses to invest in appropriate training and education of key staff on OT security. Businesses also need to realise that, although there are key differences between the environments, a converged technical view of threat indicators from both the IT and OT environments is possible. Creating a complete network view of threat indicators allows threats to be tracked and mitigated in an overarching and holistic way. Although a growing number of organisations recognise the need and indicate their intention to invest more in their OT security, it is the investment of money and manpower in the right areas that will be key to an organisation’s success in OT security uplift.

Many businesses fail to realise that security uplift is an ongoing process. It is a process that needs to change continually in response to a changing threat environment, and the modern threat environment for both IT and OT is changing more rapidly than ever before. Organisations need to stop treating security uplift as a project that, once done, will solve all security issues for the foreseeable future. Any industrial security uplift that can be achieved should be targeted at the greatest risks and vulnerabilities a company faces.

Organisations intending to invest in their ICS security beyond 2022 would do well to remember that small, targeted incremental changes can have a big impact. The evolving nature of the threat environment demands a flexible and agile security response. Measured progress that keeps pace with the continually changing tactics and techniques of an ever-evolving adversary is progress that will adapt and thrive in a world of increasing risks.