ICS Security in 2022: What’s Next? Part 3

This is the third and final article in Sapien Cyber’s roundup of the current state of Industrial Control System (ICS) security in 2022 and what we might expect for the future. In this article, we will cover the growing use of ransomware-as-a-service against industrial and critical infrastructure targets, the trends in ICS patch management, and what can be expected of Zero Trust Security Architecture for industrial security.

You Might Need to See Someone About That RaaS

According to the Australian Cyber Security Centre’s (ACSC) Annual Threat Report, there were 95 cyber security incidents affecting Australia’s critical infrastructure in the 2021-2022 financial year. This equates to roughly 8% of the incidents that the ACSC responded to. Since the infamous Colonial Pipeline ransomware attack in the United States in May 2021, there has been increased use of ransomware-as-a-service (RaaS) to attack critical infrastructure sectors, with several Australian organisations falling victim. According to IBM’s Cost of a Data Breach 2022 report, 12% of critical infrastructure breaches globally were ransomware attacks.

According to TrendMicro, the use of RaaS grew by 63.2% in the first quarter of 2022 compared with the first quarter of 2021, a trend that has held steady for the remainder of 2022. The cost of ransomware and other attacks on critical infrastructure industries was also considerably higher than the average data breach globally in 2022, with a difference of almost 23%. The ACSC Annual Threat Report points to the RaaS known as Blackcat (also referred to as ALPHV or Noberus) as a particularly prevalent threat, noting the use of the service to target critical infrastructure, finance, construction, and even local government. As a trend, this seems likely to continue for all sectors. It may be inferred that critical infrastructure, and by extension ICS networks, are being specifically targeted. However, the increase of ransomware in these sectors may also be a consequence of the ever more user-friendly nature of RaaS. In practice, the difference may be splitting hairs.

We Can Patch That For You

In security 101, you may recall that reducing the attack surface of a network limits the opportunities that attackers can leverage. Patch management refers to applying software updates, especially those that remove exploitable security vulnerabilities. Unfortunately, due to the risks to mission-critical assets, ICS vulnerability patching is often performed in reaction to an incident, rather than as a proactive measure for the prevention of attacks.

According to the US Cybersecurity and Infrastructure Security Agency (CISA), industrial control system patch management is inconsistent at best and non-existent at worst. The 2022 SANS ICS/OT Cybersecurity survey found that security patching in ICS environments occurs on average every 1.25 months. More interesting is that around two-thirds of ICS operators rely on third-party providers or device manufacturers to perform patching.

In IT environments, the risks associated with patching are more tolerable than in ICS networks. For example, an email server going offline for a few hours may be inconvenient but would not usually be considered a critical issue. However, ICS environments house mission-critical infrastructure where downtime can severely impact productivity and costs can quickly run into millions of dollars. As we have seen, ICS owners and operators are increasingly managing the risks associated with ICS patching by employing experienced third-party providers, and this outsourcing appears to be bearing fruit. According to the 2022 SANS ICS/OT Cybersecurity survey, organisations that employed a third party to handle patching had a significantly lower incidence of security events that resulted in complete shutdown compared with organisations that opted to manage updates internally as a manual process. More efficient and effective patch management is not the only thing that is changing in ICS security, however. The inevitable shift to remote work has led to increased productivity, but also to a scramble for new approaches to security. Can ICS security be dragged, kicking and screaming, to embrace ZTNA?

ZTNA: Buzzword or Paradigm Shift?

One of the more alarming results of the 2022 SANS ICS/OT Cybersecurity survey was the finding that only 18% of companies restrict network access and enforce Multi-Factor Authentication for remote access into OT networks. Additionally, over half (57%) of respondents reported that external users who have full network access are able to apply configuration changes and updates, enough to keep even the most stoic supervisor up at night.

The uptake of more secure models for remote work, such as Zero Trust Network Access (ZTNA), is slow in the OT space, and this tardiness is costing critical infrastructure organisations. IBM reports that in 2022, critical infrastructure organisations that had not yet adopted ZTNA suffered almost 25% more breaches and incurred almost 25% more in data breach costs than organisations who had. However, the report does not make clear if these breaches were of enterprise or industrial systems.

Critical infrastructure industries also have a much lower prevalence of zero trust security approaches than the global average, and the majority allow external users full network access to OT environments, a situation which is inarguably problematic. The reality is, however, that Zero Trust Network Access (ZTNA) is fast becoming the preferred method to provide secure remote access, with 41% of organisations in 2022 reporting having deployed ZTNA, up from the 39% reported in 2021.

ZTNA utilises granular permissions that are based on user ID, device ID and type, device health state, and geographic location. Unlike traditional authentication methods, ZTNA does not authenticate once and then grant access for the life of a session; authentication is applied continuously, based on a range of variables, with permissions being continually re-verified. Let us be cautious here, however. It is always prudent in cybersecurity to examine the latest trends and buzzwords with a modicum of suspicion.
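To make the per-request, continuously re-verified model concrete, here is a small policy decision point in Python. It is an added example, not code from this article or from Sapien Cyber. Every user, device, OT resource, permitted country and the re-verification interval is constructed for illustration, and the device health signal is assumed to come from an endpoint agent; the point it shows is that each request is checked against all of the signals named above, and that a session that passed earlier is torn down the moment a later posture snapshot fails.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed directory: which users may do what on which OT resource.
# "view" is read-only HMI/historian access; "configure" pushes changes to a device.
USER_ROLES = {
    "alice": "ot-engineer",
    "bob": "vendor-support",
}
ROLE_PERMISSIONS = {
    "ot-engineer": {"plc-line3": {"view", "configure"}, "historian": {"view"}},
    "vendor-support": {"plc-line3": {"view"}},
}
# Constructed device inventory: only registered devices of the recorded type may reach OT.
REGISTERED_DEVICES = {
    "lt-0042": "managed-laptop",
    "ph-0101": "byod-phone",
}
ALLOWED_COUNTRIES = {"AU"}            # constructed geofence
REVERIFY_AFTER_SECONDS = 600          # constructed: posture must be re-checked every 10 min
CONFIGURE_DEVICE_TYPES = {"managed-laptop"}  # configuration changes only from managed endpoints


@dataclass(frozen=True)
class Context:
    """One snapshot of the signals a ZTNA broker evaluates for a single request."""
    user_id: str
    mfa_verified: bool
    device_id: str
    device_type: str
    device_healthy: bool        # assumed to come from an endpoint posture agent
    country: str                # coarse geolocation of the connection
    resource: str               # OT resource requested, e.g. "plc-line3"
    action: str                 # "view" or "configure"
    seconds_since_verify: int   # time since the session's signals were last confirmed


def decide(ctx: Context) -> Tuple[bool, str]:
    """Evaluate one request against every signal; the first failing check denies."""
    if not ctx.mfa_verified:
        return False, "mfa-required"
    if REGISTERED_DEVICES.get(ctx.device_id) != ctx.device_type:
        return False, "unknown-device"
    if not ctx.device_healthy:
        return False, "device-posture-failed"
    if ctx.country not in ALLOWED_COUNTRIES:
        return False, "location-not-permitted"
    if ctx.seconds_since_verify > REVERIFY_AFTER_SECONDS:
        return False, "reverification-expired"
    role = USER_ROLES.get(ctx.user_id)
    permitted = ROLE_PERMISSIONS.get(role, {}).get(ctx.resource, set())
    if ctx.action not in permitted:
        return False, "action-not-permitted"
    if ctx.action == "configure" and ctx.device_type not in CONFIGURE_DEVICE_TYPES:
        return False, "configure-requires-managed-device"
    return True, "allow"


def enforce_session(snapshots: List[Context]) -> List[str]:
    """Continuous verification: re-run the decision on each posture snapshot of an
    ongoing session. Once any snapshot is denied the session is torn down and every
    later snapshot is reported as 'session-revoked', even if its own signals look fine."""
    outcomes = []
    revoked = False
    for snap in snapshots:
        if revoked:
            outcomes.append("session-revoked")
            continue
        ok, reason = decide(snap)
        outcomes.append(reason)
        if not ok:
            revoked = True
    return outcomes


if __name__ == "__main__":
    # Constructed session: an engineer on a managed laptop whose device posture
    # degrades mid-session (e.g. the endpoint agent reports a failed health check).
    base = dict(user_id="alice", mfa_verified=True, device_id="lt-0042",
                device_type="managed-laptop", country="AU", resource="plc-line3")
    session = [
        Context(**base, device_healthy=True, action="view", seconds_since_verify=5),
        Context(**base, device_healthy=True, action="configure", seconds_since_verify=120),
        Context(**base, device_healthy=False, action="view", seconds_since_verify=300),
        Context(**base, device_healthy=True, action="view", seconds_since_verify=310),
    ]
    for snap, outcome in zip(session, enforce_session(session)):
        print(f"{snap.action:>9} at t+{snap.seconds_since_verify:<4}s -> {outcome}")
```

The ordering of checks is deliberate: identity, device and posture are settled before the request is even compared with the role's permissions, so a stale or unhealthy session is denied regardless of what the user is entitled to, which is the "mistrust the packets, not the people" stance discussed later in the article.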

Trust The People, Not the Packets

Like many other security paradigm shifts that have come with grand promises, ZTNA should be examined closely to understand what it really is and what it is not. This is particularly relevant to ICS practitioners who, on the whole, tend to be somewhat more risk-averse and sceptical than their IT counterparts in regard to industry marketing. Heath Mullins, senior analyst at Forrester, exemplified this healthy approach when he said that ZTNA is “the most abused and the most misunderstood term in security today.”

At its core, ZTNA preaches that “trust”, or more specifically, implicit trust as a feature of traditional network architecture, is problematic in the modern threat environment. In the ZTNA zeitgeist, the inherent risk is a user who can provide something they know, have, and (sometimes) are, and via those virtues, gain access to the castle. However, it is not really the users that are mistrusted; rather it is the impersonation of the user that is the fundamental risk. In this way, zero trust may be better thought of as a mistrust of the packets, rather than the people.

With a better understanding of what zero trust is, let us turn our attention to what zero trust is not. ZTNA is not a technology. There is no single piece of kit that can buy you zero trust. And it is certainly not a reflection of management’s regard for its employees. In exploring the appropriateness of ZTNA for any type of network, one must be cautious of vendors who may take liberties with the terminology. It is also prudent to recognise that a new and effective paradigm that has promise in an evolving threat landscape is not a new cloak which may be cast over everything that was previously effective.

John Kindervag, the creator of the Zero Trust Model of Cybersecurity, has eloquently put it in these words: “Digital trust and human trust are two separate things. Zero trust only applies to digital systems. People are not necessarily untrustworthy, but at the same time they are not packets. Zero trust only applies to the zeros and ones that traverse our various digital systems.”

ICS Has Trust Issues

Despite the advantages of ZTNA for modern OT network access, the uptake and deployment of the architecture in ICS has been very slow thus far. IBM’s Cost of a Data Breach 2022 report notes that 79% of critical infrastructure industries have not adopted Zero Trust security models, while SANS reports that only 1% of the OT space is currently using ZTNA for either internal or external users. There may be several reasons for this.

There are constraints that may make the deployment of ZTNA across an entire ICS network untenable. Much like many other IT principles and practices, ZTNA approaches that work in enterprise security simply do not translate to industrial security. For example, the very nature of many ICS devices, some of which do not even have basic authentication capabilities, makes securely verifying their identity impossible, while other ICS devices lack logging capabilities.

In addition to these issues, there are the usual suspects that prevent the timely deployment of security upgrades to ICS environments: downtime is expensive, and legacy systems have decades-long lifetimes, meaning any upgrade needs to be well considered and justified on the basis of risk. These complexities are likely to mean that the adoption of ZTNA in industrial security will be slow and largely driven by regulation rather than risk. However, despite being in its infancy for ICS networks, it seems likely that ZTNA will eventually become more widespread as confidence in its deployment in the OT space grows.

As the risk landscape continues to evolve over the next few years, we can, with some degree of confidence, understand what is motivating our adversaries and what methods are working for them. Armed with this knowledge, we can make tried and true practices that reduce attack surfaces more streamlined and effective. We can also examine the security practices of the IT community, learn what is effective, and understand how it can be leveraged to better secure ICS environments.