The Radiflow Security Blog
The State of Industrial Cyber-Security in 2020 and Outlook for 2021
By Ilan Barda, CEO, Radiflow | December 22, 2020
Luckily, it’s almost over.
While the effects of the Covid-19 pandemic on industrial cybersecurity—including the need to quickly arrange for secure remote operation of production floors and industrial facilities worldwide, as well as the resetting of budgeting priorities due to the pandemic’s economic downturn effect—dominated the news, 2020 has seen its share of trends and incidents unrelated to the pandemic.
In this post I’d like to briefly review the state of industrial cyber-security in 2020 and try to extrapolate the trends and pain-points in 2021 and beyond.
(Or “Work from Home”, if you’ve been living under a rock this year)
Probably the nightmare of every industrial CISO this year, WFH required setting up various security tools and procedures for remote operation of industrial facilities. With no precedent to follow, industrial (SCADA/ICS) operators had to scramble to make tough decisions, from who can work from home to whom to purchase a business-dedicated laptop for (since private computers pose a myriad of security risks in and of themselves).
From the start of the pandemic, Radiflow’s security experts have assisted CISOs and asset owners in drafting best-practice recommendations for setting up remote access to automation networks. Most of the recommendations were common-sense steps that organizations should have taken regardless of WFH: IT-OT segmentation, multi-factor authentication (MFA) for VPNs, periodic reviews of access policies, and most importantly, gaining visibility into the OT network and into the risk facing the network.
Outlook for 2021: We’ve seen many tech companies commit to allowing WFH well into 2021; the jury’s still out on whether the trend will stick, and how it would apply to industrial operations.
The SolarWinds supply-chain attack
Just when we thought this year’s news couldn’t get any worse, the SolarWinds attack gave supply chain attacks (which are not new, but have never been used on such a scale) their day in the sun, leaving CISOs and owners of industrial operations wondering “Am I next?” (Answer: yes, if you don’t protect yourself).
The attack involved penetrating the SolarWinds network and infecting an official update version of the Orion IT network management software. As a result, over a period of several months, malware-weaponized Orion updates were downloaded around 18,000 times, thus infecting the customers’ internal networks. Once installed in the customer’s network, the malware was able to communicate with its external control by masquerading as SolarWinds’ own protocol and applying multiple detection-avoiding mechanisms, such as C&C servers located in the victim’s country.
Another aspect of the attack was that its perpetrators were allegedly nation-state sponsored (more on that below).
So what can you do? Supply-chain attacks manifest in often-slight changes to network behavior (e.g. a device detected communicating with an external IP address). Therefore, industrial networks need to be continuously monitored to detect any change in network patterns; risk assessments also need to be continuously updated to account for newly-published attack bulletins. All of this should be part of a structured backup and resilience plan.
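The monitoring described above, as an added illustration (not Radiflow's or any product's code): learn a baseline of which destinations and ports each OT host normally talks to, then flag live flows that deviate from it, ranking a previously unseen external destination above a new internal peer. The address ranges and flow records are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Assumed environment: the plant network is 10.10.0.0/16 and the IT/DMZ is
# 10.20.0.0/16; any other address is treated as external. All data is constructed.
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16"),
                 ipaddress.ip_network("10.20.0.0/16")]

BASELINE_FLOWS = [  # (src, dst, dst_port) observed during the learning period
    ("10.10.1.5", "10.10.1.10", 502),     # HMI -> PLC (Modbus/TCP)
    ("10.10.1.5", "10.10.2.20", 1433),    # HMI -> historian database
    ("10.10.2.20", "10.20.0.7", 443),     # historian -> management server in the DMZ
]
LIVE_FLOWS = [  # traffic seen after the baseline was learned
    ("10.10.1.5", "10.10.1.10", 502),     # matches baseline
    ("10.10.2.20", "10.20.0.7", 443),     # matches baseline
    ("10.10.2.20", "203.0.113.45", 443),  # historian reaching an external address
    ("10.10.1.10", "10.10.2.20", 20000),  # PLC initiating a connection it never made
]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def learn_baseline(flows):
    """Map each source host to the set of (dst, port) pairs it is known to use."""
    baseline = defaultdict(set)
    for src, dst, port in flows:
        baseline[src].add((dst, port))
    return baseline

def detect_anomalies(baseline, flows):
    """Return one alert per new (src, dst, port) triple not present in the baseline."""
    alerts, seen = [], set()
    for src, dst, port in flows:
        if (dst, port) in baseline.get(src, set()) or (src, dst, port) in seen:
            continue
        seen.add((src, dst, port))
        severity = "high" if not is_internal(dst) else "medium"
        reason = ("new external destination" if severity == "high"
                  else "new internal peer or port")
        alerts.append({"src": src, "dst": dst, "port": port,
                       "severity": severity, "reason": reason})
    return alerts

if __name__ == "__main__":
    for a in detect_anomalies(learn_baseline(BASELINE_FLOWS), LIVE_FLOWS):
        print(f"[{a['severity'].upper()}] {a['src']} -> {a['dst']}:{a['port']} ({a['reason']})")
```

In practice the baseline would be rebuilt from passive captures over a learning window and re-validated whenever a change is approved, so that legitimate new flows are added rather than silently ignored.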
Outlook for 2021: while the SolarWinds attack was allegedly perpetrated by nation-state sponsored hackers, it’s safe to say that unaffiliated actors will likely copycat this attack’s methods and TTPs, so that supply chain risk will increase, and any supply chain software (such as SolarWinds’ Orion) should be assumed to be compromised.
Ransomware attacks on industrial organizations
The June 2020 ransomware attack that halted Honda’s global operations may have made the headlines, but it is definitely part of a trend that started just a few years ago (Norsk-Hydro and many others).
As opposed to previous years’ malware attacks that attempted to take control over industrial machinery controllers, ransomware is all about the money; and as IT-intensive organizations (e.g. in the financial sector) got better at protecting their networks, hackers moved on to the less-protected OT sector, such as manufacturing and healthcare. In many cases the attacks used the decades-old methods of spearphishing and steganography (hiding code inside an image or file).
This year’s crop of ransomware includes both familiar names and newcomers, all bearing colorful names like LockerGoga, MegaCortex, Ryuk, Maze, and Snake/Ekans (the latter was used in the Honda incident).
The most important takeaway regarding ransomware in ICS/SCADA/OT (which undoubtedly will increase in both volume and sophistication) is that RANSOMWARE ATTACKS CAN BE AVOIDED. OT organizations need to redouble their efforts to increase employees’ cyber awareness, and backup and contingency plans for a ransomware incident need to be put in place. Furthermore, industrial enterprises have the option to use cloud-based (OT-MSSP) third-party monitoring to quickly and effectively ramp up their capabilities in this area (more on that below).
Outlook for 2021: Ransomware will become more OT-specific, and will target not only IT networks that may impact the production but also industrial devices directly.
OT cyberattacks funded or fully operated by nation states
Incidents of one nation cyber-attacking another’s critical infrastructure facilities have been on the rise. Notable cases include the SolarWinds attack (allegedly); multiple attacks on Azerbaijan’s renewable energy sector attributed to Russian actors; multiple attacks on Israel’s main water supply system attributed to Iranian-based hackers; and a (possibly retaliatory) attack that disabled an Iranian seaport. It should be noted that due to political sensitivities, we can assume that those attacks made public were just the tip of the iceberg.
My personal takeaway from these incidents has less to do with who perpetrated the attacks on behalf of whom than with my annoyance at the fact that so many countries’ national infrastructures are still grossly inadequately secured. I’ll reiterate: In many cases THESE COSTLY ATTACKS COULD HAVE BEEN AVOIDED, or at least their effects could have been minimized. The tools, expertise and procedures are readily available.
Outlook for 2021: this is just the appetizer course.
The rise of OT-MSSPs (Managed Security Service Providers)
For many industrial operators, setting up an in-house OT-dedicated cybersecurity system is both cost- and personnel-prohibitive, as expert security personnel are in high demand.
This is where cloud-based Managed Security Service Providers come in handy. By hiring an OT-MSSP, industrial operators can get a level of security and ongoing network activity monitoring that’s on par with that of IT networks; moreover, we’ve witnessed enterprises that preferred hiring an MSSP rather than dealing with network monitoring in-house.
Radiflow’s security framework was uniquely designed for OT-MSSP operation, with the CIARA risk assessment & management solution for monitoring network risk, as well as flexible deployment models for the iSID threat detection and monitoring platform. Radiflow has already teamed up with several MSSPs with its extensive solution suite, which has enabled them to roll out a wide range of OT services, from detection, monitoring and alerting to asset management, risk assessment and compliance planning, all based on need and regulations.
Outlook for 2021: Steady growth and increasing acceptance.
Adoption of OT network risk-based decision-making and governing standards (e.g. IEC62443)
Understanding OT network risk is a key factor in devising an effective cybersecurity plan. However, the complexity and the scale of modern, Industry 4.0 ICS networks render risk evaluation by traditional risk assessment procedures practically impossible. You simply can no longer “eyeball” risk.
Moreover, ad-hoc or annual risk reviews are no longer sufficient. Adequate protection requires continuous risk monitoring that instantly accounts for each and every change on the network, throughout the OT cybersecurity life-cycle.
For these reasons, OT organizations are warming up to the need for accurate risk assessments that inform the operator as to the efficacy of their security system vis-à-vis the risk the network faces. At the same time, governing standards (notably IEC 62443) have provided guidelines and a framework for risk management. The use of the well-defined IEC62443 guidelines is a welcomed development, as long as OT operators focus on using the standard as a guideline for network security, and not merely for achieving compliance.
Radiflow has taken risk assessment and management one step further by applying advanced machine learning algorithms toward calculating the interplay between thousands of data points covering each networked device’s specific threats and vulnerabilities, known threat actors in the sector and region, and other data from many more sources. Radiflow’s CIARA Business-Driven Industrial Risk Analytics platform provides a comprehensive mitigation roadmap (fully ISA/IEC 62443-compliant), prioritized by each mitigation control’s contribution to overall risk reduction, thus maximizing the impact of cybersecurity expenditure.
Outlook for 2021: expect growing awareness toward understanding network risk and the importance of accurate ongoing risk assessments as a first step toward devising a cyber threat-mitigation plan.
In a time riddled with anxieties and unknowns, one thing is for sure: cyber-threats to industrial organizations will continue to increase, in both volume and sophistication. We’ve reached a point where cyberattacks are not a question of if but rather of when, and of what can be done to prevent the attack or minimize its harm.
If you own or manage an OT-based operation, the time to take action and prepare your network is now. We’re here to help.