According to Gartner, by 2025 cyberattackers will be able to weaponize operational technology (OT) environments to harm or kill humans, but this timeline is accelerating quickly. How might this happen?
An example of this kind of harrowing attack already exists. In 2018, attackers used a zero-day privilege-escalation exploit against Schneider Electric’s safety-controller firmware to gain control of the emergency shutdown system in a targeted attack on two clients, among them a major petrochemical plant. According to investigators, this hack was not meant to destroy data or shut down the plant — it was meant “to sabotage the firm’s operations and trigger an explosion.” This is what geopolitical conflict may look like in the future as state-backed actors embrace cybercrime against industrial targets as a cleaner and more cost-efficient way to create chaos.
It’s easy to understand why if you think about incentive structures. When choosing a target, hackers look for an organization with a broad attack surface, little to no tolerance for interruptions in service or operation, the resources to survive an attack, and a high level of importance to its local and regional communities. Squarely at the nexus of all these qualifiers are the industrial companies responsible for building and administering the infrastructure citizens rely on.
The rapidly growing industrial attack surface
Industrial targets are not only vulnerable, but constantly expanding their attack surfaces. The industrial internet of things (IIoT) market is predicted to reach $110 billion by 2025, with millions if not billions of devices added per year. Countless legacy devices are being brought onto IT networks as part of the continued IT/OT convergence, as well. Connecting all these devices has made administrating the complex matrices of industrial infrastructure a lot more efficient and effective, but it has vastly expanded the potential attack surface for bad actors.
OT networks were previously isolated but are now far more accessible, which consequently multiplies the potential entry points along the attack path. Furthermore, the majority of security controls designed for the IT environment are inapplicable to OT environments. Production lines, process integrity, business continuity, revenues and asset values — all are put at risk by inadequate cybersecurity protocols for connected OT devices.
Regulation is coming, but not fast enough
Governments have started to recognize the potential national security risks posed by vulnerable industrial infrastructure and have announced legislation on the topic. Officials in the EU have initiated legislation designed to force technology providers to improve their security, including ISA99. The American government established a review board to analyze the mistakes from past major cyberattacks on industry and critical infrastructure so stakeholders are better prepared moving forward. Still, most security regulation on industrial manufacturers, energy companies, utilities and other critical infrastructure organizations has moved slowly. As a result, the onus falls on the industrial manufacturers themselves.
Manufacturers must make sure these devices are secure, lest a breach derail business continuity either through an interruption of service, stoppage of production lines or release of customer data. The challenge in this task is in finding security solutions with no impact on performance or functionality that protect against all kinds of attack vectors, especially increasingly common insider and supply chain hacks.
Trust no one is not a cliché
There has been a sea change in the cybersecurity world, with hackers diversifying their attack vectors to evade the defenses of organizations still reliant on outdated perimeter-based security postures. In cybersecurity, trust is a weakness, so any security posture that assumes legitimacy without authentication is vulnerable. Would you trust a disgruntled former employee who knows the password to configure your devices? You shouldn’t.
The traditional idea that the outside hacker is the only risk of a breach is outdated, as supply chain hacks present an equally viable attack vector these days. Insider attacks are a major threat as well, resulting from disgruntled or compromised employees or simply from stolen credentials. Human error counts in this category too, and it actually accounts for a majority of the incidents. Data from 2022 shows that insider cybersecurity incidents have risen sharply since 2018, and the average overall cost of an insider-caused breach also increased, up 31% to $11.5 million. Awareness and attentiveness play significant roles in deterring hacks from these vectors, as many attacks are the result of an opportunistic hacker compromising a supply chain actor or a credentialed insider forgetting to log out.
The magnitude, scope and nature of the cyberattacks in 2021 clearly indicate that current industry approaches are insufficient, and 2022 is already providing further proof that a new cybersecurity paradigm shift is needed. Industrial companies must anticipate attacks this year to be varied in style and source, and it won’t always be clear who is ultimately behind them. We recommend these companies implement multilayer security protection from the IT network to the device level, design programs to drive employee awareness of cyber hygiene best practices and build an attack response protocol. With intense threats on the horizon, hacks into industrial companies must now be treated as a matter of not if, but when.