The threat of a ransomware attack hangs like a storm cloud over everything from private industry to critical national infrastructure. And for good reason. BlackFog’s State of Ransomware 2021 blog, which tracks ransomware attacks around the globe, had already logged 120 attacks between January and May of this year, up from 75 during the same stretch in 2020. But, unfortunately, there’s a lot more to worry about than just ransomware. Improved technology, ease of access and the global pandemic have introduced an entirely new threat landscape, especially on operational technology (OT) networks.
According to Rick Peters, chief information security officer (CISO) of operational technology North America at Fortinet, there has been a 400% increase in attacks on OT in just the last year. This should not be surprising as times of uncertainty generally create confusion and innovation. In 2020, most businesses were forced to quickly pivot to work from home as a result of the COVID-19 pandemic. This created huge challenges for information technology (IT) departments as they tried to provide safe and easy access to networks from any work environment, but OT didn’t get a free pass.
“They were equally charged to figure out how to connect, how to spread and be able to accomplish business when not everything’s done on prem,” Peters said. “That, of course, creates opportunities. What we were witnessing heading into 2020 is still true — lots of attempts to disrupt OT across all of the aspects. So it’s not just focused on manufacturing or energy and utilities or transportation; you’re seeing it everywhere. It’s pervasive. And it’s pervasive because it’s profitable.”
That profit motivation has forced those charged with protecting OT to think about a proportional investment because they’ve already digitally transformed. The onus is on company leaders to protect their enterprise and infrastructure from bad actors trying to hijack their data — for either extortion or other nefarious purposes — in this new threat landscape. While ransomware has been top of mind thanks to major attacks like the ones on the Colonial Pipeline and JBS, it’s also essential to protect intellectual property (IP) from theft.
“What you’re really seeing [with] the majority of these efforts, if you peel them back and start to really study them, is industrial espionage,” Peters said. “What they’re really after is that information, that intellectual capital, which is proprietary, likely. It’s your secret sauce. It’s what you bake in. It’s your tradecraft. That’s really the value that they’re going to go after. If you’re in the health care industry, which is obviously connected, they’re after privacy data. That all has great value. And, of course, we have to be able to pivot and understand what’s going on and be able to detect it and neutralize it at the speed of business.”
Whether cyber criminals are attempting to profit from ransomware or IP theft, what they’re looking for is access. According to Peters, who spent 33 years working for the National Security Agency before moving to Fortinet, access is always the first step.
“I think SolarWinds was a great example of that,” he said. “You had a lot of discretion on the part of an adversary gaining access using a party that was delivering a service. So the service was the payload. What a wonderful way to get on a wide variety of targets. Whether you were the primary target or collateral, it’s a widespread attack that gained lots of access. Once I’m on target, then I’m going to use higher-grade tools to gain access, or further access, or penetration.
“It’s getting on target and then using exploits that will allow me to achieve and move within the environment. I would say my natural instinct once I’m on point is to move quickly. If you’re not containing me, I’m gone. I’ve moved on to where my ultimate destination is to achieve probably a comprehensive or a multi-thread campaign. I may keep you busy over here focusing on a problem that looks like ransomware, but I may be busy off stealing your tradecraft. That’s kind of what we have to think about today.”
In this dangerous new threat landscape, readiness is key. The goal should be the earliest possible recognition, detection and neutralization. And that whole cycle needs to happen at the speed of business so companies can minimize their loss in productivity.
But it’s not just external threats organizations need to worry about; there’s also the insider attack. While internal IP theft has always been a concern in business, the shift to work from home has likely increased its prevalence. To help offset this, one common trend today, Peters said, is the move toward at-speed behavior analysis so companies can detect anomalous behaviors using AI techniques and the power of actionable intelligence.
Employees working from the comfort of their own homes don’t have anyone looking over their shoulder, which makes them more likely to engage in behaviors they wouldn’t typically do in a traditional office environment. While those behaviors are not always intended to be malicious, they can still be damaging. They could be as simple as downloading apps or programs from an untrusted source.
“Because they’re comfortable in their home space, they may commit an act — not knowingly — but one that allows the adversary to gain a hold of that point as an access point. From that point, it’s game on,” Peters said. “We have to think about all the dimensions of what’s going on, but, moreover, think about what’s the cost of our inability to defend? I would pull one thread on this; it’s not just a technology problem. We have to educate our people. We have to understand our process engineering, how we’re refining that, and apply technology. You have to think about all three dimensions in protecting our infrastructure.”
For much of the last decade, there has been an exponential increase in innovation and technology, in both the IT and OT realms. The industrial internet of things has expanded the threat landscape and created many new business challenges from a cybersecurity perspective. OT environments that were traditionally considered safe and air-gapped are now attached to company networks, thanks to digital transformation. This innovation is not the exception; it’s very much the rule.
“We’ve got to understand the capacity and the increased interest in data is not going to go away,” Peters said. “Data is that commodity of interest. That appetite has already been whetted. And in the business world, that data allows me to make smarter decisions faster, be able to pivot quickly and increase my operational efficiency.”
Companies need to be able to support those initiatives by investing in a way that ensures the integrity of that environment. And whatever solutions they choose need to have the capacity to scale.
“In this world that’s growing so fast, if the solution or the approach you take doesn’t scale, you hit a wall. You hit a ceiling very quickly, and that will be frustrating,” Peters said. “You want to be heading down a path that’s going to give you decades of insurance because that’s kind of the way the OT system owners think.”
Thankfully, there is a wealth of information out there for people looking for help hardening their cyber defenses. Many companies, including Fortinet, are even sharing information about cybersecurity best practices at no cost.
“In order to achieve cyber resilience, we all need to work together,” Peters said. “It’s a team sport. … The beauty of it is that it transcends and gets into this idea of sharing — sharing ideas, sharing options, having a respect and building trust across those teams, so partnerships really become a coalition of the willing.”
In Part 1 of our interview with Rick Peters, he discussed the move toward edge computing and what that means for the integrity of systems and the threat landscape. And check out our Industrial Cybersecurity Pulse YouTube page to view previous installments from our expert interview series.