The four eras of critical infrastructure cybersecurity


Digital transformation and the march toward Industry 5.0 have seen increased connectivity of devices to both the internet and to each other. This has allowed businesses and manufacturers to streamline operations and save money, but it has also increased the threat domain by offering up new attack vectors. This can be a major problem when it comes to protecting critical infrastructure, the essential operations and industries the country needs to run properly. Nation-states, criminal organizations and other threat actors are always looking for ways to undermine these essential industries, steal intellectual property, engage in espionage or otherwise sow chaos. In late January, industrial cybersecurity company Dragos held a virtual panel called the “Sprint to Secure Critical Infrastructure” to discuss the ever-changing threat landscape.

Robert M. Lee, CEO and co-founder of Dragos, opened up the event by talking about the evolution of industrial cybersecurity, breaking it down into four eras. The industrial infrastructure has always focused on safety and reliability, especially because people work and live in the very communities they serve. That dedication has contributed to a lot of security efforts over the years. But Industry 4.0 and rapid digitalization are adding more complexity, which makes the security question more difficult. In addition, most of the security budget — up to 95% — is still going to the information technology (IT) environment, with only about 5% of resources set aside to protect operational technology (OT).

Lee categorized what he saw as the multiple eras in industrial security operations.

The dawn of critical infrastructure cybersecurity

This first era began almost as soon as “cybersecurity” became a notion, with hackers testing the bounds of internet security. In this era, people were targeting the IT side of things. Attacks did happen at industrial companies — petrochemical, manufacturing, energy, etc. — but threat actors were still going after IT systems rather than the industrial equipment itself. Much of this was basic espionage or curiosity.

The era of ICS curiosity

According to Lee, the landscape changed around 2008-09, when attackers started getting into industrial networks and targeting OT operations directly. They learned there was a lot of value in going after the manufacturing environment. These attacks sometimes were about industrial espionage or stealing intellectual property (IP) — and in manufacturing, sometimes IP is the manufacturing environment itself. There was also geopolitical value for nation-state actors.

Lee called this the era of industrial control system (ICS) curiosity, where state actors and others were trying to determine what they could do with these systems and what the real value was. The idea was just to get into the ICS and figure it out from there. This era saw malware like HAVEX, Dragonfly, and BlackEnergy 2 and 3. Other than Stuxnet, a computer worm that was used to attack Iranian nuclear facilities, most of the prominent cybersecurity breaches in this era were not necessarily attacks; they were mostly about espionage.

The ICS disruption phase

From 2015-21, things changed again, according to Lee. The number of attacks on operational systems increased, but most of them were either site or subindustry specific. These were very focused attacks that were human intensive, meaning they took manpower to leverage.

This era included attacks on the electric power sector in Ukraine, the TRISIS attacks, Industroyer 2 and many 2021 attacks on Ukraine, among others. This era increased risk because the malware was often destructive in nature, designed to harm or kill humans. Cyber criminals were generally using the information stolen in the previous era to wage new, more destructive attacks.

The only positive is that these attacks were so targeted that they were only going to work on the specific system that was under attack. They were neither scalable nor cross industry. From a defensive perspective, that means that cybersecurity professionals had some time to prepare. It was unlikely that the same tactics, techniques and procedures used on, say, a water/wastewater plant could immediately be turned around and used on the transportation sector.

The current era of critical infrastructure threat

This all changed in 2022, when the malware Pipedream was discovered, said Lee. Researchers from Dragos found the new malware and analyzed it before it was employed. He said Pipedream’s targets included critical infrastructure like electrical and natural gas companies in the U.S., which he called a “scary proposition.”

The sea change was that this was the first time defenders saw capabilities that were scalable, reusable and cross industry. The threat actors took advantage of things like more homogenous infrastructure and common software stacks. While these are good from a business perspective, they also introduce new risk.

Pipedream has the ability to go into many industries for espionage, disruption or destruction, and defenders don’t have as much time to respond anymore because the malware can be reused and scaled.

Here’s the good news, according to Lee: If you’ve been taking all the recommended cybersecurity steps over the last decade, you’re probably on good footing. Pipedream is essentially a collection of greatest hits from other malware, so if you’ve prepared yourself for that, you likely have solid defenses against newer Pipedream-style malware.

But if you haven’t been paying attention to new developments and taking care of your industrial cyber safety, the divide just became astronomical. Lee said time is running out to prepare yourself against this new era of threats.
