
We just closed another year in the ICS security industry, one filled with advanced (and exciting) product developments. We also saw increased market awareness, with a growing emphasis on protecting industrial infrastructure.

After reflecting on 2017, we shift our focus to the year ahead. Below are some of Bayshore’s key predictions for 2018, brought to you by our experienced product management team.

ICS Attacks Will Extend Beyond the Electrical Grid

In December 2017, the Triton malware targeted a Safety Instrumented System (SIS) — one of only a few examples of ICS malware not focused exclusively on power distribution and transmission. In 2018, we will see nation states and other sophisticated actors broadening their horizons beyond the electrical grid to include environments such as factories and building management systems.

Initial Infection of an ICS Network Via Physical Access

Interesting infection vectors have emerged in the limited sample set of publicly documented ICS infections. In 2010, Stuxnet was used to bridge air-gapped networks, and in 2014 we saw the Havex[1] malware target software distribution channels. With the increasing connectivity of ICS networks and the move towards the Industrial Internet of Things (IIoT), we see new opportunities for attackers to gain physical access to ICS networks. Building management systems, wind farms[2], oil pipelines, water treatment facilities, and mining operations span large geographical territories, presenting challenges to physical security.

In some scenarios, physical security may be the primary defense for a network. Therefore, an attacker who takes advantage of weaknesses in physical security may be able to gain access to the OT network. Beyond that, technologies such as the Raspberry Pi continue to provide feature-rich, open platforms in increasingly small form factors. This gives attackers the ability to cheaply and stealthily connect into ICS networks and, via wireless command-and-control channels, exploit them remotely.

ICS Malware Sophistication Will Increase

Stuxnet aside, ICS malware has been growing steadily in sophistication. Attacks involving generally applicable malware[3] targeting OT as well as IT environments quickly evolved in sophistication. Recently, ICS malware has evolved to include modules capable of speaking native OT protocols[4], making it stealthier and more dangerous. Meanwhile, asset owners are deploying technologies to increase the security of the (typically Windows-based) HMI and EWS systems on their networks.

In 2018, attackers will continue to evolve their malware payloads and target the controller endpoints themselves (PLCs, IEDs, etc.). Controller-based payloads include tailored or modified program logic, firmware updates, and (Linux-based) command and control (i.e., rootkits). By deploying code to a controller directly, an attacker can maintain a more covert foothold on the network with direct access to the industrial process.

Final Note

In conclusion, we look forward to another exciting year of growth in ICS security. Bayshore will follow all of the trends and predictions, so we can bring you the solutions that protect your industrial infrastructure.

[1] https://www.pcworld.com/article/2367240/new-havex-malware-variants-target-industrial-control-system-and-scada-users.html
[2] https://www.blackhat.com/us-17/briefings/schedule/#adventures-in-attacking-wind-farm-control-networks-6394
[3] https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/faq-blackenergy
[4] https://www.us-cert.gov/ncas/alerts/TA17-163A