"Targeted exploits with a bullseye on ICS environments will be the next big wave of attacks." - Andres Andreu, CTO of Bayshore Networks
Today’s manufacturing processes, for the most part, involve standardized, layered systems with in-depth production rules, guidelines and regulatory oversight. While connecting plant processes, networks and applications promises to drive significant economic benefits for manufacturers, this interconnection also creates new cyber threat attack surfaces, including the possibility of safety concerns, operational disruptions and downtime, and costly physical damage to equipment and products.
The majority of operational systems cannot support best practices from IT security. They can't be patched routinely, they run outdated versions of operating systems, and their host networks enable unfettered movement for malware and human attackers. In some cases, connections to the corporate network provide a pathway into OT via lateral movement. Enterprise networks and the plant's operational technology also run different protocols and systems, which makes securing them together difficult.
It's a scary fact that 86% of attacks in manufacturing are targeted.* In 2019 we will face a new set of sophisticated attacks on manufacturing and other critical infrastructure. The involvement of nation-states compounds this challenge because they bring better resources to hackers (i.e. money, people and skills). The result is an elite class of attackers, well funded and highly skilled, which makes it almost impossible for every manufacturing company to protect itself. Hoping you are not targeted is not a proactive security measure. Attackers are also turning to Artificial Intelligence (AI) and Machine Learning (ML) to do some of the heavy analytical work for them. And don't forget, the biggest threat to an institution may also (already) be inside the building. Studies show that 60% of cyber attacks still come from inside the company.
By far, the biggest threats to manufacturing are targeted attacks with a "bullseye" on ICS environments. Attackers take over critical systems in these environments and demand ransoms for the keys that unlock them and return things to normal. Targets usually pay because the fee is less expensive than a prolonged outage. The next set of targets will include vital societal infrastructure services that have not yet truly been hit by widespread ransomware attacks. Cyber criminals know that any attack causing downtime in these environments or services will get swift attention, and ransomware is probably the lowest-effort way to target a specific entity.
What can we do to better protect manufacturing?
The attacks will come. We have to acknowledge that our industry is enormous. A clear understanding of the issues is paramount. When suspect activity is detected, professional forensics experts should be involved to provide invaluable insight into its details. Those details will also, of course, feed into the ultimate decision of whether or not the suspect activity qualifies as a successful breach or attack. Over the years this expertise has proven to be beyond the normal capabilities of typical IT staff, so it is a worthwhile investment.
Beyond forensics a company should also have a regular set of external eyes on their security posture. This will also prove to be money well spent over time. Once a deep understanding of these real issues is in place, it is possible to filter out noise and focus on security issues that matter.
Active OT Protection
Adding security to a production environment without violating the bounded latency constraints that environment must adhere to is not easy. Modern enterprise Ethernet networks operate with non-deterministic traffic timing, so intervening devices (i.e. security devices) can delay data streams and, generally speaking, those delays are acceptable. IIoT/OT networks have no such luxury, yet they need security functionality in order to properly protect their resources and productivity. Finding that middle ground is a great and unique challenge.
The impact of active protective action, or the lack thereof, is growing rapidly. Visibility is still of value, but at some point active enforcement will need to take place to actually secure resources in manufacturing (and most other IIoT environments, for that matter). When the usefulness of visibility alone declines and actual enforcement of blocking rules takes place on a network, we will see a positive impact. The challenge is: how much impact can an organization tolerate so that there is actual protection without disrupting productivity? It's a serious challenge, and one answer does not fit all models.
You may have seen the Shodan results for exposed ICS systems where the focus was purely on the ease of use aspect. Balance is possible, but it requires some give and take on both the OT/ICS and IT sides. The fact that some equipment was put in place 20 years ago does not mean the surrounding technology has to be stuck in time, two decades later. Things have to be done with expertise, planning and extensive testing to ensure these environments can safely operate within the confines of modern-day technology.
As we move forward, apply healthy paranoia. Verify at every step. "NO", you cannot trust your partners to keep your data safe. This is not meant as a negative dig at any partner, but there is no way to truly know whether your partners will go as far as you will to secure your own resources. It is worthwhile to invest in objective third-party assessments performed by qualified experts. Make sure your partners have the same level of accountability with respect to the outcome of those assessments. Critical infrastructure protection requires active OT security.
Bayshore offers industrial OT security anchored around a common policy engine which provides bi-directional deep content inspection, intelligent content reassembly, context-based behavioral anomaly detection, and the enforcement of external third-party threat intelligence.
Recently, we announced "Beacon", policy-enforcing secure remote access for individual users and OT assets, provisioned per service and per user, with Active Directory integration and 100% software-based one-day deployment.
Bayshore is the only OT security solution which can sit inline next to any OT asset and provide automated policy enforcement and protection. Bayshore performs live session capture and reconstruction across a wide variety of native OT networking protocols (in certain cases including encrypted transports) to identify file transfers, expose full message content/payload, and surface contextual cues of attempted obfuscation.
Bayshore works as close to wire speed as possible and provides real-time filtering of known and acceptable OT protocol payloads, allowing instructions that are within range to proceed while isolating anomalous messages and alerting operators to investigate root causes.
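To make the inline payload-filtering idea concrete (bounded latency, allow in-range instructions, isolate everything else), here is an added illustration in Python. It is not Bayshore's code or policy language: it decodes a Modbus/TCP request with fixed-offset parsing (cheap enough for an inline path), and applies a constructed allowlist of function codes plus a per-register value range for writes; any malformed, unlisted or out-of-range message is isolated with a reason an operator can act on.

```python
import struct

# Constructed policy (illustrative only): permitted function codes and the
# value range a single setpoint register is allowed to receive.
ALLOWED_FUNCS = {0x03, 0x06}          # 0x03 read holding regs, 0x06 write single reg
WRITE_RANGES = {0x0010: (200, 450)}   # register 16: acceptable setpoint range

def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the 7-byte MBAP header and the PDU of a Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    # MBAP length counts the unit id plus the PDU that follows it.
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    msg = {"tid": tid, "unit": unit, "func": frame[7]}
    data = frame[8:]
    if msg["func"] in ALLOWED_FUNCS and len(data) == 4:
        # 0x06: register address + value; 0x03: start address + quantity
        msg["addr"], msg["arg"] = struct.unpack(">HH", data)
    return msg

def inspect(frame: bytes) -> tuple:
    """Return (verdict, reason) where verdict is 'allow' or 'isolate'."""
    try:
        msg = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "isolate", f"malformed frame: {exc}"
    if msg["func"] not in ALLOWED_FUNCS:
        return "isolate", f"function 0x{msg['func']:02x} not permitted"
    if "addr" not in msg:
        return "isolate", "unexpected PDU length for permitted function"
    if msg["func"] == 0x06:
        lo, hi = WRITE_RANGES.get(msg["addr"], (None, None))
        if lo is None:
            return "isolate", f"write to unlisted register {msg['addr']}"
        if not lo <= msg["arg"] <= hi:
            return "isolate", f"value {msg['arg']} outside {lo}-{hi}"
    return "allow", "within policy"

def build(func: int, addr: int, arg: int, tid: int = 1, unit: int = 1) -> bytes:
    """Assemble a constructed Modbus/TCP request frame for testing."""
    pdu = struct.pack(">BHH", func, addr, arg)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

if __name__ == "__main__":
    for f in (build(0x06, 0x10, 300), build(0x06, 0x10, 900), build(0x05, 0x10, 0xFF00)):
        print(inspect(f))
```

A real deployment would keep per-asset policy, track session state and rate-limit alerts, but the decision path stays a handful of fixed-size field checks per message.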
I urge you to take a look at our recent trial offer; Beacon could indeed save your manufacturing company from becoming the next headline.
I look forward to your comments and questions.
Andres Andreu, CTO of Bayshore Networks
*Source: Verizon Data Breach Investigations Report