Understanding how cyber-attacks occur
It has been nearly impossible to miss the news about the uptick in cyber-attacks on the manufacturing and processing industries over the past few years. The uptick is not a surprising development, even though manufacturers have historically faced fewer attacks than more consumer-oriented businesses.
One reason attacks on industry lagged was many hackers’ lack of familiarity with the industrial control systems (ICS) used in both discrete manufacturing and processing. As a result, most business-focused cyber-attacks centered on breaches of enterprise IT systems, with which most hackers were already very familiar.
But when you consider the high profile and revenues of many industrial companies, coupled with the potential for significant business and community disruption made possible by attacking a company’s ICS, the incentive for hackers to become more familiar with ICSs was evident. Essentially, it was only a matter of time before industry became widely considered a target-rich environment for cyber criminals.
While plenty of advice exists for industrial companies around how to secure their ICSs, it’s also important for businesses to be aware of the principal types of cyber threats they’re most likely to face.
Prominent sources of attack
Craig Young, principal security researcher at Tripwire, a supplier of industrial cybersecurity tools, points to three sources of cyber-attacks that industrial companies should be most aware of due to their potential to cause major disruption:
A disgruntled insider: “The most critical threats often come from within an organisation,” says Young. “This is especially true in ICS environments where employees have access to plant controls and deep knowledge of operational processes.” Young cites the Oldsmar, Fla., water treatment plant attack as an example of what is widely considered to have been a breach conducted by an employee. This attack is considered to be an inside job because the hacker(s) used “a legitimate company TeamViewer account, combined with apparent knowledge of the company’s human-machine interface,” said Young.
To limit the threat of insider attacks, Young suggests enforcing access controls and limiting administrator access. He adds that practicing strong password hygiene—like requiring multi-factor authentication, forced password expiration, and forbidding password sharing—is also beneficial.
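The Oldsmar description above turns on a legitimate remote-access account being used by someone who should not have had it. Two signals a defender can pull out of ordinary remote-access session logs are a single account active from two different source addresses at the same time (a shared or stolen password) and a session from a source that is not an approved operator workstation. The script below is an added example written for this article, not code from Tripwire or from the plant in question; the log format, the accounts, the addresses, the timestamps and the allow-list are all constructed for illustration.

```python
"""Audit constructed remote-access session logs for two insider indicators:
  1. one account with overlapping sessions from two different source IPs
     (credential sharing), and
  2. any session from a source outside the approved operator allow-list.
Log format and all values below are constructed for this example.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log, one event per line:
# timestamp,event,account,source_ip,session_id
SAMPLE_LOG = """\
2021-02-05T08:00:00,login,hmi-ops,10.20.30.5,s1
2021-02-05T08:45:00,logout,hmi-ops,10.20.30.5,s1
2021-02-05T13:02:00,login,hmi-ops,10.20.30.5,s2
2021-02-05T13:05:00,login,hmi-ops,203.0.113.77,s3
2021-02-05T13:20:00,logout,hmi-ops,203.0.113.77,s3
2021-02-05T14:00:00,logout,hmi-ops,10.20.30.5,s2
2021-02-05T15:00:00,login,vendor-svc,198.51.100.9,s4
2021-02-05T15:30:00,logout,vendor-svc,198.51.100.9,s4
"""

# Assumed allow-list: operator workstations on the plant LAN plus one
# vendor jump host. Anything else is flagged.
ALLOWED_SOURCES = [ip_network("10.20.30.0/24"), ip_network("198.51.100.9/32")]


def parse_log(text):
    """Turn the CSV-style log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, account, src, sid = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "account": account, "src": ip_address(src), "sid": sid})
    return events


def build_sessions(events):
    """Pair login/logout events by session id into
    (account, source_ip, start, end) tuples. A login with no logout is
    treated as still running at the time of the last event in the log."""
    events = sorted(events, key=lambda e: e["ts"])
    open_sessions, sessions = {}, []
    for e in events:
        if e["event"] == "login":
            open_sessions[e["sid"]] = e
        elif e["event"] == "logout" and e["sid"] in open_sessions:
            start = open_sessions.pop(e["sid"])
            sessions.append((start["account"], start["src"], start["ts"], e["ts"]))
    if events:
        last = events[-1]["ts"]
        for start in open_sessions.values():
            sessions.append((start["account"], start["src"], start["ts"], last))
    return sessions


def find_concurrent_sessions(sessions):
    """Accounts with overlapping sessions from two different sources."""
    findings = set()
    for i, (acc_a, src_a, s_a, e_a) in enumerate(sessions):
        for acc_b, src_b, s_b, e_b in sessions[i + 1:]:
            if acc_a == acc_b and src_a != src_b and s_a < e_b and s_b < e_a:
                findings.add((acc_a, *sorted([str(src_a), str(src_b)])))
    return sorted(findings)


def find_disallowed_sources(sessions, allowed=ALLOWED_SOURCES):
    """(account, source_ip) pairs whose source is not on the allow-list."""
    return sorted({(acc, str(src)) for acc, src, _, _ in sessions
                   if not any(src in net for net in allowed)})


def audit(text=SAMPLE_LOG, allowed=ALLOWED_SOURCES):
    sessions = build_sessions(parse_log(text))
    return {"concurrent": find_concurrent_sessions(sessions),
            "disallowed": find_disallowed_sources(sessions, allowed)}


if __name__ == "__main__":
    for kind, items in audit().items():
        for item in items:
            print(kind, item)
```

On the constructed log, the `hmi-ops` account is flagged once for overlapping sessions from 10.20.30.5 and 203.0.113.77, and the 203.0.113.77 session is separately flagged as coming from outside the allow-list; the vendor session from the approved jump host produces no finding. The same two checks apply to VPN concentrator or RDP gateway logs once they are normalised to the same five fields.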
A ransomware gang: Young says ransomware is commonly introduced to an ICS network in one of three ways: a phishing attack that targets employees; compromising an industry website that users may frequently download from; or by targeting VPN portals or other externally exposed IT infrastructure.
“The best way to protect against a ransomware attack is to employ security best practices, including vulnerability management,” says Young. “Attackers often scan the internet for targets rather than identifying a specific target and evaluating its network space. Therefore, network administrators need to be aware of vulnerabilities in externally exposed systems such as VPN portals and mail gateways.”
He also notes that it is important to strengthen internal security by limiting VPN access and restricting access between unrelated servers. And, as with the remedies suggested to prevent insider attacks, limited permissions are key in this instance as well.
“Users should not have access to a system unless there is a specific business need,” stresses Young.
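"Restricting access between unrelated servers" is easiest to enforce and audit when the allowed paths are written down as an explicit allow-list of zone-to-zone conduits and everything not listed is treated as a violation. The script below is an added example written for this article, not Tripwire code; the zone subnets, the conduit table and the flow records are all constructed, and the Modbus/TCP (502) and EtherNet/IP (44818) ports are used only as typical supervisory-to-control traffic.

```python
"""Check constructed flow records against an explicit allow-list of
zone-to-zone conduits. Any inter-zone flow not covered by a conduit, and any
flow involving an address outside the zone model, is reported.
All subnets, conduits and flows are constructed for this example.
"""
from ipaddress import ip_address, ip_network

# Assumed zone model: which subnets belong to which zone.
ZONES = {
    "enterprise":  [ip_network("10.1.0.0/16")],
    "dmz":         [ip_network("10.2.0.0/24")],
    "supervisory": [ip_network("10.20.0.0/16")],      # HMIs, historian
    "control":     [ip_network("192.168.100.0/24")],  # PLCs / RTUs
}

# Assumed conduits: (src_zone, dst_zone, dst_port, proto). Only paths with a
# stated business need are listed; everything else between zones is denied.
CONDUITS = {
    ("enterprise",  "dmz",         443,   "tcp"),  # ERP reads DMZ mirror
    ("dmz",         "supervisory", 5432,  "tcp"),  # mirror pulls historian
    ("supervisory", "control",     502,   "tcp"),  # HMI polls PLCs, Modbus
    ("supervisory", "control",     44818, "tcp"),  # EtherNet/IP
}

# Constructed flow records: (src_ip, dst_ip, dst_port, proto)
FLOWS = [
    ("10.1.5.23",   "10.2.0.10",      443,  "tcp"),
    ("10.2.0.10",   "10.20.1.50",     5432, "tcp"),
    ("10.20.1.40",  "192.168.100.11", 502,  "tcp"),
    ("10.1.7.99",   "192.168.100.11", 502,  "tcp"),  # enterprise host to a PLC
    ("10.1.7.99",   "10.20.1.50",     3389, "tcp"),  # RDP from enterprise
    ("203.0.113.8", "10.2.0.10",      443,  "tcp"),  # source outside any zone
    ("10.20.1.40",  "10.20.1.50",     5432, "tcp"),  # intra-zone
]


def zone_of(ip):
    """Name of the zone containing ip, or None if it is in no defined zone."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in n for n in nets):
            return name
    return None


def check_flow(flow, conduits=CONDUITS):
    """Classify one flow: allowed, intra-zone, violation or unknown-zone."""
    src, dst, port, proto = flow
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "unknown-zone"
    if sz == dz:
        return "intra-zone"
    if (sz, dz, port, proto) in conduits:
        return "allowed"
    return "violation"


def find_violations(flows, conduits=CONDUITS):
    """Flows that need investigation, with their verdict and zones."""
    return [(f, check_flow(f, conduits), zone_of(f[0]), zone_of(f[1]))
            for f in flows
            if check_flow(f, conduits) in ("violation", "unknown-zone")]


if __name__ == "__main__":
    for flow, verdict, sz, dz in find_violations(FLOWS):
        print(f"{verdict:13s} {sz} -> {dz} {flow}")
```

Against the constructed flows, the HMI polling a PLC and the ERP reading the DMZ mirror pass, while three flows are reported: an enterprise host reaching a PLC directly on 502, RDP from the enterprise zone into the supervisory zone, and a 203.0.113.8 source that belongs to no defined zone. The same table, read the other way, is the rule set a firewall between the zones should enforce, so the audit doubles as a check that the deployed rules match the documented business need.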
Advanced persistent threat: Because several high-profile ICS disruptions have been attributed to malicious hackers working for foreign military or intelligence agencies—such as the Triton and NotPetya attacks—it is “hard to understate the potential impact of a wartime ICS cyber incident,” says Young. “In addition to impacting the physical safety of plant workers and local communities, attacks can lead to long-term failures, including disruption of electricity, water, fuel, and other municipal services.”
In addition to the best practice security controls noted above, Young recommends consulting resources like MITRE’s ATT&CK (including its ICS matrix) and D3FEND knowledge bases, which catalogue known adversary techniques and the defensive countermeasures that map to them, so industrial companies can learn about known adversaries and how they operate. “This is critical for making informed decisions on how to not only reduce the risk of intrusion but also impede an attacker’s lateral movement while increasing the defender’s chances for detection,” says Young.