How 20 Years of Cyber Security Incidents Inform Future Strategy

Defining cyber security

Cyber security has traditionally been defined as, “the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information”.

This definition works very well in enterprise Information Technology (IT) environments, but differing environments such as those of industrial nature or provide critical infrastructure (e.g., oil and gas, utilities, energy, electricity), cyber security takes on a different meaning and application of principles.

In fact, the definition of cyber security could be translated more appropriately for industrial purposes to, “the art of protecting networks, devices, operational processes, and people from unauthorized access or criminal use and the practice of ensuring safe, continual, and productive operations where cyber-physical systems are deployed.”

Cyber threat hackers and actors

Beyond the definition of cyber security, traditional actors that engage in hacking or the exploitation of vulnerabilities (flaws) in software and systems for unintended purposes are sensationalized by the media, marked as legions of uniformed military personnel or masked and hooded individuals.  While there is some truth in the imagery of these actors, distinguishing good from bad and independent from organized/affiliated are two separate questions.

For the purposes of this article, a hacker will be synonymous with an individual who’s intention of performing an activity was not intended for a system’s makers, or owners (regardless of motivations or morality).

Despite motivations or affiliations, hackers use any number of techniques to exploit vulnerabilities in software, systems, or the combination of both. This can happen at multiple layers such as the network layer, system resources, configuration, user-interface, applications themselves, or supply chain.

The impacts range from unauthorized access, denial of service/usage, cyber-physical destruction, execution of non-trusted code, disclosure of secrets, invalidation of data integrity, and logic bypasses.

Cyber attacks: Malware as an example

NotPetya and WannaCry, two infamous pieces of malicious software (malware) became a mainstream attack used by common criminals and those appearing to be affiliated with various nation states.

These pieces of ransomware render files unrecoverable through encryption unless a specific key is entered during a specific time frame for an amount of Bitcoin cryptocurrency. But in some instances, recovering files, even if ransom is paid, is not possible.

These malware attacks differ in usage type from information erasure and ransom of data or system control, as well as in their integration with other attack payloads. But the NotPetya and WannaCry attacks and their derivatives have three things in common: disruption, ransom, and destruction.

Originally, the malware attacks were focused on insecure systems and targets for ransom, but also on enterprise and traditional IT environments.  Though their origins were IT, attackers found themselves focusing on large corporations that require Operational Technology (OT) for revenue generation, targets of opportunity, and even state governments.

Digital improvements and cyber threats

With the proliferation of connectivity via the Internet, information and knowledge flows freely for anyone who dares to find it on the regular Internet or within the bowels of the Darkweb.

Knowledge and skills are freely obtainable with a marginal barrier to entry, especially when attacks are easily weaponized as a one-click solution. This has led to an increase in supply of potential attacks or exploits that are used to compromise systems.

Even access to compromised systems, hacking-as-a-service, and credential dumps for sale for the right price.  Cyber security, both in its basic and the most advanced forms, has never been so important as it is today, and yet the barrier of entry to cause cyber-harm has never been so low.  Will the demand exceed the supply? Or will trends change?  Will it have a devastating effect on industrial systems and critical infrastructure?

In the world of industrial control systems (ICS), supervisory control and data acquisition (SCADA), programable logic controllers (PLC), distributed control systems (DCS), safety instrumentation systems (SIS) and sensors or relays, many systems are interconnected.

Traditionally, these systems were non-networked, isolated, and “air gapped”.  Not only has networking connected systems and enabled functionality far beyond original designs, but they also rely on software and operating systems.

These systems also rely on human operators to ensure visibility and the safe operation of a process or plant’s control systems. Regardless of human intervention and monitoring, these industrial control systems are negatively affected through poor cyber security practices.  After all, they use many of the same components, programming languages, and supporting infrastructure as their IT siblings do, but often for a differing purpose in OT environments.

Regarding general cyber security, industrial systems were not considered primary targets, but due to the limited numbers of reported cyberattacks, it was thought that cyber security was more applicable to IT and enterprise systems.  The culture of attacks and their related research numbers grew to the thousands, including nearly uncountable variations of malware.

Following the 9/11 terrorism attack, industrial cyber security expert Eric Byres went on record to discuss the lack of progress of industrial cyber security efforts and the vulnerability of organizations within North America.

IT vs. OT in cyber security

Even though much of the IT cyber security techniques, best practices, tools, and strategies overlap with OT, attacks within IT are often broken into three categories: Confidentiality, Integrity, and Availability.  These three terms refer to what is called the CIA triad and are tightly coupled to data, which is very different than the priorities generally observed in OT.

Industrial facility and critical infrastructure operations focus on the premise of safety-reliability-productivity (SRP) and are traditionally engineered towards minimizing component or process failures.  As these systems evolved, the pace and progress of securing them has several constraints not seen in IT or enterprise environments:

IT vs. OT

• Device, software, and system lifetimes exceed fifteen to twenty years
• Systems are designed with different objectives, such as safety, longevity, reliability and functionality, but not for security cyber-wise.
• Proprietary software, hardware, components, and network protocols are seen. Interoperability between vendors is a challenge for the unacquainted, especially when many legacy systems exist, or their vendors have been acquired.
• Software, and component updates can be tricky if not managed correctly and timed to periods where the risk of disruption is minimal. Tools are constructed appropriately to make this task easier for OT environments, but not all software or hardware systems can be patched or updated due to compatibility, issues, and/or platform abandonment.
• Operational procedures do not allow for Patch Tuesdays or rebooting a misbehaving system due to site scheduling. For example, you can only patch software during periods of downtime or allow maintenance where visibility is not particularly required.  Vulnerability management is even more difficult if a specialized third-party application is incompatible with a Windows fix. Following Windows 7/2008, patches are rolled up into a single bundle and therefore would all need to be blacklisted, ensuring further exposure risk.
• The focus on instrumentation, safe operation, productivity, uptime, and trust in process control data are the primary drivers for operators in OT. This is different than in IT because there is a larger focus on the security and confidentiality of data, such as client records or banking information. While they are both important, they are equally different in context.
• Legacy systems exist, and no feasible remediation paths may exist. These devices are largely insecure by design, and vulnerabilities may not be publicly known or reported, leaving asset owners unaware of potential cyber security risks.
• Compliance and legislation often dominate many organizations’ priorities and budget allocations, which can sometimes be a good thing. In some industries, the costs of recertification can outweigh security updates, so they are both neglected, and/or require layers of compensating controls.
• Skill and resource shortages in IT are even more prevalent in OT. This is further compounded by organizations relying on tribal knowledge of legacy systems. Rare engineering skills were previously commonplace in that technology’s era.
• Severing access and changing credentials is challenging in industrial environments due to the design of systems and the nature of their operations, such as “break-glass” conditions. Some cyber security systems require a period where visibility and operation is lost while credentials are changed and a system is restarted.

Some of these differences between IT and OT security have varied applicability to asset owners and the sites they are responsible for.

History of cyber threats

If a timeline of common threats is examined, those marked with a Microsoft Windows logo were driven through Windows infrastructure (e.g., a commodity OS), but also encompass a number of other threat vectors such as human exploit delivery, insider threat, malware, and misconfiguration. IT-focused malware caused impacts on OT assets in some instances and were used to disrupt OT operations with minimal repurposing.

Figure 1: Timeline of threats in OT highlighting major incidents

In 2000, during one of the first industrial cyber security incidents noted publicly, a third-party, privileged insider gained unauthorized system access and maliciously interacted with systems, causing a large spill of untreated sewer liquids to enter a river in Maroochy Shire, Australia. Regardless of motivations, the attacker was caught, charged, and sentenced. But the damage was done, and this was an early warning to asset owners.

In 2003, Slammer worm malware caused an unintended loss of visibility at the David-Besse nuclear plant. One of Iran’s nuclear facilities was attacked using zero-day exploits and human delivery of the attack via a USB storage device as an infamous first where it is presumed it was nation-state sponsored. It resulted in cyber-physical destruction of centrifuges used for nuclear fuel processing.

Following Ukraine’s outage of power as a result of a cyberattack, other attacks ranging from the first known instance of vulnerabilities being exploited on an Emergency Shutdown Device (ESD) in Saudi Arabia, to the multiple instances of ransomware or wiper ware attacks occurred internationally and in global organizations.

Many of these attacks required specialized knowledge of these organizations, and of industrial devices, but as noted in a recent article by Mandiant, most attacks are executed through endpoints and commodity systems. Of the fourteen cybersecurity incidents noted in Figure 1, eight are publicly noted as having some dependency on Windows infrastructure as part of the successful attack.

More than half of the attacks were dependent upon commodity IT systems providing OT functionality and applications. It seems OT’s challenges and OT cybersecurity are not being addressed.

Given their vulnerability, extended deployment times, and importance, these systems will also be targeted largely for economic reasons; just as naval pirates targeted low-risk targets for reward, and also for strategic reasons once they had become affiliated with nation-states (e.g.,  Pirate groups given legal status by France under King Francis I to cause a negative effect on Spain and Portugal’s prosperity in Atlantic and Caribbean territories).

So, what is going wrong when securing commodity systems?  Why are these systems being attacked? Will an increase in attacks be seen? And if an increase is imminent, can anything be done to minimize cyber risk?

Download The State of OT Cyber Security e-book to find out!