It is a safe bet that few industrial control systems (ICS) critical infrastructure organizations would rate their cybersecurity as excellent. If they know this, the hackers do too and that makes them an easy target. In the Ukrainian instance, the payload was delivered via spear phishing exploits and then looked for a certain running process common to SCADA systems. When it found it, it killed the process and overwrote it, effectively making the device useless.
There was nothing uncommon about the hackers’ payload delivery and therefore it was something that could have been prevented or, at a minimum, limited the likelihood of occurrence with extra training on the user environment. But ICS critical infrastructure does have unique challenges due to the very nature of the business:
* Siloed culture – Traditional IT groups and their Operational Technology (OT) counterparts are distinct silos. If they do not define clear roles and work together toward a common goal, the organization becomes its own worst enemy. OT teams who have little experience with IT are on a steep learning curve, and IT groups who have the experience with the technology generally do not understand the OT needs of the organization. This causes organizational friction and poor communication that malicious actors are more than happy to exploit
* New technology, no training – As legacy SCADA systems sunset and organizations refresh their technology, many groups who grew up in the analog world are finding themselves in a foreign digital and interconnected world. This convergence is creating an interoperability risk that opens the doors to adversaries. As employees with little IT background start operating IT based equipment, it takes time for them to understand the risk for devices that previously did not have corporate connectivity. Even worse, some of those devices are exposed to the internet, increasing this risk. This allows attackers to use traditional avenues to establish a presence in the SCADA environment. The combination of ICS technology convergence coupled with a culture not prepared to handle the issue will likely be a primary factor of an ICS breach.
* Misguided Vendors – Silicon Valley vendors generally do not understand the OT environment and, as a result, end up falling short on their needs. On the flip side, traditional ICS vendors see the technology market growing and, to grow business, start offering IT based solutions without fully understand today's cyber risk landscape. The risk is having OT groups who don’t fully understand the cyber risk landscape entering into contractual agreements with vendors who don’t fully understand them either. In the end, we are vulnerable because we deploy vulnerable systems.
So what’s the path forward As a former CISO in a critical infrastructure sector, here are a few things that can help:
1. Lead by example. Successfully evolving culture is dependent on your organization's leadership lifestyle choice. It’s no different than your personal health. You can eat right, exercise and do the hard work in the right areas and you will change your out come by living a low risk life. Or you can keep doing what you are doing, ignore the warning signs and roll the dice. The choice is yours to either be a change agent or not. IT and OT groups need to have a very professional and frank conversation about doing what needs to be done for the sake of lowering their risk.
2. Use an intelligence driven defense. Intelligence helps you make decisions and take action. You cannot defend yourself properly unless you know what your risks are. An intelligence driven defense must be a part of your enterprise risk program. It takes effort, but it’s possible to spin up a capability in months, not years. The key is to make yourself and your organization defendable to malicious actors, defendable in court, defendable to regulatory action and defendable to your brand, both personal and organizational.
3. Manage your Vendors. A conversation needs to be had between IT, OT and organizational counsel. Vendors tend to react to the market place, and if more ICS sectors begin placing sound cyber security contractual language in their solicitations, the vendors will move in the right direction. However, be prepared for the reality that your costs may go up because you are asking them to do more. Either your vendor needs to take action via a contract line item or you do so upon delivery. The bottom line is we are vulnerable, in part, because we deploy vulnerable systems. It’s time to start changing that outcome.
4. Compartmentalize. Yes, this is an area that takes a significant amount of effort but it must be done. Any breach will be significantly less damaging if you compartmentalize your vital infrastructure from your non vital and remove significant avenues of approach that actors are utilizing. In ICS, one suggestion is the implementation of data diodes for compartmentalization.
Intelligence can drive ICS critical infrastructure to make decision and take action, and it serves as the foundation of information that will change outcomes. In the case of the Ukrainian power grid attack, it could have prevented so many people from losing something so important.