SOCHI, Russia—Mouse: the one thing feared by elephants and the world’s largest companies today. Just one click could spell disaster—the Bangladesh bank money transfer fiasco and WannaCry virus—and major revenue losses.
“The gap or space, what I call ‘logical distance,’ between the click of a mouse and the corresponding action that ensues after the click is shortening. That’s worrying,” Patrick Miller, managing partner at Archer Energy Solutions, said in his presentation at the Cybersecurity Conference here last week.
Miller describes this “logical distance” thus: “when you click an icon and something in the field moves.”
He underscores the importance of protecting industries from attacks through digitally connected platforms and automated systems, the theme of the two-day conference organized by Kaspersky Lab ZED.
Industrial control systems (ICS) cybersecurity is important, he said on September 20, as more and more devices and systems are connected to a digital space or undergo automation.
Implementing connected systems and devices is top priority for industrial organizations this year and the next, according to a Kaspersky Lab study.
The market is there and growing, Miller said, citing the same study’s estimate of the global ICS cybersecurity market at $1.8 billion today.
Automation
ICS generally refers to various types of control systems, like those for an oil and gas pump: each node or action point receives data and a subsequent action, usually a command function. Larger systems are usually operated by “supervisory control and data acquisition,” or SCADA, systems or “direct control systems” (DCS) and programmable logic controllers (PLCs).
An example is Omron Corp., which has undertaken full automation of its manufacturing, according to the Japanese firm’s general manager Satoshi Kajima.
Kajima cited as an example Omron’s factory of crops, vegetables and fruits, which is controlled by PLCs.
The factory’s recipe on MRP (materials requirement planning) is installed into the PLC, he said, adding that sensors, valves and servos are connected to the PLC.
“And as we made the industrial IOT [Internet of things] mandatory to improve overall equipment efficiency, there are risks: connections outside.”
Attacks
ACCORDING to Kaspersky Lab, more than 40 percent of all ICS computers protected by the Russian cybersecurity firm’s solutions were attacked by malicious software at least once during the first half of this year.
The most impacted countries turned out to be Vietnam, Algeria and Sri Lanka, while the safest region for industrial machines was Denmark.
“Cyberattacks on industrial computers are considered to be an extremely dangerous threat as they cause material losses and production downtime for a whole system,” a paper by Kaspersky Lab said. “Moreover, industrial enterprises knocked out of service can seriously undermine a region’s social welfare, ecology and macroeconomics.”
Statistics collected by Kaspersky Lab researchers show that this kind of threat is of growing concern.
In the first half of 2018, 41.2 percent of ICS computers were attacked at least once. Moreover, this is a continuation of a trend: in 2017, the figure increased from 36.61 percent in the first half of the year to 37.75 percent in the second half.
Top countries by the number of ICS computers attacked this year were: Vietnam, where 75.1 percent of ICS computers were attacked; Algeria, with 71.6 percent; and Morocco, with 65 percent. As for the least attacked industrial facilities, the top three countries turned out to be Denmark, with 14 percent of computers in industrial enterprises attacked; followed by Ireland, with 14.4 percent; and Switzerland close behind, accounting for 15.9 percent.
Developing economies account for the highest numbers of ICS computers attacked, while developed regions have the lowest number of targeted ICS computers, the Kaspersky Lab study noted.
Asia
ANOTHER Kaspersky Lab study revealed that Southeast Asia led regions in experiencing malware attacks in the first half of the year.
The company’s ICS Cyber Emergency Response Team (CERT) data showed that worldwide, the share of ICS computers attacked by malware rose to 41.21 percent, compared to 36.61 percent in the same period last year.
Malware modifications hit 19,400, which is up 1,500 from the second quarter of 2017. During that period, there were 2,400 malware families detected by Kaspersky Lab. By the first quarter of the year, that number increased by 400 to 2,800 malware families.
The percentage of ICS computers attacked by malware was highest in Southeast Asia at 61.6 percent, with Africa, South Asia, Central Asia and East Asia following at 59.6 percent, 55.6 percent, 52.4 percent and 49.6 percent, respectively, Kaspersky Lab’s CERT data showed.
The Philippines had 51.4 percent of its ICS computers attacked by malware, lower than Vietnam’s 75.1 percent but higher than Thailand’s 42.1 percent.
ICS computers running on Windows were recorded to have the highest percentage of attacks at 51.2 percent, followed by browsers at 37.7 percent.
Access
ACCORDING to another Kaspersky Lab study, the largest number of threats comes from the Internet, which over the years has become the main source of infection for ICS: 27 percent of threats are received from the World Wide Web, while removable storage media are ranked second with 8.4 percent. Mail clients occupy third place in terms of volume—they represent 3.8 percent of threats.
“The percentage of cyberattacks on ICS computers is a concern,” Kaspersky Lab Security Researcher Kirill Kruglov said. “Our advice is to pay attention to systems’ security from the very beginning of their integration, when the systems’ elements are first connected to the Internet: neglecting security solutions at this stage could lead to dire consequences.”
Miller noted that industrial cybersecurity involves a unique set of endpoint devices, network protocols, people, goals and system management constraints. Hence, these are some of the concerns that industrialists need to address.
For Edward M. Marszal, however, the point is the design.
“Well-designed plants do not need cybersecurity to prevent catastrophic loss of containment,” Marszal, president and CEO of engineering consulting firm Kenexis Consulting Corp., said on September 20, the first day of the conference.
Likewise, he believes that any system is hackable, or can be hacked.
“If it resides in a microprocessor, it’s hackable.”
According to Marszal, there are two things that are not hackable: manual operations and humans. “The latter not yet as there are debates on identity theft and the like.”
A Rat
HOW does one hack into an ICS?
One way, according to Kaspersky Lab, is through legitimate remote administration tools (RATs).
“RATs are installed on 31.6 percent of ICS computers, but often remain unnoticed until the organization’s security team finds out that criminals have been using a RAT to install ransomware or cryptocurrency mining software, or to steal confidential information or even money,” the Russian cybersecurity firm said on September 20.
Kaspersky said RATs are legitimate software tools that allow third parties to access a computer remotely. They are often used legitimately by employees at industrial enterprises to save resources, but can also be used by malicious actors for stealthy privileged access to targeted computers.
RATs are incredibly widespread across all industries: nearly one-third of ICS computers protected by Kaspersky Lab products have RATs installed on them. Even more importantly, almost one RAT in five comes bundled with ICS software by default. This makes them less visible to system administrators and, consequently, more attractive to threat actors.
According to the firm, malicious users use RAT software to gain unauthorized access to the targeted network and infect the network with malware (malicious software) in order to conduct espionage and sabotage, and to make illegal financial profits through ransomware operations or by accessing financial assets via the networks attacked.
For Miguel Garcia-Menendez of independent Spanish think tank Instituto de Tendencias en Tecnologia e Innovación (Innovation and Technology Trends Institute), however, it all boils down to money.
Accession
ANOTHER Kaspersky Lab study noted that only 23 percent of companies the firm surveyed said they are compliant with mandatory industry or governmental guidance or regulations.
“In 2017, this result was at a similarly low level, so we see no real improvement in this area,” the cybersecurity firm said.
Compliance with voluntary industry or government guidance or regulations has seen a strong decline compared to last year, for which there are three reasons.
The first is that mandatory cybersecurity regulations, such as the network and information systems (NIS) directive, are given priority. And as they are expensive to implement, they are eating up all the budget and time of the companies surveyed.
The NIS directive is the first piece of European Union-wide legislation on cybersecurity, an article on the EU website said.
Second, in times of internal and external skills shortages, voluntary tasks are the first to be skipped.
The third reason is that a lot of guidance and regulations evolve quickly and as such are difficult to follow in full, i.e., being compliant in 2017 does not necessarily mean being so in 2018 as well; no resources are available for additional actions.
“With increasing connectivity of operational technology (OT) and ICS (OT/ICS) environments to IT systems and the outside world, conventional malware and virus outbreaks are becoming more and more problematic in the OT/ICS area, too,” the Kaspersky Lab study said. It noted that 64 percent of companies experienced this in the last 12 months, slightly more than a year ago. The same is true for ransomware: 30 percent this year, Kaspersky Lab’s CERT data revealed.
Administration
AN important element in ICS is the role of regulators, according to Garcia-Menendez.
However, he muses that regulators are myopic in the sense that a “national security strategy [NSS],” which may or may not include defense against cyberattacks, fails to consider global digitization.
“Stop calling your security strategy ‘national’ in a borderless [cyber]space.”
Such is the case in the Philippines, whose NSS includes providing “strong cyber infrastructure and cyber security” in its 12-point national security goals.
These goals are woven into national instruments “capable of mitigating the risks, upholding national sovereignty, preserving territorial integrity, backing foreign policy, supporting its development thrusts and protecting public safety and natural resources.”
The NSS document released in August this year cites the following instruments: political and legal, diplomatic, informational, intelligence, economic and technological, military and law enforcement, human capital development, legislation, funding and development of strategic industries. This last instrument includes information and communications technology (ICT).
The Philippines’ NSS lists 19 strategic industries that the Duterte administration considered as having important sectors that require protection and are brought under the aegis of national defense and security.
The ICT sector is listed as the 10th strategic industry that requires such protection, as it is “regarded as the industry of industries for [being] widespread, diverse and embedded in nearly every aspect of the people’s economic, social and political life.”
Acceptance
THE country’s NSS noted that the Filipinos’ “increased dependence on online connectivity has also made the public, including the government and business sectors, more vulnerable to various forms of web-based crimes.”
The government has recognized that the “protection of critical infrastructure from cyber attacks and information manipulation has become an urgent imperative.”
Still, the government also had the candor to admit that its “inability to harness the potentials and thwart the threats from cyberspace could imperil the country’s vital interests, critical infrastructure and installations,” among others.
Hence, the government vowed to protect the business and supply chains via the implementation of a program under a National Cybersecurity Plan. It also seeks to strengthen the capabilities of its own CERT “to assess our vulnerabilities and to improve the country’s protection profiles in cyberspace.”
However, there is a dearth of practicing cybersecurity professionals in the country.
The Duterte administration’s NSS, hence, vows to address this by enhancing and expanding the State’s “pool of ICT experts, especially in the law enforcement and security sectors.”
The NSS only cited “collaborative efforts” with the business sector.
Actions
FOR Marszal, any “cybersecurity design should be based on the risk of process.”
“Most cybersecurity risks analysis fails to consider the process but rather focuses on ICS equipment,” he said.
Marszal noted that risks are higher because of two things: poorly defined accident scenarios and a lack of consideration of inherent safety.
Hence, he recommends the use of cybersecurity process hazards analysis (PHA), which Marszal claims can identify process scenarios of cybersecurity concern.
Likewise, he said some functions should not be designed to be hackable or placed in a hackable system, and could be implemented in, e.g., analog form instead.
There should be a combination of hackable and nonhackable equipment and elements, Marszal explained, adding that he is not advocating a return to full manual operation or regressing from automation.
“If you have circuits that have shutdown functions, maybe they should not be automated,” he said. “Systems that are important should not go cyber.”
Marszal also recommends designing tamper-proof circuits or installing discrete “components with FPGA [field-programmable gate array, an integrated circuit designed to be configured by a customer or a designer after manufacturing].”
Miller also cautions against using technology to solve all problems.
“Industrial cloud will happen; so will emergent intelligence. We can’t solve all problems with technology,” he said. “Maybe the goal is not necessarily security but keeping the system going running and resilient.”