The prevailing wisdom is that attack totals dropped because hackers grew more sophisticated and strategic in their targeting, not because they lost interest. When identifying a target for their efforts, hackers are looking for an organization with a broad attack surface, little to no leverage to withstand interruptions in service, and the resources to pay a large ransom without permanently crippling their business. Squarely at the nexus of each of these qualifiers are industrial companies responsible for creating and administering infrastructures citizens rely on.
The Cybersecurity Challenges of Industry 4.0
The Industrial Internet of Things (IIoT) market is predicted to reach $110 billion by 2025, with millions if not billions of devices added per year. Countless legacy devices are also being brought onto IT networks as part of the continued IT/OT convergence. Connecting all these devices has made administering the complex matrices of industrial infrastructure a lot more efficient and effective, but it has vastly expanded the potential attack surface for bad actors. Operational technology (OT) networks were previously isolated but are now more accessible from outside networks and consequently more vulnerable to cyberattacks.
Moreover, most security controls designed for the IT environment are inapplicable to OT environments. Production lines, process integrity, business continuity, revenues, and asset values – all are put at risk by inadequate cybersecurity solutions for connected OT devices.
So too are human lives. According to Gartner, by 2025 cyber attackers will be able to weaponize OT environments to harm or kill humans, but this timeline is accelerating quickly. How might this happen? An example of this kind of harrowing attack already exists. In 2017, a zero-day privilege-escalation hack into Schneider Electric’s safety-controller firmware allowed hackers to gain control of the emergency shutdown system in a targeted attack against two major clients, among them a major petrochemical plant. According to investigators, this hack was not meant to destroy data or shut down the plant – it was meant “to sabotage the firm’s operations and trigger an explosion.” This is what geopolitical conflict may look like in the future as state-backed actors embrace cybercrime against industrial targets as a cleaner and more cost-efficient method to create chaos.
It’s Time to Treat Trust as a Weakness – Hackers Already Are
Hackers are diversifying their attack vectors to evade the defences of organizations still reliant on outdated perimeter-based security postures. In cybersecurity, trust is a weakness, so any security posture that assumes legitimacy without authentication is vulnerable. The traditional idea of the outside hacker being the one to breach a system is outdated, as supply chain hacks present an equally viable attack vector these days. Insider attacks are a major threat as well – whether malicious or by mistake. A Ponemon Institute study published in 2021 found that insider cybersecurity incidents have risen 47% since 2018 and the average overall remuneration cost of an insider-caused breach also increased, up 31% to $11.5 million. Awareness and attentiveness play significant roles in deterring hacks from these vectors, as many attacks are the result of an opportunistic hacker compromising a supply chain actor or a credentialed insider forgetting to log out.
Business Continuity Requires Both Performance and Protection
As mentioned above, industrial manufacturers are rolling out millions of IIoT devices each year, each of which is connected to their networks. Manufacturers are obligated to make sure these devices are secure, lest a breach derail business continuity either through an interruption of service, stoppage of production lines, or leak of customer data. The challenge in this task is in finding security solutions that protect new and legacy devices without compromising performance or functionality.
Billions of dollars are spent annually on device/machine protection. However, yesterday’s effective protection measures will not be good enough tomorrow. Fortunately, zero-trust, zero-impact security solutions are emerging. One such example involves a zero-trust device-level solution that blocks all persistent changes of critical data unless fully authenticated by an external authorization entity, which effectively protects it from outsiders as well as insiders, supply chain sources, and even human errors. This type of passive protection uses near-zero resources and has no performance hit or functionality impact.
Regulation is Coming, but Not Fast Enough
Governments have started to recognize the potential national security risks posed by vulnerable industrial companies and have announced legislation on the topic. Officials in the EU have initiated legislation designed to force technology providers to improve their security, while the U.S. government established a review board to analyze the mistakes from past major cyberattacks on industry and critical infrastructure, so stakeholders are better prepared moving forward. Still, most security regulation on industrial manufacturers, energy companies, utilities, and other critical infrastructure organizations remains voluntary. As the movement on the matter has been slow, the onus falls on the industrial manufacturers themselves.
The magnitude, scope, and nature of the cyberattacks in 2021 clearly indicate that current industry approaches are insufficient, and 2022 is expected to provide further proof that a cybersecurity paradigm shift is needed. Industrial companies must anticipate attacks this year to be varied in style and source, and it won’t always be clear who is ultimately behind them. We recommend these companies implement multi-layer security protection from the IT network to the device level, design programs to drive employee awareness of cyber hygiene best practices, and build an attack response protocol. With intense threats on the horizon, hacks into industrial companies must now be treated as a matter of not if, but when.
Written by Sagi Berco, VP R&D at NanoLock Security