The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.

At the same time, ICS/OT is facing an expanding attack surface caused by continuing business digitization, an explosion of IoT and IIoT devices, the convergence of IT and OT networks, and the use of potentially insecure open source software libraries to bind it all together. For all its benefits, IT/OT convergence without proper security means threat actors can take down operations by exploiting an IT access point or a cloud vector.

"This yields maximum financial or political gain for the attacker," continued Chassar, "because businesses have more incentive to pay a ransom when their means of production are at stake, which can have a long-term impact on revenue and the supply chain."

"Cyber attackers are increasingly weaponizing OT environments to attack hardware and software that control industrial processes and secure OT networks. Skilled workforce shortages and overlapping IT and OT environments can make cyber incident containment difficult."

Supply chain attacks cannot be ignored, either on the IT side or directly against OT. "Supply chain attacks continue to evolve for both ICS hardware and software," comments Pascal Ackerman, senior security consultant for operational technology at GuidePoint Security. "Think implants for controls and automation equipment, attack chains that involve suppliers and service providers to ICS owners as an initial foothold or pivot point, and compromises of controls and automation vendors' file repositories with the purpose of adding implants to the provided software."

Geopolitics and the Russia/Ukraine war

"One of the biggest concerns around the potential for large-scale attacks in the wake of the war in Ukraine is around ICS/OT," says Christopher Budd, senior manager of threat research at Sophos. "While we haven't yet seen attacks on a scale as feared, there have been documented attacks like this in Ukraine as part of the ongoing hostilities."

"Besides the growth of hacktivist activity 'working' to internal and external political agendas," suggests Kaspersky, "we might also see more ransomware attacks on critical infrastructure due to the fact that it will become harder to prosecute such attacks."

Specifically IoT/IIoT

"There are now more known vulnerabilities impacting IoT devices than IT devices," says Bud Broomhead, CEO at Viakoo, "and IoT devices are often the easiest for cybercriminals to access." IoT and IIoT are a massive and expanding part of the ICS/OT attack surface, providing entry points and enabling lateral movement. "Breached IoT devices are having devastating impacts," he continued, "such as ransomware, data loss, changing the chemical balance in a municipal water supply, replacing real camera footage with deepfakes, or disrupting transportation systems."

Wendy Frank, Deloitte's US cyber IoT leader, believes part of the threat comes from a lack of adequate security governance covering the implementation of IoT, IIoT, OT and ICS devices. As their number grows, the expanded attack surface creates more security, data, and privacy risks.
"Leading organizations," she says, "will focus in the year ahead on connected-device cyber practices by establishing or updating related policies and procedures, updating inventories of their IoT-connected devices, monitoring and patching devices, honing both device procurement and disposal practices with security in mind, correlating IoT and IT networks, and monitoring connected devices more closely to further secure those endpoints, manage vulnerabilities, and respond to incidents."

He expects to see: "Ransomware targeting the industrial environment - in contrast to ransomware on the IT side accidentally compromising the OT space - with attacks on virtualization stacks, data repositories, controls equipment like PLCs, and controls project repositories." This will be exacerbated in part by native code execution on PLCs: an attacker who can add arbitrary code to the PLC's operating system paves the way for ransomware and rootkits running on the PLC itself.

Winston is particularly concerned for organizations without adequate segmentation between IT and OT, but notes that "ransomware rarely uses novel methods - making the application of key elements of a defensible ICS/OT architecture particularly effective."

Ian Pratt, global head of security for personal systems at HP Inc, expects an increase in session hijacking in 2023. "Increased use of features like Windows Defender Credential Guard is forcing attackers to pivot - either capturing users' passwords to enable lateral movement, or hijacking the remote session itself to access sensitive data and systems. The latter is particularly powerful." Attacks that target users with elevated rights are more potent, harder to detect, and more difficult to remove. Session hijacking does not involve exploiting a fixable vulnerability: it abuses the legitimate functionality of remote session protocols such as RDP, ICA and SSH.
"If such an attack connects to OT and ICS running factories and industrial plants, there could also be a physical impact on operational availability and safety - potentially cutting off access to energy or water for entire areas."

APTs targeting CNI through OT

"Attacks targeting critical national infrastructure tend to be the work of APT groups working on behalf of nation states with specific goals," comments Joseph Carson, chief security scientist and advisory CISO at Delinea. "These high-level adversaries are hard to defend against as they have the time and resources required to repeatedly test security measures and find gaps, whereas more opportunist criminals in search of profits will select soft targets," he continued.

"Real economy sectors such as agriculture, logistics and transport, the alternative energy sector, and the energy sector as a whole, high-tech, pharmaceuticals and medical equipment producers are likely to see more attacks next year," they say.

Attacks on the OT of critical industries have real-world implications, which may worsen in 2023. "While hackers' activities will likely still be money-driven, we can expect to see human cost become more of a play in the following year." He is concerned that IT and OT security convergence is still not effective. "Attacks that have been close calls in the past will eventually have human costs."

Liebig is also concerned about attacks on the energy grid. "As Ukraine stands its ground in its conflict with Russia, we're likely to not only see more attacks on Ukrainian energy infrastructure, but the US's infrastructure as well," he warns. "At the beginning of 2022, Homeland Security warned that domestic extremists had been developing plans to attack the US electric power infrastructure for years." As a result, he continued, "the combination of aforementioned factors makes the US's power grid more vulnerable to cyberattacks than it has been in a long time."
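Pratt's point that session hijacking abuses legitimate remote-session functionality also means there is nothing to patch, which leaves defenders with detection. The Python below is an added example written for this page, not code from SecurityWeek, HP or any vendor quoted here. It looks for the trail a tscon-style RDP hijack leaves in the Windows Security log: the original remote logon is recorded as event 4624 (logon type 10, RemoteInteractive) and every later re-attachment of that session as event 4778, both carrying the Logon ID and the client workstation name and address. A 4778 whose client does not match the 4624 that created the session is the signal checked. The field names are those of the two events; the Logon IDs, hostnames and addresses in the sample are constructed.

```python
"""Detect RDP session hijacks from Windows Security event fields.

Added example for the article's session hijacking passage; not code from
SecurityWeek, HP or any quoted vendor. Re-attaching a disconnected RDP
session with `tscon` from a SYSTEM shell needs no password and exploits no
bug, so the remaining evidence is a 4778 (session reconnected) whose client
does not match the 4624 (logon type 10) that opened the session. The
sample records below are constructed, not real telemetry.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SecurityEvent:
    event_id: int         # 4624 = logon, 4778 = session reconnected
    logon_id: str         # Logon ID shared by all events of one session
    account: str          # Account Name
    client_name: str      # Workstation Name (4624) / Client Name (4778)
    client_address: str   # Source Network Address (4624) / Client Address (4778)
    logon_type: int = 0   # only set on 4624; 10 = RemoteInteractive (RDP)


# Constructed sample: two engineers log on to a jump host over RDP, one
# reconnects normally from the same workstation, and one session is later
# re-attached from the jump host itself (the tscon pattern).
SAMPLE_EVENTS: List[SecurityEvent] = [
    SecurityEvent(4624, "0x3E7A1", "ot-admin", "ENG-WS01", "10.10.5.20", 10),
    SecurityEvent(4624, "0x4B220", "plc-tech", "ENG-WS07", "10.10.5.27", 10),
    # benign: the same workstation picks up its own dropped session
    SecurityEvent(4778, "0x3E7A1", "ot-admin", "ENG-WS01", "10.10.5.20"),
    # suspicious: ot-admin's session re-attached locally on the jump host
    SecurityEvent(4778, "0x3E7A1", "ot-admin", "JUMP-SRV01", "LOCAL"),
    # benign reconnect for the second session
    SecurityEvent(4778, "0x4B220", "plc-tech", "ENG-WS07", "10.10.5.27"),
]


def find_session_hijacks(events: List[SecurityEvent]) -> List[dict]:
    """Return one finding per 4778 reconnect whose client differs from the
    client that established the session (4624, logon type 10).

    Events are processed in order. A 4778 for a Logon ID with no earlier
    4624 (log rotation, sensor gap) becomes that session's baseline instead
    of an alert, so incomplete history does not produce false positives.
    """
    origin: Dict[str, SecurityEvent] = {}
    findings: List[dict] = []
    for ev in events:
        if ev.event_id == 4624 and ev.logon_type == 10:
            origin.setdefault(ev.logon_id, ev)
        elif ev.event_id == 4778:
            first = origin.get(ev.logon_id)
            if first is None:
                origin[ev.logon_id] = ev
                continue
            if (ev.client_name, ev.client_address) != (
                first.client_name, first.client_address
            ):
                findings.append({
                    "logon_id": ev.logon_id,
                    "account": ev.account,
                    "established_from": (first.client_name, first.client_address),
                    "reconnect_from": (ev.client_name, ev.client_address),
                })
    return findings


if __name__ == "__main__":
    for f in find_session_hijacks(SAMPLE_EVENTS):
        print(f"session {f['logon_id']} of {f['account']} established from "
              f"{f['established_from']} was reconnected from {f['reconnect_from']}")
```

On a real estate, feed the detector the 4624/4778 stream for jump hosts and engineering workstations that bridge IT and OT; a reconnect from the server's own hostname, or from a machine the account has never logged on from, is the case to triage first, since performing it requires the attacker to already hold SYSTEM on that host.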
"Many of the security basics are simply not present, such as leveraging roots of trust and trusted execution environments, strong cryptographic options, hardening, secure update, and shipping with strong identity options and no default access, to name a few," he says. The result is that customers set up devices but rarely come back to manage the ongoing device lifecycle, let alone maintain security as aggressively as they should. "There are missed business opportunities for security services and secure management services as a service that are being left behind. Done correctly, there's not only lower risk for business, but there's money to be made and real value to provide." He adds, "2023 needs to be the year to reset ICS and OT standards for security."

"From the practitioner side of ICS cybersecurity, 2023 will continue to see an overwhelming message of guidance, regulation, media, and FUD about topics such as ransomware, threat actors, and nation-states," he says. "The faster all of us can change this mindset, the more successful 2023 will be for defending critical infrastructure." There will consequently be continued movement from guidance to regulation.

Jablanski offers a word of warning, more to do with party politics than geopolitics: "New direction and bolstered industry involvement will produce greater situational awareness, trust, and resolve across the critical infrastructure security community. As a warning, policymakers should avoid a partisan future for reducing cybersecurity risks to critical infrastructure."
This Cyber News was published on www.securityweek.com. Publication date: Wed, 01 Feb 2023 12:46:03 +0000