Why security challenges aren’t just about money

By Dean Parsons, SANS Certified Instructor, and CEO and Principal Consultant of ICS Defense Force

Johannesburg, 07 Nov 2023
ICS/OT attacks frequently set their sights on vital infrastructure.
ICS/OT attacks frequently set their sights on vital infrastructure.

There is an old saying: “Some individuals aren't motivated by tangible rewards like money. They are beyond persuasion, intimidation or reasoning. Some simply desire chaos and disruption.” These words capture the essence when addressing the objectives of industrial control system (ICS)/operational technology (OT) attacks in the region. Unlike mainstream cyber attacks, ICS/OT attacks often lack a direct financial incentive. Instead, their primary aim is to interrupt operations or cause material harm.

Driven by the intricate dynamics of rising geopolitical strains, digital business advancements, IT-OT convergence and IOT adoption, these attacks frequently set their sights on vital infrastructure.

The frequency and scale of ICS attacks have surged in recent years, facilitated by readily available ICS-specific frameworks that malicious groups globally can employ to jeopardise control system environments and endanger human lives and engineering functions, irrespective of the ICS domain. Given the recurrent targeting of critical infrastructure, it is imperative for entities to devise strategies to mitigate the repercussions on individuals, societies and large-scale enterprises.

In December 2022, two renowned enterprises faced the onslaught of the TrickBot Infrastructure ICS/OT cyber attack. TrickBot, a versatile instrument, allows its operators to extract e-mails and credentials, further propelling malware into the victim’s network. This incident underscores the mounting cyber threats, underscoring the need for proficient defenders with engineering expertise to monitor ICS networks vigilantly. A compromised ICS/OT security apparatus can jeopardise public health, environmental safety and national security.

Components for robust ICS/OT security

A contemporary SANS Institute white paper titled: “The Five ICS Cybersecurity Critical Controls” accentuates the equilibrium required for optimal ICS/OT security. The study highlights an overarching inclination towards preventive measures in cyber security circles. Despite their prominence, they often lack detection and rapid response mechanisms. Consequently, a substantial number of organisations allocate a meagre portion of their resources to detect, tackle and recuperate from breaches.

Amid the upsurge in ICS-centric assaults, entities must brace themselves for imminent threats. Blindly transferring IT security protocols to ICS and OT can lead to adverse outcomes. Unlike traditional IT, which primarily concerns data storage or transmission, ICS emphasises data that manipulates physical entities. This interaction with tangible elements sets ICS apart from conventional IT, necessitating distinct system architecture, support, defence and incident management.

Considering the disparities in risk exposure, purpose, controls, architecture and ramifications, ICS environments across all domains must prioritise ICS-tailored measures over generic IT security protocols. Emphasising ICS-specific network visibility with ICS-aware detection mechanisms is pivotal for optimal network surveillance. This also warrants a profound understanding of the tools and networks to facilitate ICS-specific threat prevention, detection and industrial incident resolution.

Implementing an ICS/OT security paradigm that amalgamates the following five cardinal controls is instrumental:

ICS incident response: An operationally informed response plan prioritises system integrity and swift recovery. These exercises accentuate risk scenarios and offer solutions tailored to the security milieu, emphasising action based on potential operational impacts.

Defensible architecture: Efficient ICS architecture bolsters visibility, log management, asset recognition, segmentation and communication regulation, bridging the technological-human divide.

ICS network visibility monitoring: Given the intricate nature of ICS attacks, continuous network monitoring with protocol-aware tools is indispensable.

Remote access security: In an era dominated by cloud-based work structures, malefactors increasingly exploit remote access to breach OT networks.

Risk-based vulnerability management: Enables organisations to identify and prioritise the most critical ICS vulnerabilities.

Towards a secure tomorrow

The establishment of a strategy anchored in these five ICS-specific controls aims for a future shielded from those desiring chaos. Such a security program safeguards the critical infrastructure across sectors, moulded to their distinctive risk profiles and engineering security needs. A collective enterprise-wide effort, buttressed by agile controls and streamlined processes, demonstrates the resolve to counter the escalating ICS threats. By championing a security-centric strategy that prioritises the safety of the engineering process, entities can proactively bolster their defences against hostile adversaries, ensuring the well-being of their people, society and business operations. For more information about SANS, please see here.