Industrial cyber security in APAC is still lagging behind enterprises, but having some basic hygiene and a plan in place is “light years” better than nothing, according to director of incident response at operational technology cyber security firm Dragos Lesley Carhart.
Carhart recommends industrial technology operators large or small in APAC realise they could all be targets, including from state actors looking to steal information or position themselves for a future geopolitical event, and to put in place and test incident response plans.
Industrial cyber security maturity still lagging behind enterprises
Operators of industrial technology have about a medium level of security maturity in a country like Australia. Operators are often aware of what needs to be done from a strategic standpoint and have started to build in more maturity but still have a number of gaps to fill, Carhart said.
“They may have started to build a plan but not tested the plan yet to ensure every part of it works. There’s a temptation to build a plan and assume capabilities in cyber security, in critical infrastructure, in OT industrial environments, without having really fully tested them yourself.”
Dragos has seen organisations implementing incident response plans and security monitoring; this puts them “light years ahead” of those with no plan and no retainers or team for cyber security, but Carhart said they need to test assumptions to do tactical things behind strategy.
TechRepublic Premium: Download An Incident Response Policy Now
“There’s often stop blocks where they may say, ‘We assumed we had an asset inventory and it’s not up to date’, or ‘we assumed we had logging and it’s not comprehensive’, or ‘we assumed we had backups we could restore from in our industrial environment’, she elaborated.
“It is quite mature in the enterprise environment — they have great staffing, mature programs, plans for cyber security — but when you move over to OT, it’s a different landscape at a different level of maturity, and that stuff just doesn’t exist with the same level of practical use.”
Three top challenges impacting industrial technology security
There are a number of challenges that are preventing operators of industry technology environments from catching up with enterprises when it comes to cyber security.
Communication between industrial process engineering and cyber security
There has been “decades of misunderstanding” between process engineering teams and those responsible for cyber security in the industrial technology space, Carhart said. Much of this “human problem” comes down to misunderstandings “of priorities and terminology.”
SEE: How cyber security burnout is creating risk for APAC organisations
“We’ve tried to impose enterprise cyber security controls on process environments, and you just can’t do that due to things like vendor presence and the age and sensitivity of the equipment. It can be hard to get movement in implementing modern security controls.”
Technical challenges due to operational technology equipment
Much of the industrial technology market utilises legacy vendor controlled equipment. Carhart said that, due to the heavy Original Equipment Manufacturer presence in industrial technology environments, this can restrict what organisations can do in cyber security.
Sensitivity of operational technology processes and equipment
Organisations operating industrial technology “may only have one maintenance outage a year when they can work on equipment”, according to Carhart, and they are dealing with equipment that often stays in use for long periods of time, often with lifespans up to 20 years.
“You certainly can’t implement modern, agent-based security controls. None of the security tools you see at security conferences for enterprise environments, like XDR or EDR tools, none of those function well in process environments because of all those things,” Carhart said.
Three top cyber threats facing industrial technology in 2024
There are three main threats facing operators of operational technology. Each bucket accounts for about a third each of the threats Dragos sees facing industries in developed nations.
Commodity malware and ransomware
Industrial organisations are prime targets for commodity malware and ransomware. They make “juicy targets for criminals,” Carhart said, because they are more likely to be vulnerable to an attack and, as they are doing critical things, there is a likelihood people will pay a ransom.
Carhart said malware and ransomware impact industrial environments because of the lack of security tooling and maturity. While they may not necessarily directly impact process equipment, it can disrupt things like the screens the operators use to see if things are running safely.
Recent data from Dragos’ OT 2023 Cybersecurity Year in Review found 13 ransomware incidents impacted the country’s industrial organisations. A LockBit 3.0 attack on DP World, though ransomware was not deployed, led to a shutdown of land-side port operations for three days, and “brought into focus the possibility of cascading effects and impacts of ransomware on industrial operations, supply chains, and consumers,” according to a Dragos statement.
Insider threats
Insider threats are often not malicious or intentional, but can still have “huge impacts,” Carhart said. In some cases, workers may improperly deploy security measures, be hampered due to poor human relationships internally, or misunderstand how to do their job correctly.
Examples include circumvention of IT security controls, like a system being connected directly to a cellular or dual internet connection or somebody bringing in a USB drive. These threats can impact sensitive processing equipment and can go unnoticed for months or years.
Advanced criminal threat groups or state actors
The third category of threat is from advanced, state-style adversary groups. They engage in:
- Industrial espionage: This activity is seen especially in industries like manufacturing and food production, where actors break in to learn how processes are done and then steal them.
- Building reconnaissance and access: State actors getting a foothold in industries and infrastructure so they can do something when it’s “geopolitically appropriate in the future.”
“State adversary groups — and some criminal groups — have started building large databases of information about how environments are configured, so if there’s a reason to do something malicious in future, they know how to do it, and they have access to do it,” Carhart said.
All industrial organisations are targets, regardless of their size
Industrial operators are often surprised when they face a real world cyber incident; Carhart said they are often ticking check boxes for the sake of audits or for the sake of regulation. In cases like these, they will have never practiced or drilled or had a plan what to do when an attack hits.
Carhart warned anyone can be caught out by an attack. “I can’t count the number of cases where people were like, ‘we didn’t think it was going to happen to us, we weren’t supposed to be targets, so we never really drilled our plan,” she said.
Industrial organisations can be attractive targets for different reasons
Dragos’ experience in the field indicates small organisations are often targeted because they are easy targets for criminal actors, who can make a little bit of money from a lot of organisations easily. “They’re also targeted by states because they make a good test against bigger companies, or may be an avenue into a bigger company,” Carhart added.
Bigger companies may think they are protected by big cyber security teams and budgets. “But having a big architecture to cover can make it very challenging to do comprehensive cyber surgery, because you might not know pieces of your network exist. And planning across a lot of different industrial facilities can be very hard, as well as monitoring,” Carhart concluded.
Dragos’ advice for coping with an industrial cyber security incident
The biggest thing industrial technology and critical infrastructure operators can do to prepare for a cyber incident, and the associated incident response, is to have “some kind of plan written down,” says Carhart. This is because security incidents “never happen at an opportune time.”
“It’s always like 5pm on a Friday or 2am on Christmas,” she said. “First of all, that’s because everything’s usually shut down in the process environment, or it’s a skeleton group, and people have time to actually look at things and notice things are going on,” she explained.
“And secondly, it’s because bad people know when nobody’s watching. So you need to have a plan written down; it becomes a crisis really fast, everybody’s panicked, and you’ve got senior executives breathing down your neck, which is tremendously difficult in a small organisation.”
Organisations should know what to do or who to call
Dragos recommends organisations clearly document how they will handle an incident response; this can include calling on help from a government support organisation, partners like cybersecurity firms, or peers, where there are mutual aid arrangements in place.
TechRepublic Premium: Strengthen security responses with our security response policy
“It could be, ‘we know who we’re going to get help from, who can give us cheap or free help’, and that’s fine. It could be, ‘we’re staffed and mature internally, and we have our own incident response team for OT and this is how they’re going to function and how they’re going to interrelate with our process engineers’. Or it could be, ‘we have a commercial retainer with a company’ like Dragos or one of our competitors. Either way, you need to have a plan,” she said.
5 steps for achieving industrial cyber security hygiene
Dragos’ CEO Robert M. Lee was the co-author of a 2022 whitepaper called The Five ICS Cybersecurity Critical Controls. It outlines how industrial organisations can create an Industrial Control System or operational technology security program to mitigate many cyber risks.
While basic security hygiene, Carhart said Dragos would see a lot less cases if they were implemented in infrastructure environments. “These recommendations make a big difference in defense, in depth and ability to detect an actor before they do something malicious”.
The five recommendations contained in the whitepaper are:
ICS incident response
Organisations are advised to have an ICS-specific incident response plan to account for the complexities and operational necessities of their operational environment. They should also conduct exercises to reinforce risk scenarios and use cases tailored to their environment.
Defensible architecture
Defensible architectures are preferred to reduce risk while facilitating the efforts of human defenders. This includes architectures supporting elements like visibility, log collection, asset identification, segmentation of systems and “industrial DMZs” or buffer zones.
ICS network visibility monitoring
Lee and co-author Tim Conway suggest that continuous network security monitoring of the ICS environment should be a priority, if possible using protocol-aware toolsets and system of systems interaction analysis capabilities that can inform operations of the potential risks to control.
Secure remote access
It is recommended that organistions identify and inventory all remote access points and allowed destination environments. They should also implement on-demand access and MFA if possible, and jump host environments to provide control and monitor points within secure segments.
Risk-based vulnerability management
The ICS control system should include an understanding of cyber digital controls in place and device operating conditions. This can aid risk-based vulnerability management decisions when patching for the vulnerability, mitigating the impact or monitoring for possible exploitation.