What the Explosive Growth in ICS-Infrastructure Targeting Means for Security Leaders

February 20, 2020
| |
3 min read

The recently published IBM X-Force Threat Intelligence Index 2020 pointed out that over 8.5 billion records were compromised in 2019, a figure that’s more than 200 percent greater than the number of records lost in 2018. It also determined that scanning and exploitation of vulnerabilities have increased from just 8 percent of attacks in 2018 to nearly one-third, closing in on phishing as the most common attack vector.

So far, this seems to be business as usual with no real surprises for security professionals. But there is one point in the report that stands out: the dramatic increase in targeted attacks on industrial control systems (ICS).

Industrial Control Systems Systematically Targeted in 2019

Industrial control systems and similar operational technology (OT) are computing devices that control physical assets. For example, pipelines valves, milling machines, conveyor belts and even train, ship or airplane systems.

IBM X-Force data indicates that events in which threat actors targeted ICS and OT assets increased over 2,000 percent since 2018. In fact, the number of events targeting OT assets in 2019 was greater than the activity volume observed in the past three years combined. Most of the events observed used a combination of known vulnerabilities within supervisory control and data acquisition (SCADA) and ICS hardware components, as well as brute-force login tactics such as password-spraying attacks.

Converging Legacy Tech Attracts Attacks on Infrastructure

The convergence of IT and OT systems means the logical and physical connection between “classical” IT systems and computer controllers that operate physical assets. This connection has become important for automating processes, optimizing delivery chains and centralizing the control of complex processes. But, according to the report, this bridge between IT infrastructure and OT, such as programmable logic controllers (PLCs) and ICS, continued to present a risk to organizations that relied on such hybrid infrastructures in 2019.

This convergence allows IT breaches to target OT devices controlling physical assets, which can greatly increase the cost of recovery. One example of the potential impact of such an attack was a breach in early 2019 at a global manufacturing company. A ransomware infection starting from an IT system moved laterally into OT infrastructure and brought plant operations to a halt. The attack impacted not only the company’s own operations but also caused a ripple across global markets.

Security assessments performed by IBM X-Force through 2019 highlighted the vulnerability of OT systems, which often use legacy software and hardware. The continued use of old, unsupported production systems containing well-known vulnerabilities means that even if OT systems are not internet-facing, they may still be easy prey. In cases of lateral movement, after an attacker gains the first foothold, these systems can be accessed from inside the network and harmed by relatively simple exploitation techniques.

It’s no surprise that X-Force expects attacks against OT and ICS targets to continue to increase in 2020, as various threat actors plot and launch new campaigns against industrial networks across the globe. With more than 200 new ICS-related CVEs released in 2019, IBM X-Force’s vulnerability database shows that threats to ICS will likely continue to grow in 2020, according to the report.

Address the Risk of Converged IT/OT Environments With a New Approach

The first step in addressing the problem is to raise awareness of the presence of embedded systems in an organization and their associated risks. The biggest hurdle to addressing these risks is not managing the devices, but determining who is responsible for them and developing a maintenance and management plan accordingly.

In most organizations, the responsibility for the IT and OT world is separated — different people with different specializations and mindsets taking care of each world. Unfortunately, this means that duties straddling this organizational boundary, including monitoring for cyberthreats, are at risk of being overlooked. As IT and OT environments converge, industrial control systems security will need to be incorporated as seamlessly as possible into the big-picture security strategy.

Continuous Monitoring of ICS Environments Is Critical

If we set up a workplace computer with a state-of-the-art operating system, we estimate a lifespan of three years and expect that updates and fixes are delivered frequently. ICS and OT devices differ greatly from standard computers in that their life cycles can span 10, 15 or even 30 years, meaning they often rely on legacy operating systems with low resistance against common attack techniques.

Additionally, performing software updates on ICS and OT devices can be difficult, if not impossible. With that limitation on preventive measures, the detection of unusual or suspicious activities on such devices becomes even more important. Due to the proprietary nature of ICS and OT devices, active monitoring and detection is often the first line of defense. The resilience of these devices against cyberattacks will improve in the future, but this will likely take years considering their lifespan.

Mastering the threats against ICS and OT environments will become an increasingly critical topic on chief information security officers’ (CISO) agendas, and the solution to these threats lies not necessarily in new tools, but rather in a fresh mindset and new organizational approaches. Although the threat landscape will shift constantly, security will continue to be defined by the trinity of people, processes and technology.

Download the X-Force Threat Intelligence Index 2020
Reto Zeidler
Associate Partner Security Services, IBM

Reto Zeidler is is an associate partner for IBM Security Services and is an expert in strategy and security intelligence and operations. Since 1998, he has w...
read more

Think On Demand banner
Think banner ad
Your browser doesn’t support HTML5 audio
Press play to continue listening
00:00 00:00