Cyber-espionage and exploitation from nation-state-sanctioned actors have only become more prevalent in recent years, with recent examples including the SolarWinds attack, which was attributed to nation-state actors with alleged Russian ties.
There are suspicions that sensitive information has been stolen from victims of the SolarWinds attack, such as Black Start, the Federal Energy Regulatory Commission’s plan to restore power after a grid blackout.
Attacks on critical infrastructure have grown in popularity since 2010, with the first nation-state cyber-physical attack on the Natanz Nuclear Enrichment Facility (aka Stuxnet). The attack changed critical process parameters such as the RPM of the centrifuges and hid these changes from the system operators, causing random centrifuge failures and significantly delaying the uranium enrichment process by the Iranians. This was followed by the blackouts that were caused as a result of the attacks on the Ukrainian Grid in 2015 and 2016.
Critical infrastructure is now a prime target in the context of global cyber warfare. Operational technology (OT), the backbone of industrial automation, has become less segmented due to equipment being addressable from the internet or by receiving services from the internet, such as software updates.
With the introduction of remote access and remote vendor support comes a much larger attack surface for the OT group, which traditionally didn’t handle IT security and advanced threats. While the Stuxnet attack destroyed centrifuges and may have delayed Iran’s nuclear program, other compromises can cause serious environmental impacts, injuries, and even loss of life. While no ICS cyberattack to date has caused bodily injury, the Trisis attack campaign has the potential to do so by compromising SIS safety systems that are used to prevent fires and explosions.
Challenges facing security teams
Securing this space is no easy task. With the growth of IP-based communications into OT, the lines between OT and IT have become more and more blurred over who is in charge of securing these systems. Additionally, networks that were once disconnected (such as gas-fired power plants) are now connected for smart grid management.
As industrial control systems (ICS) are increasingly digitized, their attack surface grows, becoming more significant targets for malicious attacks. While the IT environment has foundationally evolved to have security as a cornerstone of management, OT has only recently started down that path. Much like the early days of internet protocols, developers of industrial protocols did not create protocol standards with security in mind, and many vendors developed proprietary protocols.
Fast forward to today, and we have a plethora of protocols with varying degrees of robustness and security in modern production environments. Many asset owners are hampered in their security efforts by not having the ability to effectively monitor or have the appropriate security tools to respond to incidents. The OT equipment itself can also be sensitive to active queries, causing it to fail when sent unexpected data, more data than it can handle at once, or using more active connections than allowed, making active monitoring somewhat risky.
Adding in the ever-growing PC servers and workstations to ICS networks, and you have a complex attack surface that encompasses traditional enterprise services and cyber-physical systems. The solutions often require an approach that can address security across both environments and can distinguish which systems are sensitive to active monitoring.
Bridging the gap with Rapid7 and SCADAFence
We can overcome these challenges by providing a unified system that monitors and assesses both environments. Security analysts need to understand what is happening within OT systems and how attackers breached those systems through the traditional IT infrastructure. Operators also need to be conscious of all the equipment within their production environments, including both OT assets and IT assets. With the integration of the SCADAfence product suite into Rapid7’s InsightVM, customers can get in-depth information around their OT assets and single out those devices that are sensitive to traditional layer-3 scanning techniques.
Through establishing a risk profile of all devices across the IT and OT infrastructure, operators and analysts can optimize risk prioritization and remediation efforts. Not only can IT and OT assets be enumerated and assessed, but Internet of Things (IoT) devices can as well.
With the integration of SCADAfence, automation customers can achieve full coverage across both the IT and OT environments by leveraging the Rapid7 Insight product portfolio, leading to risk reduction for the entire organization.