Cyber Attacks on Critical Infrastructure and Industrial Control Systems
Gartner estimates that by 2025, cyber attackers will have weaponized a critical infrastructure cyber-physical system (CPS) to successfully harm or kill humans. In high-stakes sectors like water treatment, oil and gas delivery, and power distribution, an outage or delay in services due to cyber attacks on critical infrastructure can have a rippling effect. Looking at drinking water production or wastewater treatment as an example, an attack could result directly in citizens not having safe drinking water and sanitation, but it could also force the closure of hospitals and shut down schools and government facilities.
Against this backdrop, the recent meeting of the Plymouth County Water Works Association that I attended discussed the role of the industrial automation industry in maintaining a safe and secure environment. Leading the discussion was Lieutenant Brian Gavioli of the Massachusetts State Police Mass Cybersecurity Program. Lt. Gavioli is responsible for the coordination of cyber threat intelligence, information sharing, and cyber incident response at the Commonwealth Fusion Center, which has a specialized unit assigned to critical infrastructure.
For us as an industrial automation solutions provider, the information Lt. Gavioli shared re-emphasized the importance of strengthening cyber security best practices with our customers, as well as in our own business. Some of the key takeaways follow.
Top 4 Attack Vectors for Critical Infrastructure
With digital transformation a priority for many manufacturers and other sectors, industrial automation solution providers need to strike a balance between providing the desired architecture and operational efficiency and applying security measures. When designing and implementing industrial control systems, one of the goals must be to minimize the risk of the following most common attack vectors:
- Remote Service Providers: The more people who have access to a system, the more vulnerable the system is. (Identity management is one measure to help ensure only those that require access have it.)
- Public Facing Applications: Any software exposed to the Internet, especially if out of date or unpatched, is vulnerable to modern malware.
- Public Facing Devices: Any hardware exposed to the Internet represents an entry point to the network.
Social Engineering and Industrial Control Systems Cyber Security
Another point that Lt. Gavioli discussed was how attackers leverage social engineering to gain an understanding of what protocols companies use and where the vulnerability resides. Through the practice of social engineering, attackers mine publicly available information to gain knowledge of your control systems.
Take LinkedIn, for example. Attackers use LinkedIn Jobs or public contract boards to understand what protocols companies use. If you post a job advertising an open position for a controls engineer with Allen-Bradley experience, the post tells the attacker that your operations use Allen-Bradley, so they know which system to target.
When municipalities put jobs out for public bid, attackers can also take advantage of the requirement that the posting include hardware and software requirements, again gaining insights into internal systems. Lastly, there is the more commonly known phishing, where malicious individuals or organizations attempt to solicit personal information by posing as real, trustworthy sources on social networks.
4 Must-Do Steps to Protect Against Cyber Attacks on Critical Infrastructure
Some of the most prominent and effective solutions when it comes to industrial control systems and protecting against cyber-attacks include:
- Create an Industrial Control System-specific Incident Response Plan (IRP). Document the procedure and practice the response plan periodically.
- Document your assets and determine a normal baseline for ongoing Visibility & Threat Detection so that you will be able to detect abnormal behavior.
- Use Multi-Factor Authentication (such as RSA or a third-party application) instead of SMS, because SMS can be more easily socially engineered.
- Avoid automatic patching, as it is not realistic for industrial control systems. In cases where your automation vendors haven’t addressed OS patches, automatic patching could shut down your systems completely.
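One way to put the asset-baseline step above into practice, as an added example that is not from the original article or from Lt. Gavioli's presentation: it compares observed network flows against a documented asset inventory and a known-good learning window, and reports what is new. The inventory, IP addresses, device roles, and flow records are constructed samples, and the function and variable names are hypothetical.

```python
from collections import namedtuple

# One observed network conversation: source IP, destination IP, destination TCP port.
Flow = namedtuple("Flow", "src dst port")

# Documented asset inventory (constructed sample; addresses and roles are hypothetical).
ASSETS = {
    "10.10.1.10": "HMI",
    "10.10.1.20": "engineering workstation",
    "10.10.2.5": "PLC (pump station)",
    "10.10.2.6": "PLC (chlorination)",
}

# Known-good learning window (constructed). 44818/tcp is EtherNet/IP; 502/tcp is Modbus/TCP.
BASELINE_FLOWS = [
    Flow("10.10.1.10", "10.10.2.5", 44818),
    Flow("10.10.1.10", "10.10.2.6", 44818),
    Flow("10.10.1.20", "10.10.2.5", 44818),
]

def find_deviations(flows, assets, baseline_flows):
    """Return (reason, flow) pairs for traffic that departs from the documented baseline."""
    baseline = set(baseline_flows)
    known_pairs = {(f.src, f.dst) for f in baseline}
    findings = []
    for f in flows:
        if f in baseline:
            continue  # exactly what was seen during the learning window
        unknown = [ip for ip in (f.src, f.dst) if ip not in assets]
        if unknown:
            findings.append(("undocumented asset " + ", ".join(unknown), f))
        elif (f.src, f.dst) not in known_pairs:
            findings.append(("new conversation between known assets", f))
        else:
            findings.append(("new port between known peers", f))
    return findings

# Traffic observed after the baseline was set (constructed sample).
OBSERVED = [
    Flow("10.10.1.10", "10.10.2.5", 44818),   # normal HMI polling
    Flow("10.10.1.20", "10.10.2.6", 44818),   # workstation reaching a PLC it never talked to
    Flow("10.10.1.10", "10.10.2.5", 502),     # known peers, protocol not seen before
    Flow("10.10.1.77", "10.10.2.5", 44818),   # device missing from the inventory
]

if __name__ == "__main__":
    for reason, flow in find_deviations(OBSERVED, ASSETS, BASELINE_FLOWS):
        print(f"{reason}: {flow.src} -> {flow.dst}:{flow.port}")
```

Each finding is a prompt to either update the asset documentation or investigate, which is where the incident response plan from the first step comes in.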
Cyber Attacks on Industrial Control Systems – Taking the Next Step
To evaluate your risk tolerance for a cybersecurity event, contact us to discuss your current protection plan and how an on-site assessment of your OT infrastructure could reveal additional strategies to protect your industrial control systems. You can also visit these resources to learn more: