2021 saw a sharp rise in the number of attacks on industrial control systems (ICS) that run some of the world’s most critical infrastructure. In the first six months alone, there was a 41% surge in reported ICS vulnerabilities. Meanwhile, the capabilities and sophistication of cyber adversaries continue to increase.
As such, chief security officers (CSOs) and others responsible for safeguarding their organization’s people and assets must ensure they understand the potential risks ICS pose, and how to best identify and mitigate them.
ICS are systems that automate and control industrial processes, as well as support critical infrastructure such as energy, transportation, health, manufacturing, food and water. Originally, these systems were offline. They were developed before the Internet became commonplace, deployed in isolated networks and run on proprietary protocols with custom software to limit the exposure to cyber threats.
Today, millions of ICS are connected to the Internet—from water treatment and gas plants to trains and traffic light systems—to allow process monitoring, system maintenance and production data control to be done remotely. While this new paradigm helps boost efficiency and usability, it also makes ICS a high-value target for cyber attacks. Compromised ICS can lead to high-stakes ramifications in the safety, security and well-being of the public.
In February 2021, an intruder gained remote access to the control system of a water treatment plant in Oldsmar, Florida and attempted to raise the level of sodium hydroxide (lye) in the water to a dangerous concentration. According to the joint CISA/FBI advisory on the incident (AA21-042A), all computers at the plant shared the same password for the TeamViewer remote access software and appeared to be connected directly to the Internet without any firewall in front of them. The intrusion came through exactly that remote access software, a weak point attackers routinely use when targeting an ICS: the underlying control equipment is legacy technology that was never designed for remote management, so access gets bolted on with general-purpose remote desktop tools and, too often, shared credentials.
Fortunately, an operator at the facility happened to be watching the screen when the setpoint changed and reverted it immediately, before the altered water could leave the plant and cause mass illness or worse. That is worth dwelling on: the recovery depended on a person noticing at the right moment, not on a designed control such as network segmentation, per-user credentials or alerting on out-of-range setpoints. The incident highlights how exposed critical infrastructure is to today's cyber threats, which can disrupt operations or deny vital services to society.
When your ICS is compromised, your organization faces potential risks including, but not limited to, the following:
While there are clear advantages to Internet-connected infrastructure, the evolution and digitalization of ICS—along with the dramatic shift to remote work due to the COVID-19 pandemic—have introduced real-time risks to the organizations managing them.
Another challenge is that organizations often lack a complete and current inventory of their Internet-connected ICS: which devices are reachable from outside, on which ports and protocols, and through which remote-access paths. That visibility is the most basic starting point for securing ICS; you cannot patch, segment or monitor an asset you do not know is exposed.
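One way to start building that inventory, as an added example that is not part of the original article or a Dataminr product: reduce a port-scan export (from a tool such as nmap or masscan) to host/port rows, then flag hosts that expose ICS protocol ports or remote-access services on Internet-routable addresses. The port list, the severity scheme and the sample scan below are assumptions made for this example; the sample uses RFC 5737 documentation addresses as stand-ins for public hosts, so the routability check deliberately does not use Python's is_global, which treats those ranges as non-public.

```python
"""Minimal ICS exposure inventory from a port-scan export (added example)."""
import csv
import io
import ipaddress
from collections import defaultdict

# IANA-registered or common vendor-default ports for ICS protocols. None of
# these should be reachable from the public Internet.
ICS_PORTS = {
    102: "Siemens S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    2404: "IEC 60870-5-104",
    20000: "DNP3",
    44818: "EtherNet/IP (CIP)",
    47808: "BACnet/IP",
}

# Remote-access services that are frequently found in front of ICS hosts.
REMOTE_ACCESS_PORTS = {
    3389: "RDP",
    5900: "VNC",
    5938: "TeamViewer",
}

# Address ranges we do not count as Internet-exposed. RFC 5737 documentation
# ranges are intentionally NOT listed so the constructed sample counts as public.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
)]

# Constructed sample export (hypothetical hosts, documentation/private addresses).
SAMPLE_SCAN = """\
host,port,proto
203.0.113.10,502,tcp
203.0.113.10,5938,tcp
203.0.113.10,443,tcp
198.51.100.7,20000,tcp
198.51.100.7,3389,tcp
192.0.2.44,102,tcp
198.51.100.20,5900,tcp
192.168.10.5,502,tcp
10.0.0.3,44818,tcp
"""


def is_internet_routable(host):
    """True if the address falls outside the NON_ROUTABLE ranges above."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(addr in net for net in NON_ROUTABLE)


def inventory(scan_csv):
    """Map each Internet-routable host to its exposed (port, label, category) findings."""
    exposed = defaultdict(list)
    for row in csv.DictReader(io.StringIO(scan_csv)):
        host, port = row["host"].strip(), int(row["port"])
        if not is_internet_routable(host):
            continue  # still worth tracking internally, but not Internet-exposed
        if port in ICS_PORTS:
            exposed[host].append((port, ICS_PORTS[port], "ics-protocol"))
        elif port in REMOTE_ACCESS_PORTS:
            exposed[host].append((port, REMOTE_ACCESS_PORTS[port], "remote-access"))
    return dict(exposed)


def severity(findings):
    """ICS protocol plus remote access on one host is the worst case (the Oldsmar pattern)."""
    cats = {cat for _, _, cat in findings}
    if {"ics-protocol", "remote-access"} <= cats:
        return "critical"
    if "ics-protocol" in cats:
        return "high"
    return "medium"


def report(scan_csv):
    """Return [(host, severity, findings)] ordered critical -> high -> medium."""
    order = ("critical", "high", "medium")
    rows = [(host, severity(f), f) for host, f in inventory(scan_csv).items()]
    return sorted(rows, key=lambda r: order.index(r[1]))


if __name__ == "__main__":
    for host, sev, findings in report(SAMPLE_SCAN):
        print(f"{sev.upper():8} {host}")
        for port, label, cat in findings:
            print(f"         {port:>5}/tcp  {label} [{cat}]")
```

In practice the input would be the organization's own external scan, cross-checked against what Internet-wide scan services report for its address space; hosts that appear there but not in the internal asset register are the ones to chase first.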
Because regulation in this area is still thin, organizations have largely been left to monitor risks and devise response plans on their own. The good news is that, in recent years, the U.S. government has come to acknowledge ICS cybersecurity as a growing concern. For example, the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT, now part of CISA) regularly issues advisories about ICS vulnerabilities that need to be patched or mitigated.
In April 2021, the Biden Administration also launched an Industrial Control Systems Cybersecurity Initiative, which was further expanded that July to accelerate ongoing cybersecurity efforts in critical infrastructure sectors. The initiative encourages industry leaders to address the important technologies needed to monitor ICS, detect malicious activity and facilitate response actions to cyber threats.
That said, the pace at which physical assets and infrastructures become Internet-connected is quickly surpassing our ability to promptly create and issue advisories. The more connected ICS become, the more opportunities there are for cyber criminals to exploit them and their increasingly valuable data.
Until we have more advanced technology and up-to-date regulation around how best to secure Internet-connected ICS, completely shielding every ICS from cyber risk will remain an enormous challenge. But that doesn't mean your organization is left unarmed.
You can’t effectively address threats you can’t see or know about. This is why real-time alerting solutions like Dataminr Pulse play a central role in improving your threat visibility, by providing the earliest indications of risks or high-impact events, so that your security teams can make better-informed decisions to ensure the safe operations of your ICS.
When the Florida water plant hack occurred, Dataminr alerted customers to the scale of the attack, the affected software and the exposed municipal-level IP addresses that were at critical risk of exploitation—allowing customers to quickly and proactively secure their systems. Media in the area also relied on our hyperlocal alerts to report on the incident hours before government agencies issued their own warnings.
When there’s not an active risk, security leaders can also develop their understanding of the threat ecosystem through our alerts on new ICS security-related regulations and advisories, as well as the most popular exploit tools being used by threat actors and the ICS vulnerabilities they’re targeting.
Learn more about Dataminr Pulse and how it helps organizations like yours safeguard their industrial control systems by detecting the earliest indications of high-impact events, threats and other business critical information.
Jonathan Peyster is Associate Director, Research and Development at Dataminr. He holds graduate degrees from the Johns Hopkins School of Advanced International Studies and Tsinghua University.