The next wave of powerful cyber attacks goes far beyond ransomware, like the Cuba ransomware group that hit 49 critical infrastructure organizations. Ransomware is giving way to the even higher stakes of killware aimed at critical infrastructure. Attacks on the industrial IoT devices deployed in critical infrastructure, especially nation-state attacks, are becoming less about money and more about control and causing as much damage as possible.
Bleeding revenue to traditional ransomware is far from ideal, but with critical infrastructure attacks like Colonial Pipeline, JBS Foods, and the smart gas stations in Iran, lives are on the line, and models like ransomware as a service and exploit as a service make those attacks even more dangerous.
Gartner predicts that by 2025, attackers will weaponize operational technology (OT) to harm or kill humans. Lawsuits already attribute two deaths to cyber attacks in critical infrastructure, though those who died likely weren’t targeted.
Some attacks, like the one on a water treatment plant in Oldsmar, Florida, are thwarted quickly. The attacker briefly raised the amount of sodium hydroxide, the main ingredient in liquid drain cleaners, being added to the water supply from 100 parts per million to 11,100 parts per million. The change was reversed almost immediately and the public was never at risk in this case, but it is a cheap lesson in just how far behind critical infrastructure can be in its cybersecurity posture.
According to Fortinet’s 2021 State of Operational Technology and Cybersecurity Report, 90% of organizations experienced at least one intrusion in the past year and 63% had three or more intrusions.
Here are a few tips so that your organization can avoid being the next target.
1. Get full visibility into your network
You don’t know what to protect if you don’t have a full picture of what’s on your network. Many organizations think they do but aren’t accounting for everything. Industrial Internet of Things (IoT) devices are attractive targets, but most of the companies that utilize them aren’t aware of what’s inside them.
If you don’t know how many doors your house has, you can’t be sure you’ve locked them all. The same applies to securing your network. The first step is a comprehensive audit.
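A minimal version of the audit described above, as an added example that is not part of the original article: it reconciles an asset register (what the organization believes is on the OT network) against what is actually observed on the wire, pulling from both DHCP leases and the ARP table because statically addressed devices never show up in DHCP logs. Every device name, MAC and IP address, and the log lines themselves are constructed for illustration.

```python
"""Reconcile an asset register against devices actually seen on the network.

Added example, not from the original article. Device names, addresses and
the log excerpts below are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    mac: str
    ip: str
    name: str


# Constructed asset register: what the organization *thinks* is on the OT network.
ASSET_REGISTER = [
    Device("00:1c:06:aa:01:01", "10.20.0.10", "plc-boiler-1"),
    Device("00:1c:06:aa:01:02", "10.20.0.11", "hmi-control-room"),
    Device("00:1c:06:aa:01:03", "10.20.0.12", "historian"),
    Device("00:1c:06:aa:01:04", "10.20.0.20", "eng-workstation"),
]

# Constructed ISC dhcpd-style lease log lines and an ARP table dump.
DHCP_LOG = """\
Mar  3 08:12:01 dhcp dhcpd: DHCPACK on 10.20.0.10 to 00:1c:06:aa:01:01 (plc-boiler-1) via eth1
Mar  3 08:12:04 dhcp dhcpd: DHCPACK on 10.20.0.11 to 00:1c:06:aa:01:02 (hmi-control-room) via eth1
Mar  3 08:13:40 dhcp dhcpd: DHCPACK on 10.20.0.57 to 3c:71:bf:0e:22:9a via eth1
"""
ARP_TABLE = """\
? (10.20.0.10) at 00:1c:06:aa:01:01 [ether] on eth1
? (10.20.0.21) at 00:1c:06:aa:01:04 [ether] on eth1
? (10.20.0.57) at 3c:71:bf:0e:22:9a [ether] on eth1
? (10.20.0.99) at b8:27:eb:45:67:89 [ether] on eth1
"""

DHCP_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})")
ARP_RE = re.compile(r"\((\S+)\) at ([0-9a-f:]{17})")


def observed_devices(dhcp_log, arp_table):
    """Return {mac: ip} for every device seen in either source.

    A statically addressed device never appears in DHCP logs, so a second
    source (ARP here; switch CAM tables or passive capture in practice) is
    required to get a complete picture.
    """
    seen = {}
    for line in dhcp_log.splitlines():
        m = DHCP_RE.search(line)
        if m:
            seen[m.group(2).lower()] = m.group(1)
    for line in arp_table.splitlines():
        m = ARP_RE.search(line)
        if m:
            seen[m.group(2).lower()] = m.group(1)
    return seen


def reconcile(register, seen):
    """Sort findings into unknown (on the wire but not registered), missing
    (registered but never seen) and drift (registered with a different IP)."""
    by_mac = {d.mac.lower(): d for d in register}
    unknown = sorted(mac for mac in seen if mac not in by_mac)
    missing = sorted(d.name for mac, d in by_mac.items() if mac not in seen)
    drift = sorted(d.name for mac, d in by_mac.items()
                   if mac in seen and seen[mac] != d.ip)
    return {"unknown": unknown, "missing": missing, "drift": drift}


if __name__ == "__main__":
    result = reconcile(ASSET_REGISTER, observed_devices(DHCP_LOG, ARP_TABLE))
    for category, items in result.items():
        print(f"{category}: {items}")
```

The "unknown" list is the one that matters most for the point above: two MACs are talking on the control network that nobody has accounted for, and a "missing" historian may be offline or may have been replaced by something else entirely. Running this reconciliation on a schedule, rather than once, is what turns an audit into visibility.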
2. Patch your vulnerabilities
Once you know what’s on your network, the next step is to find out how safe those resources and devices are. If vulnerabilities and security risks leave doors open, patch those devices so that you can be as secure as possible. In some cases you may not be able to patch, but the next tip is a good way to at least keep that vulnerability isolated.
3. Segment your network
Finding vulnerabilities can be a difficult task, so many attackers go after credentials and permissions instead. If your network is flat, any open door gives an attacker free rein: once inside, they can move laterally and reach other resources. During the height of the pandemic, remote access attacks skyrocketed as so many people were forced to work outside the office.
If you segment your network, the attacker is confined to one room rather than the entire house. As few credentials as possible should be able to unlock every segment, which restricts attackers even further. While measures like multi-factor authentication have strengthened the perimeter, segmenting your network is still a smart play for when an attack gets through.
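To make the "one room, not the whole house" idea concrete, here is an added example (not from the original article) that models a Purdue-style zone layout and checks observed flows against a zone-to-zone allow-list. The zones, subnets, ports, allow-list entries and flow records are all constructed; a real policy is enforced by the firewalls between zones, and this only models that policy so you can see which flows a flat network would have let through.

```python
"""Check observed network flows against a zone-based segmentation policy.

Added example, not from the original article. Zone names, subnets, the
allow-list and the flow records are constructed for illustration.
"""
import ipaddress

# Constructed zones, roughly following the Purdue model.
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "dmz":        ipaddress.ip_network("10.5.0.0/24"),
    "control":    ipaddress.ip_network("10.20.0.0/24"),
    "safety":     ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed allow-list of (src_zone, dst_zone, dst_port). Anything not
# listed is denied, so enterprise hosts never reach control or safety directly.
SEGMENTED_POLICY = {
    ("enterprise", "dmz", 443),     # users reach the historian mirror in the DMZ
    ("dmz", "control", 502),        # DMZ collector polls PLCs over Modbus/TCP
    ("control", "control", 502),    # HMIs talk to PLCs inside the control zone
    ("control", "safety", 502),     # control -> safety is explicitly allowed
}

# Constructed flow records (src_ip, dst_ip, dst_port). The enterprise
# workstation 10.1.4.23 stands in for a host compromised by phishing.
FLOWS = [
    ("10.1.4.23", "10.5.0.10", 443),    # normal: workstation -> DMZ web front end
    ("10.5.0.10", "10.20.0.10", 502),   # normal: DMZ collector -> PLC
    ("10.1.4.23", "10.20.0.10", 502),   # lateral move attempt: workstation -> PLC
    ("10.1.4.23", "10.30.0.5", 502),    # lateral move attempt: workstation -> safety
    ("10.20.0.11", "10.20.0.10", 502),  # normal: HMI -> PLC
]


def zone_of(ip):
    """Map an address to its zone; anything outside the known subnets is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(flows, policy, flat=False):
    """Return the flows a firewall enforcing *policy* would block.

    flat=True models the flat network the text warns about: every flow is
    permitted, so the lateral moves pass unchallenged.
    """
    blocked = []
    for src, dst, port in flows:
        if flat:
            continue
        if (zone_of(src), zone_of(dst), port) not in policy:
            blocked.append((src, dst, port))
    return blocked


def cross_zone_denies(flows, policy):
    """Denied flows that cross from enterprise into control or safety.

    These are the high-value detection signal: a legitimate user has no
    reason to generate them, so each one deserves an alert.
    """
    return [f for f in evaluate(flows, policy)
            if zone_of(f[0]) == "enterprise" and zone_of(f[1]) in ("control", "safety")]


if __name__ == "__main__":
    print("flat network blocks:", evaluate(FLOWS, SEGMENTED_POLICY, flat=True))
    print("segmented network blocks:", evaluate(FLOWS, SEGMENTED_POLICY))
    print("alert-worthy denies:", cross_zone_denies(FLOWS, SEGMENTED_POLICY))
```

The denied flows are worth more than just being dropped: a firewall deny from the enterprise zone into the control or safety zone is exactly the kind of event that should feed your monitoring, because it is both an attack indicator and evidence that the segmentation is doing its job.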
4. Take cybersecurity education seriously
Human error, like clicking a link in a phishing scam, is a huge threat to cybersecurity. According to the Fortinet study, 42% of respondents experienced insider breaches, up from 18% last year.
Run breach and attack simulations (BAS) to get a realistic sense of your biggest risks and to educate employees on better protocols. BAS is among the top security and risk trends that Gartner is watching.
5. Test your backups
It’s not enough to have backups. You need to test them to make sure they actually give your organization a proper starting point if an attack requires you to restore systems and device configurations.
Importance was once placed on “air-gapped” backups, meaning backups that weren’t connected directly to the internet, but in today’s landscape that isolation is largely a myth. There is always a way to reach and infect backups through an on-premises connection to the system, so nothing is truly “air-gapped.”
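Testing a backup means restoring it somewhere disposable and checking what came back, not just confirming the job ran. The following is an added example (not from the original article) of that verify step in miniature: it builds a small tar.gz of constructed "device configuration" files together with a manifest of SHA-256 hashes, restores the archive into a scratch directory, and reports every file that is missing, altered or unexpected. The file names and contents are constructed; a real drill restores onto representative hardware, and the manifest must be kept apart from the archive so a tampered backup cannot vouch for itself.

```python
"""Restore a backup into a scratch directory and verify it file by file.

Added example, not from the original article. The configuration files,
archive and manifest format are constructed for illustration.
"""
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed stand-ins for the device configurations a backup should cover.
SAMPLE_FILES = {
    "configs/plc-boiler-1.cfg": b"setpoint_naoh_ppm=100\nalarm_high_ppm=150\n",
    "configs/hmi-control-room.cfg": b"screens=overview,boiler\nauth=required\n",
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(files):
    """Build an in-memory tar.gz and a manifest {relative path: sha256}.

    Constructed stand-in for a backup job. The manifest is returned
    separately on purpose: it should be stored apart from the archive.
    """
    buf = io.BytesIO()
    manifest = {}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[name] = hashlib.sha256(data).hexdigest()
    return buf.getvalue(), manifest


def verify_restore(archive_bytes, manifest):
    """Extract into a throwaway directory and compare against the manifest.

    Returns (ok, problems); problems is a sorted list of (kind, path) with
    kind in {"missing", "altered", "unexpected", "unsafe_path"}.
    """
    problems = []
    restored = {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
            for member in tar.getmembers():
                # Refuse entries that would write outside the scratch directory.
                if member.name.startswith("/") or ".." in member.name.split("/"):
                    problems.append(("unsafe_path", member.name))
                    continue
                tar.extract(member, scratch)
        for root, _, names in os.walk(scratch):
            for n in names:
                full = os.path.join(root, n)
                rel = os.path.relpath(full, scratch).replace(os.sep, "/")
                restored[rel] = sha256_file(full)
    for name, digest in manifest.items():
        if name not in restored:
            problems.append(("missing", name))
        elif restored[name] != digest:
            problems.append(("altered", name))
    for name in restored:
        if name not in manifest:
            problems.append(("unexpected", name))
    return (not problems), sorted(problems)


if __name__ == "__main__":
    archive, manifest = make_backup(SAMPLE_FILES)
    print("clean restore:", verify_restore(archive, manifest))

    # Simulate a backup that was silently damaged after the manifest was taken:
    # one config changed, one config gone.
    damaged = dict(SAMPLE_FILES)
    damaged["configs/plc-boiler-1.cfg"] = b"setpoint_naoh_ppm=11100\n"
    del damaged["configs/hmi-control-room.cfg"]
    damaged_archive, _ = make_backup(damaged)
    print("damaged restore:", verify_restore(damaged_archive, manifest))
```

The second run is the point of the exercise: a backup job that "succeeded" can still hand you an altered PLC configuration and a missing HMI configuration, and you only find out by restoring and comparing against a manifest that was recorded when the data was known to be good.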
The future of critical infrastructure
Critical infrastructure was already behind other sectors in security measures because, unlike private companies that were more likely to invest, public utilities largely treated security as an afterthought. With attackers’ motives shifting toward taking broad control of victims’ networks and industrial IoT devices and wreaking havoc from there, industrial control systems (ICS) are starting to look like an easy and impactful target.
There are regulations aimed at helping the cause, but regulations are like seat belts: they won’t prevent a car crash, they only offer protection when one occurs. Proactive measures like the ones listed above go beyond regulations and will put you in much better standing against threats to the industrial IoT devices organizations rely on every day.