Refining & Petrochemicals Middle East

WHAT IS ICS AND HOW CAN COMPANIES SECURE IT?


Cyber warfare has many facets which collectively band together to launch unprecedented, complex attacks on industries and organisations of significant value. Industries like oil and gas, chemicals, petrochemicals, pharmaceuticals, metals, and mining are targets of such attacks because their functioning and growth depend heavily on ICS infrastructure. Damaging ICS infrastructure can have catastrophic effects on the well-being of an organisation, its environment and its people, in the form of explosions, power cuts, fires, and spills. The likelihood is high, as these industries are rapidly adopting digitisation and connectivity at every level.

How can this be done? To answer that, you first need to know what ICS is. What is ICS?

ICS stands for industrial control system. Basically, it's an umbrella term that comprises different information systems and technologies, such as supervisory control and data acquisition (SCADA), distributed control systems (DCS), programmable logic controllers (PLC), and more - with one main goal: to provide management and control of industrial processes. ICSs are widely used in many industries - oil and gas, power grids, manufacturing, smart buildings and cities, and more.

What is the worst that could happen?

The worst-case scenario is disruption of industrial processes. Depending on the criticality of an industrial object, it can result in loss of money (think of downtime at a manufacturing facility) or even lead to real-world, physical damage. This happened in the US in 2021: the Colonial Pipeline ransomware attack forced the provider's operational technology (OT) systems offline for several days, leading to major fuel shortages up and down the US East Coast. It remains the largest attack of its kind on critical infrastructure.

Which industries should be particularly concerned about their information security, and why?

When we talk about ICS protection, we should say "cybersecurity" instead of "information security," because in most cases we mean the protection of cyber-physical processes or assets, not information.

All critical infrastructures are at risk, but especially electric power generation, transmission and distribution, all kinds of utilities, and all streams of oil and gas. In addition to such sensitive infrastructures, "non-critical" industrial organisations are also suffering from cyberattacks enabled by high connectivity to external networks. According to Kaspersky telemetry, almost 40% of all ICS computers were attacked by malicious software at least once during the second half of 2021. Overall, Kaspersky security solutions blocked over 20,000 malware variants during the second half of 2021. Although this figure did not change much compared to the previous six months, a detailed analysis of detected malware shows that the proportion of ICS computers attacked with spyware, malicious scripts and miners grew.

Moreover, a recent Kaspersky survey also reported that industrial organisations have experienced significant staffing issues, including those related to the lack of cybersecurity experts (19%), staff overloading (46%) and staff turnover (30%). The shortage of operational technology (OT) security professionals is one of the reasons threatening the cyber protection of ICS.

What are the types of attacks?

In general, ICS has two major attack vectors. Cybercriminals can access industrial infrastructure via external networks that border it (e.g., a corporate network with an ERP system that exchanges data with industrial networks for predictive maintenance), or they can try to infiltrate an ICS domain directly, exploiting employee negligence. For example, an engineer can bring an infected USB stick or personal device right into an air-gapped network. It's important to realise that these days very few truly air-gapped networks still exist, even in critical infrastructures. Industrial networks owe some of their increased connectivity to misconfigurations and to low employee awareness: staff can unintentionally bridge air gaps. Infrastructure modernisation plays a role as well: the so-called Industrial Internet of Things assumes external availability of industrial networks even at the level of field devices.

There are four possible incident enablers in an ICS environment:

• Generic malware that gets inside an industrial network and hits legacy Windows computers. For example, the recent epidemics of WannaCry and ExPetr ransomware incidentally damaged many industrial shop floors around the world.

• Targeted attacks such as Stuxnet, Havex, or Industroyer: malware platforms and kill chains designed specifically to hit ICSs.

• The fraudulent actions of insiders that damage their industrial organisations without using any hacker techniques, just their ICS knowledge. This is quite often the case in the oil and gas sector.

• ICS software/hardware errors and misconfiguration.

What happens to the stolen data?

The sensitive data obtained from ICS computers often ends up in various marketplaces. Kaspersky experts identified more than 25 different marketplaces where the stolen credentials from these industrial campaigns were being sold. Analysis of those marketplaces showed high demand for corporate account credentials, especially for Remote Desktop Protocol (RDP) accounts. Over 46% of all RDP accounts sold in the analysed marketplaces are owned by companies in the US, while the rest originate from Asia, Europe, and Latin America. Almost 4% (almost 2,000 accounts) of all RDP accounts being sold belonged to industrial enterprises.

What are the solutions?

The first and crucial step is to raise cybersecurity awareness among employees. Cybersecurity and safety training is a must for any industrial company.

From a technology perspective, it's important to recognise that conventional IT security solutions are not suitable for industrial networks. Conventional solutions are designed with a high tolerance for false positives, notable consumption of resources, and a constant Internet connection as an essential requirement. These aspects don't fit ICS specifics, which means that installing conventional endpoint protection in an ICS environment can actually be dangerous - it can lead to disruption of the industrial process.

To keep your ICS and supporting infrastructure protected from various threats, Kaspersky experts recommend:

• Regularly updating operating systems and any application software that is part of the enterprise's industrial network. Apply security fixes and patches to ICS network equipment as soon as they are available.

• Conducting regular security audits of OT systems to identify and eliminate possible vulnerabilities.

• Using ICS network traffic monitoring, analysis and detection solutions for better protection from attacks that potentially threaten technological processes and main enterprise assets.

• Providing dedicated ICS security training for IT security teams and OT engineers. This is crucial to improve response to new and advanced malicious techniques.

• Providing the security team responsible for protecting industrial control systems with up-to-date threat intelligence. The ICS Threat Intelligence Reporting service provides insights into current threats and attack vectors, as well as the most vulnerable elements in OT and industrial control systems and how to mitigate them.

• Using security solutions for OT endpoints and networks, such as Kaspersky Industrial Cybersecurity, to ensure comprehensive protection for all industry-critical systems.

• Protecting the IT infrastructure. Integrated Endpoint Security protects corporate endpoints and enables automated threat detection and response capabilities.
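As an added illustration of the boundary-crossing attack vector described above and of the traffic-monitoring recommendation in this list (example code written for this page, not Kaspersky's product or the article's own material): a minimal allowlist check over constructed flow records that flags IT-to-OT traffic outside the one approved conduit and any unknown host speaking a controller-protocol port. The zones, hosts, conduit and port list are assumptions.

```python
from ipaddress import ip_address, ip_network

# Assumed zones, hosts and conduit for the example; not values from the article.
IT_ZONE = ip_network("10.10.0.0/16")        # corporate network
OT_ZONE = ip_network("192.168.100.0/24")    # industrial network
# The one sanctioned IT->OT exchange (ERP to historian) as (src, dst, dst_port).
APPROVED_CONDUITS = {("10.10.5.20", "192.168.100.10", 443)}
# Stations allowed to speak controller protocols (SCADA/engineering hosts).
CONTROL_STATIONS = {"192.168.100.10", "192.168.100.11"}
ICS_PORTS = {502, 102, 44818, 20000}  # Modbus/TCP, S7comm, EtherNet/IP, DNP3

def parse_flow(line):
    """Parse 'src dst dst_port proto' into a tuple; None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    src, dst, port, proto = parts
    try:
        return ip_address(src), ip_address(dst), int(port), proto
    except ValueError:
        return None

def classify_flow(line):
    """Return the alerts raised by one flow record (empty list if benign)."""
    parsed = parse_flow(line)
    if parsed is None:
        return ["unparseable record"]
    src, dst, port, _ = parsed
    alerts = []
    # Zone crossing: only the approved conduit may go from IT into OT.
    if src in IT_ZONE and dst in OT_ZONE:
        if (str(src), str(dst), port) not in APPROVED_CONDUITS:
            alerts.append(f"unapproved IT->OT crossing {src}->{dst}:{port}")
    # Protocol check: only known stations may talk to controller ports.
    if port in ICS_PORTS and str(src) not in CONTROL_STATIONS:
        alerts.append(f"unknown host {src} on ICS protocol port {port}")
    return alerts

# Constructed sample records (src dst dst_port proto), not real telemetry.
SAMPLE_FLOWS = [
    "10.10.5.20 192.168.100.10 443 tcp",      # approved ERP->historian conduit
    "10.10.7.44 192.168.100.25 502 tcp",      # IT laptop reaching a PLC on Modbus
    "192.168.100.11 192.168.100.25 502 tcp",  # engineering station, expected
    "192.168.100.90 192.168.100.25 102 tcp",  # unknown OT host speaking S7comm
]

if __name__ == "__main__":
    for record in SAMPLE_FLOWS:
        print(record, "->", classify_flow(record) or "ok")
```

In practice the allowlists would come from the asset inventory and the approved conduit list rather than being hard-coded, and the records would be fed from a network tap or flow collector.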

By Amir Kanaan, managing director for Middle East, Turkey, and Africa at Kaspersky
