Refining & Petrochemicals Middle East
WHAT IS ICS AND HOW CAN COMPANIES SECURE IT?
Cyber warfare has many facets which collectively band together to launch unprecedented, complex attacks on industries and organisations of significant value. Industries like oil and gas, chemicals, petrochemicals, pharmaceuticals, metals, and mining are targets of such attacks because their functioning and growth depend heavily on ICS infrastructure. Damaging ICS infrastructure can have catastrophic effects on the well-being of an organisation, its environment and its people, in the form of explosions, power cuts, fires, and spills. The exposure grows as these industries rapidly adopt digitisation and high levels of connectivity.
How can companies secure it? To answer that, you first need to know what ICS is. What is ICS?
ICS stands for industrial control system. Basically, it’s an umbrella term that comprises different information systems and technologies, such as supervisory control and data acquisition (SCADA), distributed control systems (DCS), programmable logic controllers (PLC), and more - with one main goal: to provide management and control of industrial processes. ICSs are widely used in many industries - oil and gas, power grids, manufacturing, smart buildings and cities, and more.
What is the worst that could happen?
The worst-case scenario is the disruption of industrial processes. Depending on the criticality of an industrial object, it can result in loss of money (think about downtime at a manufacturing facility) or even lead to real-world, physical damage. This happened in the US in 2021: the Colonial Pipeline ransomware attack forced the provider’s operational technology (OT) systems offline for several days, leading to major fuel shortages up and down the US East Coast. It remains the largest attack of its kind on critical infrastructure.
Which industries should be particularly concerned about their information security, and why?
When we talk about ICS protection, we should say “cybersecurity” instead of “information security,” because in most cases, we mean the protection of cyber-physical processes or assets, not information.
All critical infrastructures are at risk, but especially electric power generation, transmission and distribution, all kinds of utilities, and all streams of oil and gas. In addition to such sensitive infrastructures, “non-critical” industrial organisations are also suffering from cyberattacks enabled by high connectivity to external networks. According to Kaspersky telemetry, almost 40% of all ICS computers were attacked by malicious software at least once during the second half of 2021. Overall, Kaspersky security solutions blocked over 20,000 malware variants during the second half of 2021. Although this figure did not change much compared to the previous six months, a detailed analysis of detected malware shows that the proportion of ICS computers attacked with spyware, malicious scripts and miners grew.
Moreover, a recent Kaspersky survey also reported that industrial organisations have experienced significant staffing issues, including a lack of cybersecurity experts (19%), staff overloading (46%) and staff turnover (30%). The shortage of operational technology (OT) security professionals is one of the factors threatening the cyber protection of ICS.
What are the types of attacks?
In general, ICS has two major attack vectors. Cybercriminals can access industrial infrastructure via adjacent external networks (e.g., a corporate network with an ERP system that exchanges data with industrial networks for predictive maintenance), or they can try to infiltrate an ICS domain directly by exploiting employee negligence. For example, an engineer can bring an infected USB stick or personal device right into an air-gapped network. It’s important to realise that these days very few truly air-gapped networks still exist, even in critical infrastructures. Industrial networks owe some of their increased connectivity to misconfigurations and to low employee awareness: staff can unintentionally bridge air gaps. Infrastructure modernisation plays a role as well: the so-called Industrial Internet of Things assumes external availability of industrial networks even at the level of field devices.
There are four possible incident enablers in an ICS environment:
• Generic malware that gets inside an industrial network and hits legacy Windows computers. For example, the WannaCry and ExPetr ransomware epidemics caused collateral damage on production floors around the world.
• Targeted attacks such as Stuxnet, Havex, or Industroyer: malware platforms and kill chains designed specifically to hit ICSs.
• The fraudulent actions of insiders who damage their industrial organisations without using any hacker techniques, just their ICS knowledge. This is quite often the case in the oil and gas sector.
• ICS software/hardware errors and misconfiguration.
What happens to the stolen data?
The sensitive data obtained from ICS computers often ends up in various marketplaces. Kaspersky experts identified more than 25 different marketplaces where the stolen credentials from these industrial campaigns were being sold. Analysis of those marketplaces showed high demand for corporate account credentials, especially Remote Desktop Protocol (RDP) accounts. Over 46% of all RDP accounts sold in the analysed marketplaces are owned by companies in the US, while the rest originate from Asia, Europe, and Latin America. Almost 4% (almost 2,000 accounts) of all RDP accounts being sold belonged to industrial enterprises.
What are the solutions?
The first and crucial step is to raise cybersecurity awareness among employees. Cybersecurity and safety training is a must for any industrial company.
From a technology perspective, it’s important to recognise that conventional IT security solutions are not suitable for industrial networks. Conventional solutions are designed with a high tolerance for false positives, notable consumption of resources, and a constant Internet connection as an essential requirement. These aspects don’t fit ICS specifics, which means that installing conventional endpoint protection in an ICS environment can actually be dangerous - it can lead to disruption of the industrial process.
To keep your ICS systems and infrastructure protected from various threats, Kaspersky experts recommend:
• Regularly updating operating systems and any application software that is part of the enterprise’s industrial network. Apply security fixes and patches to ICS network equipment as soon as they are available.
• Conducting regular security audits of OT systems to identify and eliminate possible vulnerabilities.
• Using ICS network traffic monitoring, analysis and detection solutions for better protection from attacks that potentially threaten technological processes and main enterprise assets.
• Providing dedicated ICS security training for IT security teams and OT engineers. This is crucial to improve response to new and advanced malicious techniques.
• Providing the security team responsible for protecting industrial control systems with up-to-date threat intelligence. The ICS Threat Intelligence Reporting service provides insights into current threats and attack vectors, as well as the most vulnerable elements in OT and industrial control systems and how to mitigate them.
• Using security solutions for OT endpoints and networks such as Kaspersky Industrial Cybersecurity to ensure comprehensive protection for all industry critical systems.
• Protecting the IT infrastructure. Integrated Endpoint Security protects corporate endpoints and enables automated threat detection and response capabilities.
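As an added illustration of the traffic-monitoring recommendation above, and of the IT-to-OT boundary vector described earlier, the following Python script is not from the article or from any Kaspersky product. It compares observed flow records against a baseline of expected OT conversations and raises alerts for anything outside it, such as RDP reaching into the OT zone from the corporate network or an unknown host talking Modbus to a PLC. The zone addressing, the baseline, the log format and the flow lines are all constructed sample data.

```python
"""Baseline-driven monitoring of ICS network flows (added example, assumptions only)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

# Constructed zone model: corporate IT and OT segments (assumed addressing).
ZONES = {
    "corporate": ip_network("10.1.0.0/16"),
    "ot": ip_network("192.168.100.0/24"),
}

# Well-known destination ports for the protocols seen in the sample flows.
PORT_NAMES = {502: "modbus", 3389: "rdp", 1433: "mssql", 44818: "enip"}

# Constructed baseline of expected OT conversations: (src, dst, dst_port).
# In practice this would be learned during a quiet period and reviewed by OT engineers.
BASELINE = {
    ("192.168.100.10", "192.168.100.50", 502),   # HMI -> PLC, Modbus
    ("192.168.100.10", "192.168.100.51", 502),   # HMI -> second PLC, Modbus
    ("192.168.100.20", "192.168.100.10", 1433),  # historian -> HMI database
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    nbytes: int


@dataclass(frozen=True)
class Alert:
    severity: str
    reason: str
    flow: Flow


def zone_of(ip: str) -> str:
    """Map an address to a zone name; anything outside the known ranges is 'external'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_flow_line(line: str) -> Flow:
    """Parse the constructed log format: '<src> <dst> <dst_port> <bytes>' with optional '#' comment."""
    src, dst, port, nbytes = line.split("#", 1)[0].split()
    return Flow(src, dst, int(port), int(nbytes))


def assess(flow: Flow) -> Optional[Alert]:
    """Return an alert if the flow is outside the OT baseline, else None."""
    proto = PORT_NAMES.get(flow.dst_port, f"tcp/{flow.dst_port}")
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if dst_zone != "ot":
        return None  # only traffic entering or inside the OT zone is assessed here
    if (flow.src, flow.dst, flow.dst_port) in BASELINE:
        return None  # known, expected conversation
    if src_zone != "ot":
        # Cross-boundary traffic: the corporate/external-to-OT vector from the article.
        # Remote desktop into OT is treated as the most serious case.
        severity = "critical" if flow.dst_port == 3389 else "high"
        return Alert(severity, f"{proto} into OT from {src_zone} zone", flow)
    return Alert("medium", f"unbaselined {proto} conversation inside OT", flow)


def monitor(lines: Iterable[str]) -> List[Alert]:
    """Run every non-empty, non-comment flow line through assess() and collect alerts."""
    alerts: List[Alert] = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        alert = assess(parse_flow_line(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample flow log (not real telemetry).
SAMPLE_FLOWS = """\
192.168.100.10 192.168.100.50 502 1200    # HMI -> PLC, baselined
192.168.100.10 192.168.100.51 502 900     # HMI -> PLC, baselined
10.1.5.23 192.168.100.10 3389 50000       # corporate host opens RDP to the HMI
192.168.100.77 192.168.100.50 502 300     # unknown OT host talks Modbus to a PLC
10.1.5.23 10.1.9.9 443 2000               # IT-only traffic, not assessed
203.0.113.5 192.168.100.50 502 100        # external address reaches a PLC directly
"""

if __name__ == "__main__":
    for a in monitor(SAMPLE_FLOWS.splitlines()):
        print(f"[{a.severity}] {a.reason}: {a.flow.src} -> {a.flow.dst}:{a.flow.dst_port}")
```

The baseline is deliberately a set of exact (source, destination, port) tuples rather than a port allow-list, because in an OT network the set of hosts that should speak Modbus to a given PLC is small and stable, so any new conversation is itself a signal. The monitor is passive and never touches the control traffic, which is the property the article asks for when it warns that conventional endpoint tools can disrupt the process.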