Preparing the way to combat the threat of cyberattacks

Process control and automation technologies are increasingly under threat from sophisticated and well-funded criminal groups. Many of these groups use sophisticated techniques to disrupt or sabotage an organisation’s operations.

The increasing interconnectivity of corporate networks and industrial control systems (ICSs) increases an organisation’s level of risk to a variety of threats. Traditionally cybercriminals have looked to penetrate systems, gather information and leave undetected. However, a new wave of cyberattacks has taken shape with the aim to target and take control of infrastructure and process control systems.

While increasingly automated processes lead to significantly improved efficiency, these processes create new entry points into an organisation’s ICS infrastructure that previously didn’t exist. This trend is expected to continue to grow over the next decade.

Systems relating to energy and utilities, particularly critical infrastructure assets - such as power generation plants, distribution and transmission and water supplies to name a few - are targets for these cybercriminals. Anecdotal evidence suggests that these cybercriminals have the resources and the knowledge to cripple even the largest organisation.

Therefore, one may suggest that the larger and more diverse the organisation, the greater the number of vulnerabilities that can be exploited.

Until recently, existing security measures have generally been sufficient to deal with known threats. This is especially true of systems that are quarantined or ‘air-gapped’ from corporate networks as well as those protected by traditional security endpoint enforcement technologies such as firewalls. There have also been only a handful of documented malicious cyber incidents to date in operational environments. However, as the opportunities continue to grow, the threats will continue to evolve and the repercussions become more serious.

The changing external environment, continued use of legacy systems and convergence of traditional information technology and operational technology systems means that many organisations must recognise the risk and enhance their security measures. The alternative is to risk exposure, the impact of which is not limited to breach of privacy, fraud or loss of competitive advantage but can include real loss of life and other catastrophic situations.

Network intrusion can leave an organisation open to sophisticated threats that range from the theft of valuable information to full access and control of operations. The best response is one that includes both technology and processes to minimise the chance of an attack succeeding.

When it comes to processes, for example, systems should be expressly designed to verify: the identity of the individual or system sending information; that the information is received without error; and that the content is intended and appropriate for the receiving system. This can help protect critical systems from access, manipulation and control by those intending harm through disruption and sabotage.

There are four key steps that organisations must take to identify what is needed to secure their industrial environments:

1. Stakeholder engagement
2. System sensitivity mapping
3. Vulnerability assessment
4. Threat modelling

Step 1: Key stakeholder engagement

Working with key engineers and IT staff helps organisations understand the systems and the environment, as well as their function and the platforms on which they are hosted. In this first phase, it is important to identify if there are any test environments that could be used for the assessment.

To provide a strong assessment of the production environment, organisations need to determine how closely these test environments replicate the configuration of the production system.

Step 2: System sensitivity mapping

The information obtained in the key stakeholder engagement can be used to develop system mappings and group the systems based on sensitivity and criticality. This lets organisations determine which systems are good for testing and which ones entail a high risk of compromising the operational availability. This system knowledge can then be used as a working tool for all future implementations in the environment.

Step 3: Vulnerability assessment

Once systems are cleared for testing, they need to be subjected to penetration testing. This process is similar to conventional penetration testing, but with control systems, organisations need to make sure that they are not saturated and not denying service to legitimate users.

Step 4: Threat modelling

With the information obtained from testing performed on the ICS environment, a threat model can be developed and risks can be determined. This process is generally performed when a conventional penetration test is impossible.

Threat modelling assists the organisation to understand how the systems in the environment will be attacked, the types of compromises that will occur and the likelihood of attacks.

Conclusion

The threat landscape is constantly changing, and with it, modern cyber defences must evolve even more quickly. An enterprise approach to these challenges supported by technology, process and cooperation across the organisation will help improve threat intelligence and stay one step ahead of cybercriminals in this age of digital criminality.