Consider the case of the phantom gas turbine. Robert Lee, CEO and founder of Dragos, shared this anecdote during his Emerson Exchange presentation “The Reality of Today’s Cyber-Threats and Advice to Safeguard Civilization.” A little while back, a gas turbine sprang to life on its own, puzzling—but not injuring, thankfully—personnel who had properly shut it down.
An investigation revealed that this anomaly was not a cyber-attack by some nefarious nation-state, but rather mere moths attracted to the brightly illuminated, outdoor HMI touchscreens. They powered up the turbine with the delicate flutter of their wings.
The lesson, as Lee framed it for this lunchtime speech? Vulnerabilities and the cyber-attacks they enable should be prioritized, ranked to enable industrial enterprises to address the most important elements first, then worry about the least likely attacks down the road.
And to properly make those prioritizations, you must properly understand your industrial environments, particularly as these environments are evolving. “Proper defense is entirely doable if you have a solid understanding of your environments,” said Lee, who cut his teeth as a US Air Force cyber-warfare operations officer tasked to the National Security Agency and has worked on headline-grabbing cybersecurity incidents such as the 2016 attack on Ukraine’s electric system, the 2017 TRISIS attack on a Saudi Arabian petrochemical facility in the first attempt to try to kill people through malicious software, and the 2021 Colonial Pipeline ransomware incident. “This requires real visibility into your industrial environments.”
Adversaries, of course, are getting more visibility themselves. Lee explained how, with the rise of connectivity between assets and facilities as a critical component of Industry 4.0, bad actors often have as much (if not greater) entry to private industrial systems as those charged with protecting them. Connectivity extends to the crooks.
Likewise, the homogeny intrinsic to the digitalization of industry, in which multiple assets can operate on mirrored systems, enables attacks to be launched at scale.
“Attacks used to be limited by the environments…the laws of physics prevented widespread attacks,” he said, adding that adversaries couldn’t repurpose attacks from, say, one substation to another.
No more. Industry is changing. We are becoming more connected, more homogeneous, and as the presenter described, we more often have the same software under the hood at many different assets. That invites scaled attacks, enabling communication PLC to PLC, offering access to engineers’ workstations to, say, reprogram controllers and cause serious harm.
“This is a real concern,” he stressed, explaining how what was once considered primarily an IT problem has seeped into the other side of the house. “Now, we have to think about security in the operations context.”
Lee proffered five critical controls for doing so. First, create a solid incident-response plan specific to industrial control systems (ICS) and other operational technology (OT) that enables you to determine what is needed to mitigate risks. Next, establish a defensible architecture—creating a truly defensive environment.
Then, focus on ICS network security monitoring, followed by establishing secure remote access/multi-factor authentication. Consider the interplay between your IT and OT environments here, he said, and the access granted to your service providers. This is where compromises take place, and where multi-factor authentication is a great threat-deterrent.
Lastly, study your key vulnerability-management program. In other words, prioritize. “If it can impact your operations, that makes it a key vulnerability,” Lee explained. “You should get to a place where you are mitigating risk at your key vulnerabilities rather than wasting your time with low-risk elements.”
This mindset grows more critical each day, as attacks become more sophisticated and pervasive. Consider weapons such as PIPEDREAM, a highly flexible framework to attack industrial infrastructure globally that the Dragos team uncovered before it was launched. This attack is a greatest-hits collection, Lee labeled it, indicating how adversaries are learning from each other and aggregating tools of destruction. (Dragos discovered and disabled the PIPEDREAM threat before it was employed at more than a dozen US energy infrastructure facilities.)
Scary stuff for sure. But there is cause for optimism. Lee noted during his presentation that adversaries are only human, oftentimes less skilled than their counterparts within industrial enterprises. He also recommended that security teams exploit their “home field advantage,” knowing the IT and OT systems they built much better than those merely poking around to undermine them.
And the cybersecurity pro who has helped extinguish cybersecurity fires around the globe has tremendous faith in the engineering community—many of whom joined him for this lunchtime presentation—that builds, implements and maintains security-focused industrial networks in this digital era. “Reliable environments,” he assured, “make it easier to prevent cyber-attacks.”