The LockerGoga ransomware recently made headlines when it crippled several of Norwegian aluminum manufacturer Norsk Hydro’s plants. The incident has so far cost Norsk Hydro at least $40 million in damages. LockerGoga also affected operations at French engineering consulting firm Altran, and U.S. chemical companies Hexion and MPM Holdings (Momentive). While the ransomware does not target or infect industrial control systems (ICS) directly, its debilitating effects on the business and production networks tied to these operational systems result in costly production downtime.
Last year, two ransomware attacks—WannaCry and NotPetya—shut down operational-technology (OT) networks at pharmaceutical manufacturer Merck, package delivery service FedEx and shipping firm A.P. Moller-Maersk, to name a few. Meanwhile, an ICS-specific form of malware known as TRITON was used to attack a Middle East petrochemical plant in December, which could have caused significant damage to the facilities, or worse.
The writing is on the wall. OT networks now face the same threats that have plagued IT networks for the past two decades.
Until fairly recently, industrial facilities and equipment were isolated from the rest of the world. They were not connected to the internet or even other systems, which made the threat of security incidents very unlikely. Furthermore, the computers used to run industrial processes generally operate for years without any updates or changes. In some cases, these devices can run for 20-30 years without requiring the typical care and feeding given to traditional computers.
More recently, the industrial internet of things (IIoT) has eliminated this buffer zone or “air gap”. By connecting once isolated industrial devices to business networks, IIoT has introduced new security risks that could be right out of a science fiction novel. But they’re not.
That’s because the consequences of industrial security incidents can dwarf the damages associated with computer security incidents. Consider the physical, environmental and health safety implications that could result from security breaches that cause processes in food, beverage, pharmaceutical, chemical, water, utility or nuclear facilities to go awry.
On January 10, an investigative report published by the Wall Street Journal reconstructed a hack of the US electrical grid by Russia, achieved by compromising hundreds of contractors and subcontractors that work with utilities in order to get in through the back door of energy providers’ networks. Meanwhile, on January 15, Forbes reported that two hackers in Italy were able to take control of 15 cranes and other heavy construction equipment using an industrial control system vulnerability and a remote control device costing less than $500.
To protect industrial equipment, processes and facilities from digital security threats, we need to apply to OT systems the same approach used to protect IT infrastructure. While the tools need to be architected for an OT environment, many of the concepts are the same. They include:
- Maintaining an up-to-date inventory of assets.
- Patching systems when vulnerabilities are discovered.
- Applying a strong access control standard so that insiders such as employees and contractors get access only to the assets required for their job function.
- Deploying a strong, multi-disciplinary threat control system consisting of both signature and anomaly detection.
- Performing regular device checks on OT assets to ensure they are running as expected and have not been compromised.
Monitoring control systems and processes for unintended changes, whether they are the result of malicious attacks or human error, is central to preventing shutdowns. This is an important beneficial byproduct of implementing an OT security program.
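To make the list above and the point about unintended changes concrete, here is an added example, written for this page and not code from the article or from Indegy. It ties an asset inventory, a small signature list of known-vulnerable firmware, and an anomaly check (configuration fingerprint, newly exposed ports, setpoint drift) into one periodic device check. Every asset, vendor, firmware version, port and setpoint in it is constructed for illustration, and the `AssetSnapshot` fields stand in for whatever a real collector would read from a controller.

```python
"""Baseline-driven integrity checks for OT assets.

Added example (not from the article or from Indegy): the inventory, firmware
versions, ports and setpoints below are constructed for illustration.
"""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class AssetSnapshot:
    """What a periodic device check collects from one controller (hypothetical fields)."""
    asset_id: str
    vendor: str
    firmware: str
    config_hash: str          # SHA-256 of the controller's project/config image
    open_ports: frozenset     # TCP ports answering on the device
    setpoints: tuple          # ((name, value), ...) as reported by the controller


def config_fingerprint(config_image: bytes) -> str:
    """Fingerprint a controller's configuration so silent edits can be detected."""
    return hashlib.sha256(config_image).hexdigest()


# Constructed baseline: the asset inventory plus each asset's expected state.
BASELINE = {
    "PLC-01": AssetSnapshot("PLC-01", "vendor-a", "2.3.1",
                            config_fingerprint(b"plc-01 project v7"),
                            frozenset({102, 502}), (("tank_level_max", 85.0),)),
    "PLC-02": AssetSnapshot("PLC-02", "vendor-b", "1.8.0",
                            config_fingerprint(b"plc-02 project v3"),
                            frozenset({502}), (("pump_speed_rpm", 1450.0),)),
}

# Constructed signature list: (vendor, firmware) pairs with a known, patchable flaw.
VULNERABLE_FIRMWARE = {("vendor-b", "1.8.0")}


def check_asset(baseline, current, setpoint_tolerance=0.05):
    """Compare one device check against the baseline; return a list of finding codes."""
    findings = []
    expected = baseline.get(current.asset_id)
    if expected is None:
        return ["unknown-asset"]                     # not in the inventory at all
    if (current.vendor, current.firmware) in VULNERABLE_FIRMWARE:
        findings.append("vulnerable-firmware")       # signature match: patching needed
    if current.firmware != expected.firmware:
        findings.append("firmware-changed")          # unscheduled update or downgrade
    if current.config_hash != expected.config_hash:
        findings.append("config-changed")            # logic altered, by attack or by mistake
    if current.open_ports - expected.open_ports:
        findings.append("new-open-ports")            # a service that was not exposed before
    expected_sp = dict(expected.setpoints)
    for name, value in current.setpoints:
        base = expected_sp.get(name)
        if base is None:
            findings.append("unexpected-setpoint:" + name)
        elif abs(value - base) > setpoint_tolerance * abs(base):
            findings.append("setpoint-drift:" + name)  # process parameter outside tolerance
    return findings


def check_site(baseline, snapshots, setpoint_tolerance=0.05):
    """Run check_asset over a whole site and flag inventoried assets that did not report."""
    report = {s.asset_id: check_asset(baseline, s, setpoint_tolerance) for s in snapshots}
    seen = {s.asset_id for s in snapshots}
    for asset_id in baseline:
        if asset_id not in seen:
            report[asset_id] = ["no-response"]
    return report


# Constructed "current" device checks: PLC-01 healthy, PLC-02 tampered, PLC-09 not inventoried.
CURRENT = [
    BASELINE["PLC-01"],
    AssetSnapshot("PLC-02", "vendor-b", "1.8.0",
                  config_fingerprint(b"plc-02 project v3 MODIFIED"),
                  frozenset({502, 4840}), (("pump_speed_rpm", 1750.0),)),
    AssetSnapshot("PLC-09", "vendor-a", "2.3.1", config_fingerprint(b"unknown"),
                  frozenset({502}), ()),
]

if __name__ == "__main__":
    for asset_id, findings in sorted(check_site(BASELINE, CURRENT).items()):
        print(asset_id, findings or "ok")
```

The design point is that the same baseline serves all five controls in the list: the inventory decides whether a device is known at all, the signature list catches devices still on vulnerable firmware, and the fingerprint, port and setpoint comparisons catch changes regardless of whether an attacker or an engineer made them. Each finding is a code rather than free text so it can feed a ticketing or alerting pipeline unchanged.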
Finally, one of the most effective measures for protecting the broader industrial attack surface created by digitization initiatives is to unify IT and OT security. Working together, the two teams share information to mitigate risks and vulnerabilities that span both infrastructures, implement security best practices in step with each other, and respond to threats before they can move laterally from the IT network to the OT network.
Michael Rothschild is director of product management for industrial security vendor Indegy. He has more than 20 years of experience in IT security with Thales, RSA, SafeNet (now Gemalto), Dell, Juniper Networks and Radware. In his spare time, Michael volunteers as an Emergency Medical Technician.