Kaspersky Labs recently shared results from a survey showing that 28 percent of industrial companies surveyed have faced a targeted cyber attack in the last 12 months. This is an increase of more than 33 percent.
Edgard Capdevielle is the CEO of Nozomi Networks, a leading provider of Industrial Control System (ICS) cybersecurity that recently raised $15 million in Series B financing. He states that, “the escalation of targeted attacks has been matched with advances in detection capabilities. Whether it’s Industroyer, Triton or other threats, real-time monitoring of ICS is essential to identify anomalies.” Capdevielle recently offered some additional perspective in an interview with IEN Editorial Director Jeff Reinke.
What have we learned from recent cyber attacks targeting the industrial sector?
Industrial control hacks are real and growing in sophistication. Outside of Stuxnet in 2010, the industrial sector was highly vulnerable and affected only by proxy from other attacks. Now, the notion that many ICS assets are vulnerable is becoming apparent. Noting Industroyer/CrashOverride and the very recent Triton attack specifically, we can take note that the importance of industrial cyber security is entering mainstream adoption and that investments in ICS cybersecurity are worth it.
A virus can come from internal or external sources – which is more difficult to protect against?
Comparing the difficulty of detecting and defending against internal vs. external cyber attacks is difficult. The complexity of the virus, and the existing security protocol of the host network are the main parameters that define the level of difficulty – more so than the source of the attack.
However, internal threats will always be a risk factor for any ICS, no matter the cyber security precautions taken, because they have direct access to system controls and infrastructure. This is why investing in ICS cybersecurity solutions that provide real-time monitoring and strong access controls to a set of security stakeholders is critically important for any OT cyber security strategy, as they provide multi-tenant oversight and detailed operational and user visibility.
While the industrial sector is more aware of potential attacks, what do you think it will take for cybersecurity to become a greater priority for manufacturers?
I think manufacturers do view cybersecurity as a priority. The space is simply new and developing. There’s a great disparity between market demand and technological acumen. For manufacturers to catch up to the demand, which I believe they will, it’s going to take more of the same that has brought the field of ICS cyber security to where it is today - i.e. more cyber attacks, more regulatory pressures on municipalities and more education on how passive ICS cybersecurity technologies with rich threat detection capabilities can improve existing solutions.
Is there a specific “soft spot” when it comes to cyber security in the industrial sector?
The industrial sector has an overarching soft spot when it comes to network visibility and device readiness. When it comes to DCS and MES, these systems are often comprised of non-homogenous systems and devices that have been connected to one another over the course of years - from hardware to software.
Improved SCADA systems, and the advent of cloud accessibility to industrial networks, has made these systems more efficient, but more vulnerable. Therefore, all connected devices susceptible to an attack need to be located, logged and monitored in real-time. In many scenarios, vulnerable devices and nodes go unnoticed and unmonitored.
Secondly, device ‘readiness’ refers to the low computational nature of many industrial assets, devices and networks. Simply put, a typical ICS wasn’t created to support massive amounts of data throughput. Outside of ripping and replacing very complex, pervasive and expensive ICS infrastructure, ICS cybersecurity technology needs to monitor these systems without over-burdening them.
In such a case of using an active cybersecurity solution, the cure could be worse than the disease, causing network latency and system shutdowns. ICS and OT systems are critical by their very nature, so they require protection that can be integrated non-intrusively.
For those who haven’t started implementing cyber security strategies, where should they start?
First, define your problem or monitoring ambition. Then research ICS cybersecurity vendors and engage in POC processes with those vendors who offer a comprehensive passive approach to ICS cybersecurity and monitoring.
Whomever you select, the vendors or technology providers must prove that they can integrate seamlessly with existing cybersecurity infrastructure (such as firewalls and SIEMs). They need to offer a comprehensive ICS threat detection capability and they need to illustrate how they can scale for future deployments. The best ICS cybersecurity solution is going to be the one that provides both security and operational intelligence.
What tool or technology do you think will play the biggest role in fostering new cyber attacks?
IoT, for all its advantages, is also among the list of “new technologies” fostering new cyber threats. “Devices” and “things” that cannot protect themselves is the top security concern according to the latest SANS ICS Security survey – ahead of internal threats (accidental) and external attacks.
What tool or technology do you think will play the biggest role in protecting against cyber attacks moving forward?
Artificial intelligence will play a significant role in the future of cybersecurity. At Nozomi Networks, we’re already seeing that first hand. Technologies that leverage artificial intelligence and machine learning to continuously monitor operational technology networks for cyber threats and process anomalies will increasingly play a significant role in helping protect infrastructure and ensure reliability.