Attacks against industrial control systems (ICS) are only getting worse with time. There are two key reasons for this. First, these attacks are becoming more numerous as time wears on. IBM X-Force revealed in February 2020 that security incidents involving attacks against ICS and operational technology (OT) assets had increased over 2,000% since 2018, with the number of events observed in 2019 exceeding the total for the past three years combined. Most of those incidents consisted of attackers exploiting vulnerabilities in supervisory control and data acquisition (SCADA) assets and other ICS hardware components, as well as using brute-force login techniques.

Second, these attacks are becoming easier to launch. About a month after IBM X-Force announced its research, FireEye clarified that standardized digital operation tools were enabling malicious actors with even low levels of technical expertise to customize and launch attacks against organizations’ ICS and OT assets. The security firm observed that the vast majority of those tools had emerged in the past 10 years, didn’t target a specific vendor and contained exploit modules for over 500 zero-day flaws and other vulnerabilities.

The growth of attacks against ICS reflects the ability of all kinds of malicious actors to find motivations for launching new operations. Trend Micro noted that digital criminals could prey upon an organization’s industrial assets for financial gain by stealing information and selling it to a competitor, for instance. Malicious insiders could have a similar goal. Alternatively, attackers could embrace hacktivism by seeking to disrupt industrial processes for a political cause or other aim. They might even be state-sponsored actors and carry out their attacks with the purpose of fulfilling a military objective that’s received authorization from their government.

Regardless of who’s behind it, an attack against an organization’s ICS tends to follow a certain playbook. Trend Micro explained that the typical intrusion begins with a reconnaissance phase in which the malicious actors collect intelligence about the targeted environment. They then use phishing attacks or other techniques to gain an initial foothold in the environment. At that point, they can deploy malware that preys upon an ICS asset’s vulnerabilities or configurations. That malware could then disrupt the organization’s industrial operations more broadly.

The common thread that unites each phase of this attack scenario is change. Malicious actors need a way to exfiltrate information gained in the reconnaissance phase. They need to remain persistent on the target’s environment. And they need to activate their payload’s malicious capabilities by adjusting a configuration or exploiting a bug. All of these steps require that the attackers change something within the target environment.

These changes by attackers open a window of opportunity for organizations to protect themselves. This window comes in the form of change management, a process that allows organizations to control and approve changes to their IT and other technology assets.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) pointed out in a resource guide that change management is particularly pertinent given the growing complexity that characterizes the processes necessary to create ever-evolving information systems. These processes elevate the probability of accidental errors surfacing in the configuration of those systems. Such mistakes could jeopardize the data and/or business operations of an organization.

In response, CISA urged organizations to follow the four phases of change management:

  1. Create a change management plan
  2. Identify which assets need protection
  3. Implement the configuration changes necessary to protect those assets
  4. Monitor configuration changes and use those results to adjust the plan, thereby creating a feedback loop.

The issue is that change management isn’t always that easy. For example, CSO Online drew attention to the special case of applying change management to supply chain attacks. These security incidents involve malicious actors infiltrating an organization’s systems via an outside provider or partner with access to the organization’s network. Such attacks increase the attack surface by enabling nefarious individuals to use security weaknesses affecting third parties as attack vectors into an organization’s systems.

Supply chain attacks are no laughing matter. As an example, the FBI issued an alert in late March 2020 warning organizations about a state-sponsored group called “Kwampirs” using malware to conduct supply chain attacks against organizations in healthcare and other sectors. ZDNet clarified this was the third time that the FBI had sent out an alert about the group that year. It had published its earlier alerts on January 6 and February 5.

What makes supply chain attacks so insidious is that they’re difficult to spot. In these types of attacks, malicious actors target organizations in specific regions, sectors or industries. A successful vendor or partner breach enables attackers to wind their way through the supply chain via automatic updates and verified partner pathways. All of this complicates the ability of organizations to control changes across their entire attack surface.

The difficulties discussed above aren’t lost on industry entities. Back in July 2016, for instance, the Federal Energy Regulatory Commission (FERC) issued Order No. 829: “Revised Critical Infrastructure Protection Reliability Standards.” That directive instructed the North American Electric Reliability Corporation (NERC) to devise a new standard or modify existing practices in order to help organizations managing Bulk Electric System (BES) operations to mitigate the risks of supply chain attacks.

NERC responded by creating Project 2016-03: “Cyber Security Supply Chain Risk Management.” This initiative consists of three standards. One of them is CIP-010-3: “Configuration Change Management and Vulnerability Assessments.” The purpose of this Critical Infrastructure Protection standard is to help organizations prevent and detect unauthorized changes to their BES Cyber Systems by abiding by the following roadmap:

  1. Develop a baseline configuration that includes OS or firmware versions, open-source applications, custom software, logical network accessible ports and security patches.
  2. Authorize and document changes that deviate from the baseline.
  3. Update the baseline configuration within 30 days if the change deviates from the existing baseline configuration.
  4. In the event the change deviates from the baseline, determine which controls in CIP-005: “Electronic Security Perimeter(s)” and CIP-007: “System Security Management” might be affected by the change. It’s also important to verify that the change won’t affect required measures in either of those standards and document the results.
  5. Test the change prior to fully deploying it in a production environment and document the results to ensure that CIP-005 and CIP-007 aren’t adversely affected.
  6. Verify the identity of the software source as well as the integrity of the software program obtained from that source.
  7. Monitor for changes to the baseline configuration at least once every 35 calendar days, paying particular attention to unauthorized changes.
  8. Conduct a vulnerability assessment at least once every 15 calendar months.
  9. Perform an active vulnerability assessment in a test environment or an assessment in a production environment that models the baseline configuration of the BES Cyber System at least once every three years and document the results.
  10. Perform a vulnerability assessment of most new assets before adding them to the production environment.
  11. Document the results of all vulnerability assessments as well as all remediation action plans that are necessary to safeguard the assets.
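The baseline, deviation and monitoring steps of the CIP-010-3 roadmap above, together with the monitor-and-adjust loop in CISA’s four phases earlier, are easiest to see as code. The following Python script is an added example, not part of the article and not a NERC, CISA or ITEGRITI tool: it compares a recorded baseline configuration against a fresh snapshot of an asset, reconciles each deviation against authorized change records, checks the 35-day monitoring cadence and 30-day baseline-update window, and verifies a software download against a digest published by its source. The asset names, versions, ports, patch identifiers, ticket numbers and dates are constructed sample data.

```python
"""Baseline-configuration drift check in the spirit of NERC CIP-010-3.

Added example, not from the article or any NERC/CISA tool. All asset
names, version strings, ports, tickets, hashes and dates are constructed.
"""
import hashlib
from datetime import date

# CIP-010-3 R2: monitor for baseline changes at least every 35 calendar days.
MONITORING_INTERVAL_DAYS = 35
# CIP-010-3 R1: update the baseline within 30 days of an authorized change.
BASELINE_UPDATE_DAYS = 30

# Constructed baseline for one asset, keyed by the baseline elements the
# standard names: OS/firmware, installed software, custom software,
# logical network-accessible ports and security patches.
BASELINE = {
    "os_firmware": {"rtu-fw": "4.2.1"},
    "software": {"modbus-gateway": "2.0.0", "openssl": "1.1.1k"},
    "custom_software": {"telemetry-agent": "0.9"},
    "ports": {"tcp/502", "tcp/22"},
    "patches": {"KB-2020-001"},
}

# Constructed snapshot collected from the same asset during a monitoring run.
CURRENT = {
    "os_firmware": {"rtu-fw": "4.2.1"},
    "software": {"modbus-gateway": "2.1.0", "openssl": "1.1.1k"},
    "custom_software": {"telemetry-agent": "0.9"},
    "ports": {"tcp/502", "tcp/22", "tcp/23"},
    "patches": {"KB-2020-001", "KB-2020-007"},
}

# Constructed change records approved before deployment. A deviation is
# authorized when (element, item, new value) matches a record; a removal
# is recorded with value None.
AUTHORIZED_CHANGES = [
    {"element": "software", "item": "modbus-gateway", "value": "2.1.0", "ticket": "CHG-1042"},
    {"element": "patches", "item": "KB-2020-007", "value": "KB-2020-007", "ticket": "CHG-1043"},
]


def diff_baseline(baseline, current):
    """Return deviations as (element, item, old, new) tuples, baseline order, items sorted."""
    deviations = []
    for element, old in baseline.items():
        new = current.get(element, type(old)())
        if isinstance(old, dict):  # versioned items: detect changed, added and removed versions
            for item in sorted(set(old) | set(new)):
                if old.get(item) != new.get(item):
                    deviations.append((element, item, old.get(item), new.get(item)))
        else:  # set-valued elements (ports, patches): membership changes only
            for item in sorted(old - new):
                deviations.append((element, item, item, None))
            for item in sorted(new - old):
                deviations.append((element, item, None, item))
    return deviations


def classify_deviations(deviations, authorized):
    """Split deviations into (approved, unauthorized); each entry gains the ticket or None."""
    index = {(c["element"], c["item"], c["value"]): c["ticket"] for c in authorized}
    approved, unauthorized = [], []
    for element, item, old, new in deviations:
        ticket = index.get((element, item, new))
        (approved if ticket else unauthorized).append((element, item, old, new, ticket))
    return approved, unauthorized


def run_check(baseline=BASELINE, current=CURRENT, authorized=AUTHORIZED_CHANGES):
    """One monitoring run: diff, reconcile, and report what still needs authorization."""
    approved, unauthorized = classify_deviations(diff_baseline(baseline, current), authorized)
    return {"approved": approved, "unauthorized": unauthorized}


def monitoring_overdue(last_check_iso, today_iso):
    """True when more than 35 calendar days have passed since the last baseline check."""
    last, today = date.fromisoformat(last_check_iso), date.fromisoformat(today_iso)
    return (today - last).days > MONITORING_INTERVAL_DAYS


def baseline_update_overdue(change_iso, today_iso):
    """True when an authorized change is older than 30 days and the baseline still lacks it."""
    changed, today = date.fromisoformat(change_iso), date.fromisoformat(today_iso)
    return (today - changed).days > BASELINE_UPDATE_DAYS


def verify_software_integrity(blob, expected_sha256):
    """Confirm obtained software matches the SHA-256 digest published by its source."""
    return hashlib.sha256(blob).hexdigest() == expected_sha256.lower()


if __name__ == "__main__":
    report = run_check()
    for entry in report["approved"]:
        print("authorized  ", entry)
    for entry in report["unauthorized"]:
        print("UNAUTHORIZED", entry)  # tcp/23 appeared with no change record
    print("monitoring overdue:", monitoring_overdue("2020-01-01", "2020-02-06"))
```

In practice the snapshot would come from the asset itself (a configuration backup, a package inventory, a port scan from inside the Electronic Security Perimeter) rather than a literal, and the authorized-change list from the change-management system; the reconciliation logic stays the same. The unauthorized entry for the new listening port is the finding the 35-day monitoring step exists to surface, and the integrity function is the check behind step 6 before any approved software reaches production.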

Change management isn’t just essential to industrial supply chains. It’s becoming increasingly relevant to entities in all sectors, and more so every day as new data protection standards come into being. According to the United Nations Conference on Trade and Development, 132 of the world’s 194 countries have already put legislation in place that’s designed to protect people’s data and privacy. That number is likely to grow. Indeed, 67% of respondents to a SAS survey said that they think the U.S. government should be doing more to protect data privacy, such as via federal legislation, reported PR Newswire. It’s these types of attitudes that support Gartner’s forecast of modern privacy regulations covering 65% of the global population’s personal information by 2023, up from 10% today.

Along the way, organizations will need to keep up with the latest standards, determine whether those regulations apply to them and work to maintain compliance. ITEGRITI can be a partner in helping organizations achieve compliance as well as align digital security design approaches with the risks in their networks. Learn more here.