Threats to industrial control system (ICS) environments have been growing steadily in both complexity and prevalence in the last few years, a natural progression resulting from adversaries gaining a better understanding of the target environments and potential weak spots. But this may just be the leading edge of a wave of more serious attacks if defenders and government agencies don’t work together to identify the most important systems, increase operational visibility and respond to incidents more quickly and effectively, experts say.
Incidents such as the recent attack on a water treatment facility in Oldsmar, Fla., tend to draw a lot of attention because they’re noisy and the potential outcomes can be catastrophic. But those attacks, while serious, are not the ones that generate the most concern among ICS security experts. The more concerning intrusions are the ones we don’t know about until the adversary has been in place for a long time, gaining an understanding of the environment, finding the soft spots and figuring out ways to exploit them. Those attacks have been few and far between, but that may change in the coming years as adversaries become more comfortable with ICS environments.
“What we see based on the physics of the problem is that it takes about five to seven years of research and development after someone is interested in conducting attacks against an environment to get to a predictable state to know what’s going to happen once they’re in place and aren’t just pushing buttons. That’s a deterministic adversary,” said Sergio Caltigirone, vice president of threat intelligence at Dragos, a security firm that specializes in ICS security services.
The number of attack groups that have that capability right now may be limited, but that is likely a function of the relative immaturity of their interest in these targets compared to normal IT networks and the time it takes to develop effective attack tools and strategies. Caltigirone said he anticipates a continued maturation of capabilities by threat actors in ICS environments going forward, the same kind of progression that has happened with IT networks, mobile networks, and other targets over time. As the technologies and systems mature, the threats follow a similar curve, although it may not be simultaneous. Caltigirone pointed to the discovery of Stuxnet in 2010, a watershed event in many respects, as a starting point for some threat actors’ serious interest in ICS and SCADA systems as real targets.
"If people don’t see what’s going on, we’re never going to defend in the first place.”
“I think we will start seeing a gradual increase in threats as people become more mature in this area. Threats start off small and then grow in maturity and abilities until reaching a peak and then slowly decline. If you have lots of adversaries that started at about the same time a few yrs after Stuxnet, then you will have many adversaries peaking at the same time,” he said.
In a new analysis of the ICS threat landscape released today, Dragos’s data shows that for every threat actor that went dormant (or did not perform any new known intrusions) in 2020, three new ones emerged. The company put this down to the increased investment in ICS activity by threat actors in the last few years, a trend that is likely to continue as their understanding of those networks increases.
For defenders, that presents a difficult challenge. The field of ICS security is a young one, and many of the people tasked with defending ICS environments are much more used to defending enterprise IT networks. While many of the same principles apply, there are plenty of challenges in ICS environments that don’t arise in most mature IT environments, namely the lack of visibility. While enterprise networks are peppered with devices, sensors, and agents that spit out logs and telemetry for analysts to comb through, this is not the case in many ICS environments. In fact, 90 percent of the customers that engaged Dragos for incident response services last year had limited or no visibility into their ICS environments.
“ICS is a long-maturing environment so we need to get over our ten year deficit to get to where we are in IT where everything emits telemetry and logs. Not just computers, but all of these other specific technologies, and there has to be technology that can consume that data for defenders,” he said.
“An IT team that has spent their lives protecting Active Directory will have no idea how to protect an industrial controller. The risk has to be effectively managed by the private sector.”
The vast majority of the critical infrastructure in the United States is privately owned, and much of that is connected to ICS networks, but effectively defending those assets requires help from the government, Caltigirone said. And not just the U.S. government.
“National governments need to work together. This is not a competitive scenario. We can’t let people be unprotected,” he said.
“An attack against india is an attack against the U.S. because they learn how things operate in one place and then use that knowledge. The private sector needs support from the government to understand what to do now. We can’t think of this as everybody stands alone. Visibility, visibility, visibility. If people don’t see what’s going on, we’re never going to defend in the first place.”