The Recycling of Industrial Cyberattacks

If an attack signature was isolated the first time it made an appearance, why would organizations fail to protect their environments from known attacks going forward?

For companies involved in critical infrastructure or any facet of manufacturing processes, one of the big action items today is securing operational technology (OT). For the very first time, the security of the industrial computers, which run discrete and continuous processes such as programmable logic controllers (PLCs), distributed control systems (DCSs) and human machine interfaces (HMIs), has eclipsed the conversations around IT security. Considering the frequency and impact of OT related attacks, it’s not surprising.

There have been many watershed moments in the evolution of OT security. While industrial control systems (ICS) have been around since the late 1960s, the spotlight on OT security really hit mainstream media around 2010 with the notorious Stuxnet virus that reportedly disabled centrifuges, among other things. Since then, we have seen critical infrastructure, manufacturing facilities, logistics and transportation and much more get probed and taken offline by attackers. These events have elevated the threat and have forced the issue to become a C-level agenda item in virtually every industry.

Since Stuxnet, there have been numerous attacks that have been launched including Shamoon, Havex, Wannacry, and Lockergoga. Now, with nine years of OT attack data behind us, one disturbing trend has evolved. These attacks are being recycled.

Consider LockerGoga in March 2019. This attack impacted Norsk Hydro, one of the largest aluminum manufacturers in the world. It was another watershed moment in OT security because it not only impacted OT operations by taking aluminum production offline, but it also impacted IT security. And while the lateral creep of attacks between once air-gapped IT and OT operations are new due to IT and OT convergence, perhaps even more alarming is how the same malware is being recycled. LockerGoga made global headlines in March, but it was neither the first nor last time the attack was launched. In fact, it was actually in January 2019 when LockerGoga made its first appearance hitting Altran Technologies. After it hit Norsk, it then made a third appearance that impacted Hexion and Momentive among other organizations. This is perhaps the most well-publicized incident of a recycled attack, but it is certainly not the only instance. Wannacry, Petya and Shamoon were all attacks that made multiple appearances either in their original form or as a variant of the original. 

Here are some of the key reasons why organizations have not guarded their systems against the latest attacks and how you can put the appropriate measures in place to ensure that recycled attacks do not make a repeat appearance in your OT operations.

• No Visibility - Many organizations simply do not know what is in their environment. When a vulnerability is issued, they do not know the model numbers, patch levels or firmware versions of the devices that are in the network. Of course, it is hard to update what you do not know you have. Running an automatic inventory management system can not only keep that inventory up to date in a rapidly changing environment, but it can pinpoint the devices that are most at risk.

• Maintenance Challenges - Once you know what is in the environment, a second parallel challenge is trying to schedule downtime to apply all necessary patches and updates. In many mission-critical operations, these windows do not happen as frequently as they need to because the industrial process must always be online. Having the ability to actively query every individual device to a very granular level including serial number, patch level, firmware version and much more, will allow you to stage the patches and other maintenance work to be performed so the windows are much shorter than in the past. You’ll be able to hit all relevant machines while taking the guesswork (and potential update errors) out of the equation.

• Inability to Isolate and Load (i.e. New Signatures) – While the convergence of IT and OT are underway, there are still distinct differences between the signatures for each. OT live update options now exist and should be relied on by organizations to get the latest in terms of new OT-specific signatures. This service should be 24/7/365 and needs to perform auto-updates based on the new attacks as they hit the wild. The sooner they are issued, the smaller the vulnerability window.

• Protection of Remote Locations – Many large organizations that have a distributed environment may be unwilling or unable to install OT security at every remote location. Similarly, small and medium sized industrial operations may not feel the need to do the same because they consider themselves a “small target.” In both instances it is essential to have 100 percent coverage. No remote location or business is too small. Leveraging a cloud-based OT security solution can secure these smaller locations, effectively closing a potential weak link in the chain where industrial attacks might find their way in.

Closing the vulnerability window by acting on these basic tenets can help reduce the attack surface for any threat to critical infrastructure and industrial operations. Doing so will help ensure attacks are unable to be recycled, effectively enhancing the security posture of OT environments across the board.

For more information on industrial cybersecurity, see our solution brief for strategies to mitigate threats across your OT environments.