“Herd Immunity for Cybersecurity” is the topic for this year’s HITCON. Though the world has been turned on its head by the ongoing pandemic, the HITCON organizers worked hard to make it a lively, useful, and unique event, dealing directly with the multitude of issues created in cybersecurity by COVID-19. The CEO of TXOne Networks, Dr. Terence Liu, delivered this year’s keynote, Industrial Cybersecurity Landscape in 2020: Trends, Challenges, and Opportunities. As Dr. Liu pointed out, the modern digital transformation is currently being led not by our executives, but by COVID-19.
COVID-19 has produced a complete change in the normal processes of doing business. Remote desktop access has become incredibly common. At the same time, customers and management alike want to know about utilization, progress, and even recipes and parameters in real time, which requires a link to the Internet of Things. Equipment vendors can no longer reliably send a technician to do on-site support – they need remote access and control as well. Air gapping is becoming a less and less viable defense option – and even with an air gap in place and effectively maintained, one careless insider is enough to bring down even the mightiest OT networks.
According to Gartner, a top information security research and advisory company, “Due to the nature of cyber-physical systems (CPSes), incidents can quickly lead to physical harm to people, destruction of property, or environmental disasters. Gartner analysts predict that incidents will rapidly increase in the coming years due to a lack of security focus and spending currently aligning to these assets… A focus on ORM — or operational resilience management — beyond information-centric cybersecurity is sorely needed.” Their key point? Their prediction that 75% of CEOs will be personally liable for cyber-physical security incidents by 2024.
Since 2017, beginning with WannaCry, there has been a significant change in cyber-attacks and threats – the emergence of new malware specifically targeting ICS. Now, in 2020, these attacks have improved in sophistication – the targeted ransomware attacks we hear about in the media have actually become quite common. Currently, attacks follow a common pattern. The hacker targets RDP, compromises a computer or device, and escalates their privileges. Privileges are usually gained by exploiting the credentials of an insider – typically an insider with high-level credentials who might use them in multiple places on the company’s system. With those credentials, they can set up a drop point for their scripts, get AD (Active Directory) control, and deploy a GPO (Group Policy Object) that downloads their scripts onto computers all across the network. Attacks such as this are commonly brought onto the shop floor by careless insiders.
From Dr. Liu’s viewpoint, it’s impossible to patch each machine and each issue individually, because that work must be done manually. If there are 30,000 machines in your work force, then you’re doing the patching process 30,000 times. This is the key issue for the majority of ICS vulnerabilities — they’re easily exploited, and the number is still climbing. If you look at published advisories, 90% of them are easy targets. On the other side, if hackers can find out what you’re running, they can look up and follow step-by-step instructions to hack your system. For these reasons, it’s important to have cybersecurity solutions that don’t require updates, and better yet, don’t require internet access.
Key takeaways:
- Cybersecurity improvement begins with education.
- It is inadvisable to pay ransoms – even if you pay them, you might not get your factory back.
- You must use a trust list. You want security that requires no updates, and that has no need for internet connectivity.
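As an added illustration of the trust-list takeaway (this is not code from the keynote or from TXOne), the Python below baselines a directory of approved binaries by hash and later flags anything not on the list or changed, working entirely offline with no update feed; the file names and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_trust_list(root):
    """Snapshot every file under root as relative_path -> sha256 (the approved baseline)."""
    trust = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            trust[os.path.relpath(full, root)] = sha256_file(full)
    return trust


def check_against_trust_list(root, trust):
    """Return (unknown, modified): files absent from the list, and listed files whose hash changed."""
    unknown, modified = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if rel not in trust:
                unknown.append(rel)          # never approved: block or alert
            elif trust[rel] != sha256_file(full):
                modified.append(rel)         # approved name, tampered content
    return sorted(unknown), sorted(modified)


def demo():
    """Constructed scenario: baseline two approved files, then drop an unlisted script and alter one binary."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "hmi.exe"), "wb") as f:
            f.write(b"approved hmi binary")
        with open(os.path.join(root, "plc_tool.exe"), "wb") as f:
            f.write(b"approved vendor tool")
        trust = build_trust_list(root)
        with open(os.path.join(root, "update.ps1"), "wb") as f:
            f.write(b"dropped by an attacker, not on the trust list")
        with open(os.path.join(root, "hmi.exe"), "wb") as f:
            f.write(b"tampered hmi binary")
        return check_against_trust_list(root, trust)


if __name__ == "__main__":
    print(demo())  # (['update.ps1'], ['hmi.exe'])
```

In a real deployment the baseline would be signed and stored read-only so the list itself cannot be rewritten by the same compromised account that drops the script.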