The Next Disruptive ICS Attacker: Only Time Will Tell

Throughout this blog series, I have examined real-world ICS cyber-related incidents as a way of looking back to predict what the next attack may look like. The three categories of attacker that I have considered so far are disgruntled insiders, ransomware groups, and APT. Knowing about past events, their impact, and how they unfolded can be critical for thwarting similar attacks in the future. As citizens with little or no control over the ICS in our lives, having this knowledge may help us prepare for catastrophe by having appropriate supplies or emergency plans.

As important as it is to study the past and learn from what is already known, it would be foolish to limit our consideration to the events which are behind us. (You wouldn’t drive using just your rear-view mirror, would you?) In this final installment of the series, I will attempt to turn on the headlights and speculate on what other disruptive ICS events may be on our horizon.

Attacks from all three of the sources I’ve discussed in this series will likely continue until serious efforts are made to prevent intrusions, or at least to identify and evict intruders before they can cause harm. It’s also worth noting that these groups are not mutually exclusive. A disgruntled insider may sell access to a ransomware gang or get recruited by a foreign adversary. Some ransomware attacks have also been attributed to military operations, either as a false flag or simply as a means of generating revenue. As I have observed in my own research as well as in countless infosec briefings, many ICS networks are highly exposed and give attackers an open door. Fortunately, the complexity of these systems and the real-world implications of their failure are enough to deter most attackers from creating real chaos. Nonetheless, there is still a lot of damage that can be done, whether by accident or on purpose.

What the Future of ICS Attacks Looks Like

The sky is the limit for what a creative attacker can do with access to OT networks. As organizations get better at incident response, attackers will almost certainly respond with new schemes to make money or harm national interests. Sabotage campaigns may move beyond directly targeting or disabling industrial equipment for the sake of disruption and attempt more complex, multi-stage attacks. Examples might include a foreign adversary sabotaging weapon components in preparation for armed conflict, or a financially motivated group triggering a plant shutdown to benefit an investment portfolio. These scenarios are limited only by the attacker’s resources and access to industrial process expertise.

Unfortunately, attackers seem to be getting better and better at breaching IT networks and hijacking the OT networks connected to them. In many ways, the criminal hacking underground has been making itself more and more public, with Ransomware-as-a-Service operations and specialized operators selling their services on organized marketplaces. Meanwhile, APT groups have become far more brazen in their attacks and in endangering public safety. The time is now for businesses and governments to act swiftly, matching the evolving threat landscape with enhanced security tactics and with both technological and diplomatic solutions. There will never be a way to fully avoid the threat of compromised industrial systems, but there are certainly things we can do to make attacks more difficult or costly.

Basic IT security practices like prompt patching, phishing education, and fine-grained access controls go a long way toward making an organization harder to breach. Ultimately, though, there needs to be a shift away from decades-old insecure protocols and onto modern encrypted and authenticated channels, which thwart simple spoofing and replay attacks. While IT security went through a kind of renaissance in the early 2000s, OT systems largely missed this push, on the expectation that these systems would remain disconnected or that attacks were otherwise infeasible.
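As an added illustration of the spoofing and replay point above (my own constructed example, not code from the post or any vendor), here is a minimal Modbus-style write command that carries no authentication, beside a variant that adds a sequence number and an HMAC tag so the receiving controller can reject forged and replayed frames. The key, the frame layout and the Controller class are assumptions for the demo, not any real protocol.

```python
import hashlib
import hmac
import struct

# Assumption: a key provisioned out of band and shared by HMI and controller.
SESSION_KEY = b"constructed-demo-key-not-for-production"

# Constructed example: a legacy-style write command (function code, register,
# value) with no authentication, in the spirit of protocols such as Modbus.
def legacy_frame(function_code, register, value):
    return struct.pack(">BHH", function_code, register, value)

# Hardened variant: same payload, prefixed with a monotonically increasing
# sequence number and followed by an HMAC-SHA256 tag over the whole body.
def auth_frame(key, seq, function_code, register, value):
    body = struct.pack(">QBHH", seq, function_code, register, value)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Controller:
    def __init__(self, key):
        self.key = key
        self.last_seq = 0
        self.writes = []  # (register, value) pairs that were acted on

    def legacy_receive(self, frame):
        _fc, reg, val = struct.unpack(">BHH", frame)
        self.writes.append((reg, val))  # no way to tell a replay from a fresh command
        return "accepted"

    def receive(self, frame):
        body, tag = frame[:-32], frame[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"       # forged or tampered frame
        seq, _fc, reg, val = struct.unpack(">QBHH", body)
        if seq <= self.last_seq:
            return "rejected: replay"        # old frame captured and resent
        self.last_seq = seq
        self.writes.append((reg, val))
        return "accepted"

def demo():
    plc = Controller(SESSION_KEY)
    captured = legacy_frame(6, 0x0010, 1)          # e.g. "open valve"
    legacy = [plc.legacy_receive(captured), plc.legacy_receive(captured)]
    good = auth_frame(SESSION_KEY, 1, 6, 0x0010, 1)
    tampered = good[:12] + bytes([good[12] ^ 1]) + good[13:]  # flip a bit in the value
    authed = [plc.receive(good), plc.receive(good), plc.receive(tampered),
              plc.receive(auth_frame(SESSION_KEY, 2, 6, 0x0010, 0))]
    return legacy, authed
```

The legacy path accepts the captured frame a second time without complaint, while the authenticated path accepts each command once and rejects both the replay and the tampered copy.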

This progression can be daunting for industrial operations with high equipment costs and losses tied to even short production outages, but it is necessary to step up the baseline security of our manufacturing and critical infrastructure systems.

Read more in The Next Disruptive ICS Attacker Series:

The Next Disruptive ICS Attack: 3 Likely Sources for Major Disruptions

The Next Disruptive ICS Attacker: A Disgruntled Insider?

The Next Disruptive ICS Attacker: A Ransomware Gang?

The Next Disruptive ICS Attacker: An Advanced Persistent Threat (APT)?