ICS environments must build resilience against nation-state actors as the cyber threat landscape shifts
The uptick in nation-state hackers borrowing cyber-criminal tactics to disrupt critical environments has forced organizations to develop comprehensive security policies and incident response plans, and to stay abreast of the latest attack and threat intelligence. The evolving landscape has also made it increasingly difficult to categorize threat groups by their tactics, techniques and procedures (TTPs) and motives, which previously aided attribution efforts. With hackers gearing up with new strategies and malware, the trend is expected to continue throughout 2023, pushing critical infrastructure operators to advance the security and resilience of industrial control systems (ICS) for safe and efficient operation.
Nation-state actors have been identified actively targeting and gaining persistent access to public and private sector networks to compromise, steal, modify, or destroy data. These operators may be part of a government, or may be directed, funded, or provided with technical help by one. They are primarily known for pursuing high-value targets such as military secrets and critical infrastructure, and for running massive-scale disinformation or propaganda campaigns. Because they operate on behalf of a state, they do not face prosecution in their home country for that affiliation.
These hackers are primarily mission-driven, unconcerned about how long it takes to research, scan, and probe their target, and remain persistent. Nation-state threat actors employ various tactics to achieve their objectives, which can include malware, ransomware, phishing, DDoS, and backdoor attacks.
Cybercrime has become a major concern in the U.S., with schools, hospitals, businesses, local governments, and critical infrastructure being targeted by criminal groups and hostile nations, such as China, Russia, Iran, and North Korea.
As nation-state hackers and other sophisticated adversaries increasingly target and get closer to mission-critical systems and services, ICS environments need to focus their efforts on becoming more resilient to such threats and attacks. Organizations must work on improving resilience by implementing security controls, embedding IEC 62443 standards into their environments, adopting cyber defense strategies, and training employees.

The Office of the Director of National Intelligence (ODNI) observed in its annual threat assessment of the U.S. intelligence community that Russia’s unprovoked full-scale invasion of Ukraine highlighted that the era of nation-state competition and conflict had not been relegated to the past but instead has emerged as a defining characteristic of the current era.
The European Union Agency for Cybersecurity (ENISA) also noted in its ENISA Threat Landscape 2022 (ETL) report that the Russia-Ukraine conflict had far-reaching impacts and changed the global cyber landscape significantly. The war led to an unprecedented mobilization of hacktivists, coordinated cyber operations, and nation-state support for those operations during the conflict.
Data released by Google showed Russian government-backed attackers aggressively pursuing wartime advantage in cyberspace. Google found that Russia's cyber preparations began long before the invasion: government-backed attackers ramped up cyber operations in 2021 during the run-up to the invasion, and Russian phishing campaigns directed against users in Ukraine rose 250 percent in 2022 compared to a 2020 baseline.
Google also identified an over 300 percent increase in Russian phishing campaigns directed against users in NATO countries in 2022, compared to a 2020 baseline. These efforts may reflect a longstanding Russian strategic priority to gather better insight into NATO activities, but in 2022 they were driven primarily by a Belarusian government-backed group that is closely aligned with Russia.
Russian Armed Forces’ Main Directorate of the General Staff (GRU)-sponsored actors have used destructive malware to disrupt and degrade Ukraine’s government and military capabilities. Google disclosed that it observed more destructive cyberattacks in Ukraine during the first four months of 2022 than in the previous eight years with a notable spike in activity at the start of the invasion. The report also pointed out a notable uptick in the intensity and frequency of Russian cyber operations designed to maximize access to victim networks, systems, and data to achieve multiple strategic objectives.
Industrial Cyber contacted cybersecurity experts for their view of the effect that attacks from nation-state actors have had on the cybersecurity posture of ICS environments. They also look into the changes these environments have had to make as the intensity and number of such attacks rise in the evolving geopolitical scenario.

“Nation-state attacks show what damage is possible when actors with advanced resources and expertise target a victim,” Daniel dos Santos, head of security research at Forescout, told Industrial Cyber. “Several nation-state attacks have changed the threat landscape, such as Industroyer, which showed that OT/ICS sabotage could directly affect civilians; Triton, which showed that OT/ICS malware can affect safety systems; and INCONTROLLER, which showed that this kind of malware can be more flexible for several environments.”
These attacks have pushed asset owners to ensure that basic cyber hygiene is in place for their OT assets, after decades where these assets were not part of cybersecurity programs, dos Santos said. “This cyber hygiene has included extending practices such as asset inventory, patch management, credential management, and network segmentation to OT assets that are often insecure by design.”
Jason Steer, CISO at Recorded Future, said that “we have seen an increase in the convergence of threats over the past 12-18 months, which have included specific geo-political attacks, such as recent attacks on India’s power grid, which we have attributed to a likely Chinese state-sponsored threat activity group we track as RedEcho.”

Other examples have included wiper malware deployed against a variety of industries, including energy plants and logistics companies among many other targets across Ukraine, in a series of destructive cyberattacks launched against various entities, Steer told Industrial Cyber. “Earlier this year, we reported that the U.S. Environmental Protection Agency (EPA) is asking states to include cybersecurity in its audits of public water systems in a measure designed to address a spate of attacks on the sector. In a memorandum released Friday, EPA officials said several public water systems have not adopted even basic cybersecurity best practices — leaving them exposed to dangerous digital attacks.”
Steer said that the challenge is that ICS infrastructure was originally not designed to be connected to the Internet. “These legacy systems now increasingly need to be monitored as well as maintained and patched remotely. This challenge is an enterprise-wide challenge across many industries. Against this backdrop, we have started to see the US government/ Biden administration push for ‘security by design’ software and it is clear that the US is trying to take a lead on this initiative by putting pressure on vendors to build secure products by design.”
In Europe, “we are seeing cyber resilience initiatives, introduced for example by the Digital Operational Resilience Act (DORA) for the financial services sector. The same is needed across many other markets to ensure countries and citizens can live their lives unimpeded,” according to Steer. “These initiatives highlight the importance around visibility – being able to monitor, detect and respond to incidents across the ICS landscape. Ransomware attacks that impact critical infrastructure underpin how fragile these systems are and to what extent the time and effort to recover them have huge implications on not just cost but cause pain and suffering for societies whose consumers and citizens depend on these critical services,” he added.

Industrial cybersecurity expert Joe Weiss said that prior to Stuxnet, most control system cyber incidents were not ‘nation-state.’ “Moreover, there was generally no attempt to camouflage the cyberattacks as equipment malfunctions. There were, and still are, minimal cyber forensics or training to identify some of these types of attacks as being cyber-related. In most cases, the changes needed to identify these types of attacks still have not been made as the focus has remained on IT and OT networks while domain engineering experts generally have not been involved,” he added.
With the rise in attacks by nation-state actors, there is an increased likelihood of these adversaries targeting critical industrial control and process control systems. The experts detail what organizations must do to safeguard their ICS environments against this threat landscape and increase visibility within their operational environment.
Organizations need to ensure that their cyber hygiene practices include every device in their networks, not just IT or OT in silos, dos Santos said. “A recent example of an attack from Chinese APTs targeting the Indian power grid showed how advanced adversaries can leverage IoT devices such as vulnerable IP cameras to get access to critical networks. If cyber hygiene is limited to IT or OT only, organizations may be vulnerable to attacks that cross these types of devices.”
“Cybersecurity must start with visibility because you cannot secure what you cannot see, so the first step is to ensure there is granular visibility on every device within the network, including IT, OT, and IoT,” dos Santos added. “This granular visibility should include information such as operating system, firmware version, protocols used, and open ports, which can be obtained via a mix of passive network monitoring and selective active network scanning.”
Steer said that “we believe the risk has always been there. What has changed is that the threat surface (due to remote management & working, etc.) has become wider and more difficult to assess. Managing systems remotely to reduce cost has added risk. This in turn has made it easier for attackers to exploit vulnerabilities.”

“As every organisation is moving to the cloud, its attack surface has expanded, but cybersecurity budgets likely haven’t expanded in line in order to compensate for that risk,” Steer pointed out. “Net result is that systems that were not supposed to be exposed to the internet can be accessed directly or via enterprise networks that are.”
He also called attention to a recent Dragos report which highlighted there was a 35 percent bump in ransomware groups specifically targeting operational technology (OT) or industrial control systems (ICS) last year. “Dragos incident responders found poor network segmentation and several other problems that plagued many industrial companies. Eighty percent of Dragos customers had limited visibility into their ICS environments while more than half had issues with network segmentation, undisclosed or uncontrolled external connections to their OT environment, or lacked separate IT and OT user management,” Steer added.
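Dos Santos's call for device-level visibility gathered largely through passive network monitoring, and the segmentation failures and uncontrolled external connections to OT that Steer cites from Dragos's findings, can both be checked against the same raw material: a record of the flows seen on the network. The block below is an added example and is not code from Forescout, Recorded Future or Dragos. It parses constructed flow records, builds a per-host inventory of which ICS protocols each device serves or speaks, and reports every flow that crosses a zone boundary other than through a permitted conduit. The zone address ranges, the permitted conduits, the port-to-protocol table and the sample flows are all assumptions made for the illustration.

```python
# Added example: passive flow monitoring for an ICS network.
# Builds a per-device inventory of ICS protocols from observed flows and
# reports flows that cross a zone boundary without a permitted conduit.
# Zones, conduits, the port table and the sample flows are assumptions.
import ipaddress
from collections import defaultdict

# Hypothetical zone layout, loosely modelled on the IEC 62443 zone/conduit idea.
ZONES = {
    "IT": ipaddress.ip_network("10.1.0.0/16"),
    "DMZ": ipaddress.ip_network("10.3.0.0/16"),
    "OT": ipaddress.ip_network("10.2.0.0/16"),
}
# Permitted conduits as (source zone, destination zone). IT reaches OT only via the DMZ.
ALLOWED_CONDUITS = {("IT", "DMZ"), ("DMZ", "OT"), ("OT", "DMZ")}
# Well-known TCP ports of common ICS protocols.
ICS_PORTS = {102: "s7comm", 502: "modbus/tcp", 4840: "opc-ua", 20000: "dnp3", 44818: "ethernet/ip"}


def zone_of(ip):
    """Map an address to its zone; anything outside the known ranges is EXTERNAL."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"


def parse_flows(lines):
    """Parse 'ts,src,dst,dst_port,proto' records; blank lines and '#' comments are skipped."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto = line.split(",")
        flows.append({"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto})
    return flows


def build_inventory(flows):
    """Per-host view: zone, ICS protocols it serves, ICS protocols it speaks to other hosts."""
    inv = defaultdict(lambda: {"zone": None, "serves": set(), "talks_to": set()})
    for f in flows:
        for host in (f["src"], f["dst"]):
            inv[host]["zone"] = zone_of(host)
        proto = ICS_PORTS.get(f["port"])
        if proto:
            inv[f["dst"]]["serves"].add(proto)
            inv[f["src"]]["talks_to"].add(proto)
    return dict(inv)


def find_conduit_violations(flows):
    """Flows that cross a zone boundary other than through a permitted conduit."""
    findings = []
    for f in flows:
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        if src_zone != dst_zone and (src_zone, dst_zone) not in ALLOWED_CONDUITS:
            findings.append((f["ts"], src_zone, dst_zone, f["src"], f["dst"], f["port"]))
    return findings


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = """
# ts,src,dst,dst_port,proto
2023-05-01T10:00:01,10.1.5.20,10.3.0.10,443,tcp
2023-05-01T10:00:02,10.3.0.10,10.2.0.15,502,tcp
2023-05-01T10:00:03,10.2.0.15,10.2.0.40,102,tcp
2023-05-01T10:00:04,10.1.5.20,10.2.0.15,502,tcp
2023-05-01T10:00:05,10.2.0.33,203.0.113.7,443,tcp
2023-05-01T10:00:06,198.51.100.9,10.2.0.40,4840,tcp
""".strip().splitlines()

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, info in sorted(build_inventory(flows).items()):
        print(f"{host:15} zone={info['zone']:8} serves={sorted(info['serves'])} talks_to={sorted(info['talks_to'])}")
    for ts, sz, dz, src, dst, port in find_conduit_violations(flows):
        print(f"VIOLATION {ts}: {sz}->{dz} {src} -> {dst}:{port}")
```

On the sample data the inventory shows 10.2.0.15 serving Modbus/TCP and speaking S7comm to 10.2.0.40, which in turn exposes S7comm and OPC UA. Three flows are reported as violations: an IT workstation reaching a Modbus device directly instead of through the DMZ, an OT host connecting out to the internet, and an external address reaching an OPC UA endpoint inside the OT zone. The first is the segmentation failure Dragos describes, the last two are the uncontrolled external connections.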
Steer also advised organizations to start by understanding their technology stack, and said they need to ask themselves some critical questions: how they can better track activity to and from the network; how their network designs align with industry best practices; how they can monitor the network more effectively for likely risks such as advanced adversaries; and how much friction security measures can add to the user experience while still allowing the job to get done, in line with the risk exposed to the organization.
He also called on enterprises to seek answers to whether they know what their technology stack currently is, whether they are tracking new and existing vulnerabilities in that stack, whether the organization has any threat intelligence on actors that typically target ICS environments, how accurate and up to date that threat intelligence is, and how they can turn that intelligence into an ever-improving security strategy for their ICS systems.
“It is important to have visibility into the OT network. However, there is also a need to monitor the control system field devices (e.g., process sensors and actuators) which have no cyber security or authentication,” Weiss said. “Moreover, control system device output is the input to the OT networks. The process sensor monitoring should be out-of-band from the OT networks and at the physics level since ‘you can’t hack physics.’ As part of this effort, the engineers MUST be part of the process and the ICS cyber security program should be under the purview of engineering, not the CISO,” he added.
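Weiss's point that process sensors and actuators carry no authentication, so their readings should be checked out-of-band at the physics level, can be illustrated with a simple cross-check. The block below is an added example and is not Weiss's own method or code. It compares a tank-level reading as reported over the OT network with an independent out-of-band measurement of the same variable, and separately rejects network-reported changes faster than the process can physically move. The sample series, the tolerance and the maximum rate of change are constructed values for the illustration.

```python
# Added example: cross-checking network-reported sensor values against an
# out-of-band physical measurement and a physical rate-of-change bound.
# Sample data, tolerance and rate bound are constructed, not taken from a plant.


def detect_sensor_anomalies(network_values, oob_values, tolerance, max_rate, interval_s=1.0):
    """Return a list of (sample_index, reason) findings.

    network_values: readings as seen on the OT network (HMI/historian side), which
                    malware between sensor and controller could alter or replay.
    oob_values:     readings from an independent out-of-band measurement of the
                    same physical quantity, sampled at the same instants.
    tolerance:      largest acceptable |network - oob| in engineering units.
    max_rate:       fastest physically possible change per second.
    interval_s:     sampling interval in seconds.
    """
    if len(network_values) != len(oob_values):
        raise ValueError("series must be sampled at the same instants")
    findings = []
    for i, (net, oob) in enumerate(zip(network_values, oob_values)):
        # Check 1: does the network-reported value agree with the physics?
        if abs(net - oob) > tolerance:
            findings.append((i, "diverges from out-of-band measurement"))
        # Check 2: could the process have moved this far since the last sample?
        if i > 0 and abs(net - network_values[i - 1]) > max_rate * interval_s:
            findings.append((i, "rate of change exceeds physical limit"))
    return findings


# Constructed sample: a tank filling at 1.0 unit/s. The out-of-band sensor tracks
# the real level throughout; the network-reported value is spoofed at sample 2 and
# then frozen at 54.0 from sample 5 onward (a replay-style attack that keeps the
# HMI looking normal while the tank keeps filling).
OOB_LEVEL = [50.0, 51.0, 52.0, 53.0, 54.0, 55.0, 56.0, 57.0, 58.0, 59.0]
NET_LEVEL = [50.1, 51.0, 60.0, 53.0, 54.0, 54.0, 54.0, 54.0, 54.0, 54.0]
TOLERANCE = 1.5  # engineering units of level
MAX_RATE = 1.5   # units per second the pump can physically deliver


def run_sample():
    """Run the cross-check over the constructed series."""
    return detect_sensor_anomalies(NET_LEVEL, OOB_LEVEL, TOLERANCE, MAX_RATE)


if __name__ == "__main__":
    for index, reason in run_sample():
        print(f"t={index}s network={NET_LEVEL[index]:.1f} oob={OOB_LEVEL[index]:.1f}: {reason}")
```

The spoofed spike at sample 2 is caught twice, once because it disagrees with the out-of-band reading and once because no pump could raise the level nine units in a second; the frozen value passes for one sample, then diverges from sample 6 onward as the real level climbs away from it. Neither check needs the sensor or the network path to be trustworthy, which is the point of doing the comparison outside the OT network.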
The experts cover the measures that governments around the world have adopted to deal with advanced and persistent threats from nation-state actors, and the effect those measures are likely to have on the ICS cyber threat landscape.
“For a long time, cybersecurity has been based on voluntary agreements between the public and private sectors. However, there are ongoing movements around the globe advocating for more regulation on the topic,” according to dos Santos. “This regulation typically includes the need for manufacturers to ensure their devices are secure, for asset owners to ensure these devices are securely configured and used, or for organizations to report relevant cyber incidents. Examples include the US National Cybersecurity Strategy and the EU NIS2 Directive.”
Beyond regulation, dos Santos said that several countries are also forming international task forces to improve cybersecurity. Examples include the International Counter Ransomware Task Force led by Australia and the Quad’s increasing focus on cybersecurity.
Steer said that “we have already seen that the US government has taken active steps by taking down ransomware groups such as Lapsus$ and REvil in 2021 and 2022. The recent take-down of the Genesis market by the FBI is a great example of these efforts alongside the Hydra market takedown recently as well. The FBI indicted 7 members of Conti in Feb 2023 as well. This is all encouraging. There are some positives from this as the US continues to fight back together with law enforcement agencies around the world,” he added.
“But ICS is a niche part of the cybercrime landscape, compared to the general landscape, so it will take some time for these efforts to come to full fruition in terms of us seeing significant changes in the ICS cyber threat landscape,” Steer added. “To my earlier point, building secure software will take years to have security by design so in the short term we are not expecting too much to change in the ICS world.”
Weiss assesses that the efforts have been good but limited as they have focused on the OT networks. “Consequently, it leaves a hole at the control system device level that adversarial nation-states will, and have, exploited,” he added.

Last November, a Microsoft report assessed that nation-state actors are launching increasingly sophisticated cyberattacks designed to evade detection and further their strategic priorities. The report said that the deployment of cyberweapons in Ukraine’s hybrid war marks the beginning of a new era of combat, and that Russia has also supported its war with information influence operations, using propaganda to shape opinion in Russia, Ukraine, and globally. Outside Ukraine, it found, nation-state actors have increased activity and begun using advancements in automation, cloud infrastructure, and remote access technologies to attack a wider set of targets.
The experts lay down actions that ICS environments and critical infrastructure organizations must adopt to safeguard their infrastructure.
“Critical infrastructure organizations need to continue the work that was started with cyber hygiene as the baseline and now extend to threat detection and response that spans IT, IoT, and OT,” dos Santos said. “A leading approach in IT security has been called ‘assume breach,’ which means that organizations should not adopt a mindset that cyberattacks might target them, but that they will target or are targeting them already. Therefore, the focus becomes detection, response, and recovery from attacks. This mindset must be translated to OT/ICS environments too so that organizations prioritize detection of attacks that span multiple types of devices and work on automated responses for those,” he added.
Steer said that it is “important to know your technology stack, to review access, manage authentication and monitor your network access points across your attack surface as well as partnering with industry peers to share intelligence. First and foremost, it is all about getting the basics right.”
Weiss pointed out that Microsoft’s report identified IoT and OT controller devices using COTS operating systems. “The Microsoft report did not address the serial networks and control system field devices that do not use COTS operating systems such as Windows. As there is no cyber forensics or authentication at the serial and control system field device level, it is not clear what is happening with the infrastructures.”
He added that there is a need to monitor the control system field devices (e.g., process sensors and actuators) out-of-band at the physics level. “The engineers MUST be part of the process and the ICS cyber security program should be under the purview of engineering, not the CISO.”