Cyber is a series dedicated to improving cybersecurity of industrial control systems. These are certainly my least pleasant posts to write and no doubt the least pleasant to read. However, they probably rank as some of the most important.
Why would adversaries hit industrial automation systems?
Let us start with a reality check. Industrial control systems are slow to migrate, slow to upgrade, typically underrated and funded by upper management, yet absolutely vital to the economy. They probably have a good ROI for attackers.
If so, why do we not see this more?
They are already targets of cyber-attacks. If you were a large company, would you publish how someone broke in?
But my OT / SCADA team says am I not online!
Have you ever taken a look at SHODAN? Just see if some of the IP addresses from your firm are listed.
Do you have any artificial intelligence, machine learning, real-time monitoring systems tied into your system? I have a strange feeling they are online.
Are your IT and OT networks properly separated? Do you have separate networks or common networks? There are ranges of separations and techniques. You could have fully separate fiber or separate them with VLANs and IPs. Even just being aware is a significant difference. The larger your system is, the better chance you have of being fully separated.
Do you have more than one site? If so, does your IT team have a real VPN? Have you had an actual pen-tester (not your friend's sister's son-in-law) take a look at the system?
Actually, I have a Maintained Service Provider (MSP) that handles all this. Why worry?
Let's play a game and pretend to be the adversary. If you can compromise the MSP, you can get control of several of their clients. As a client of said MSP, how confident are you that you would be their number one priority?
I have a great IT team, a great OT team, separated networks, great backups and even an air-gap. No one gets in. Why am I reading this?
This sounds just like the Iranian centrifuges, or the Maersk shipping line a few years back. An adversary with unlimited time and resources is getting in. You still need to decide how you get back online. This is far more important if you are getting targeted by state actors. Specifically critical infrastructure or critical manufacturing.
Are adversaries the only problem?
No! Lacking maintenance, supply chain shortages, (wo)manpower and environmental disasters also play into the management of your issues. Your management really should be investing in various potential issues and need to divide their resources for each potential mitigation.
Stagnation in research is a whole separate issue: if your firm is not improving their production methods, they are dooming themselves to economic disaster.
Anyone who says you should cut the maintenance budget to increase the cyber budget is making a proposition that is dangerous in a different way. Management rarely has good options.
Why bother then?
You bother so you have a job next year. Being aware of the issue is important and understated. Blaming your team for failure is different than having a measured response, with a plan. If you go down and have a plan to get back up, with all the parts already in place, you are going to be much better off than those without.
Good luck!
Comments