According to a recent report from The Institute for Critical Infrastructure Technology (ICIT), “if a SCADA or industrial control system (ICS) in an energy, utilities or manufacturing organization becomes infected with ransomware, then lives could be jeopardized in the time it takes to investigate the incident and return the systems to operation.” Ransomware is an emerging threat to industrial and manufacturing organizations and one that should not be dismissed as affecting only IT systems.
For manufacturers, ransomware represents a clear and present danger to the business. ICS and IT share many of the same cyber attack vectors because both are built on Commercial-Off-the-Shelf (COTS) technology. An attacker who infiltrates and tampers with IT systems and then moves laterally into ICS systems could do disastrous damage. Intruders could also reach ICS endpoints directly, such as Human Machine Interfaces (HMIs), and hold them for ransom, which could affect the integrity and safety of the manufacturing process itself. Manufacturers must accelerate the implementation of risk-based cyber security programs to prevent the broad-scale cyber attacks we already see across other mission-critical industries.
Understanding ICS Security Risks
As control systems become more connected with IT networks, third party service providers, the internet, remote users and more, the number of security risks has skyrocketed. In part, this is due to the dramatic increase in the number of users and applications actively accessing and extracting operational data from ICS. Some of these users and applications require privileged or administrative credentials to access industrial networks and critical systems. Support and maintenance personnel, operators and control engineers, remote vendors, corporate applications and automated batch applications all use these privileged credentials.
But these privileged credentials are more than just arbitrary logins. Privileged accounts or credentials — often referred to as the “keys to the IT kingdom” — provide users with widespread, powerful access to every corner of an organization’s network, including ICS. Since privileged accounts are often numerous and unmanaged, they pose a serious risk if exploited by a malicious attacker.
The risks that manufacturers face with ICS don’t stop there. Most ICS software applications now run on COTS technology, yet they are secured far less rigorously than equivalent deployments in corporate IT environments. This is evident in the prolific use of shared accounts, remote access for outside vendors and default, hard-coded credentials, all of which often go unsecured and unmonitored for extended periods of time, making it very difficult to attribute and report on the activity of a specific user.
Prioritizing ICS Security
Varied ICS security challenges present increased risk to manufacturers, their networks and their customers. These potential risks include everything from operational downtime, increased costs and regulatory or compliance infractions to serious, irreparable consequences such as environmental damage, complete operational compromise, loss of or defective products and consumer safety.
By taking the proper steps to secure privileged accounts and protect their networks and critical assets, organizations can give IT and operational technology users, third party vendors and applications access to ICS without sacrificing security standards or operating efficiencies. Here’s how:
1. Discover, manage and secure privileged credentials
The common thread across these vulnerabilities is the proliferation of privileged accounts. The first critical step in mitigating the risk of an attacker exploiting one (or many) of these accounts is for manufacturers to identify all users, applications and associated credentials used to grant access into the ICS network and into ICS devices and servers. This inventory should include hard-coded credentials, passwords embedded in configuration files and scripts, and accounts that belong to terminated employees or are simply no longer needed. By reducing the number of privileged accounts, manufacturers shrink the potential ICS attack surface. From there, actively securing and monitoring the remaining credentials, together with multi-factor authentication, one-time-use passwords with automatic rotation and similar controls, will help manufacturing organizations protect these accounts, gain granular insight into their use and improve accountability.
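The two discovery checks above, as an added example that is not code from the original article or from any vendor product: a scan of configuration files and batch scripts for embedded credentials, and a review of a privileged-account inventory for accounts whose owner has left, that have never been used, that have sat idle past a retention window, or that are shared. The file contents, the regular expressions, the inventory records and the reference date are all constructed for the example; real scans would walk the HMI, historian and engineering-workstation file systems and pull last-use dates from the directory or the devices themselves.

```python
"""Privileged-credential discovery for an ICS estate (added example, not the article's code).

Check 1: find credentials embedded in config files and scripts.
Check 2: flag privileged accounts that should be removed or brought under management.
All inputs below are constructed sample data; patterns are a starting point, not a complete set.
"""
import re
from datetime import date

# key=value / key: value secrets in INI, batch and shell files. `[ \t]*` rather than `\s*`
# so an empty value (e.g. "set PWD=") cannot swallow the newline and match the next line.
KEY_VALUE_SECRET = re.compile(
    r"(?i)(password|passwd|passphrase|pwd|secret|api[_-]?key)[ \t]*[=:][ \t]*['\"]?([^'\"\s;]+)"
)
# user:password@ embedded in connection URLs (OPC UA, FTP, SSH, RDP); assumed schemes.
URL_EMBEDDED_CREDS = re.compile(r"(?i)\b(?:opc\.tcp|ftp|ssh|rdp)://([^:/\s@]+):([^@\s]+)@")

# Constructed sample inputs: relative path -> file text.
SAMPLE_FILES = {
    "hmi/app.ini": "Server=plc01\nUser=engineer\nPassword=Summer2016!\n",
    "batch/export_history.bat": "set SA_PASSWORD=Welcome1\nsqlcmd -S historian -U sa -P %SA_PASSWORD%\n",
    "vendor/opc.conf": "endpoint=opc.tcp://svc_vendor:v3nd0r@plc02:4840/\n",
    "docs/readme.txt": "Contact the control room before changing setpoints.\n",
}

# Constructed account inventory. last_used is None when the account has never logged in.
SAMPLE_INVENTORY = [
    {"name": "plc_admin", "privileged": True, "owner_status": "terminated", "last_used": date(2016, 8, 30)},
    {"name": "svc_historian", "privileged": True, "owner_status": "active", "last_used": date(2016, 2, 10)},
    {"name": "eng_shared", "privileged": True, "owner_status": "active", "last_used": date(2016, 8, 31), "shared": True},
    {"name": "operator7", "privileged": False, "owner_status": "active", "last_used": date(2016, 9, 1)},
    {"name": "vendor_remote", "privileged": True, "owner_status": "active", "last_used": None},
]


def _finding(path, lineno, kind, secret):
    # Keep only a hint of the secret so the report itself is safe to circulate.
    return {"path": path, "line": lineno, "kind": kind, "hint": secret[:2] + "*" * (len(secret) - 2)}


def scan_for_embedded_credentials(files):
    """Return one finding per embedded credential: file, line, kind and a redacted hint."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in KEY_VALUE_SECRET.finditer(line):
                findings.append(_finding(path, lineno, m.group(1).lower(), m.group(2)))
            for m in URL_EMBEDDED_CREDS.finditer(line):
                findings.append(_finding(path, lineno, f"url:{m.group(1)}", m.group(2)))
    return findings


def review_accounts(inventory, today, max_idle_days=90):
    """Return {account: [reasons]} for privileged accounts to remove or bring under management."""
    findings = {}
    for acct in inventory:
        if not acct["privileged"]:
            continue
        reasons = []
        if acct["owner_status"] == "terminated":
            reasons.append("owner terminated")
        if acct["last_used"] is None:
            reasons.append("never used")
        elif (today - acct["last_used"]).days > max_idle_days:
            reasons.append(f"idle > {max_idle_days} days")
        if acct.get("shared"):
            reasons.append("shared account: no individual accountability")
        if reasons:
            findings[acct["name"]] = reasons
    return findings


if __name__ == "__main__":
    for f in scan_for_embedded_credentials(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['kind']} -> {f['hint']}")
    for name, reasons in review_accounts(SAMPLE_INVENTORY, date(2016, 9, 1)).items():
        print(f"{name}: {', '.join(reasons)}")
```

The scan reports three embedded credentials (the INI password, the batch-file `SA_PASSWORD`, and the OPC UA connection URL) and leaves the documentation file alone; the account review flags four of the five accounts and ignores the non-privileged operator. Every credential the scan finds is a candidate for moving into a vault and rotating, and every flagged account is one fewer path for an attacker to exploit.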
2. Monitor sessions
Unmanaged users or applications accessing the ICS network, whether from the corporate environment or from remote, third party vendors, provide an opportunity for attackers to install and use malware or ransomware — including keylogging software or other tools to obtain direct access to sensitive assets and capture privileged credentials. From there, attackers can compromise critical systems or manipulate physical devices and products. By isolating all sessions that use a privileged account and adopting real-time and recorded monitoring, manufacturers gain a critical record for attack forensics and analysis.
3. Identify and stop suspicious activity
In addition to session monitoring, analytics tools that learn the typical patterns of activity (which accounts connect, from where, to which systems and at what times) and continuously monitor user and privileged account activity can identify and alert on behavior that departs from those patterns. IT, OT and security teams can use the alerts to detect and disrupt in-progress attacks, dramatically reducing any damage to operations and the business.
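The kind of baseline-and-alert logic described above, as an added example that is not code from the original article or from any vendor product. A profile of each privileged account (sources, targets and hours of day) is learned from a quiet period of session logs, and later sessions that use a new source, reach a new target, fall outside the learned hours, arrive in a burst, or come from an account with no profile at all raise an alert. The log format, every log line, the one-hour slack around learned hours and the burst threshold are all assumptions constructed for the example.

```python
"""Behavioral alerting on privileged-session logs (added example, not the article's code).

Learn per-account sources, targets and hours from a baseline window, then alert on sessions
that fall outside it. Log format and log lines are constructed; a real deployment would feed
this from the session-isolation proxy or jump host that brokers ICS access.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) src=(?P<src>\S+) target=(?P<target>\S+)$"
)

# Constructed learning window: two weeks of routine privileged sessions.
BASELINE_LOGS = [
    "2016-08-22T08:03:11Z user=eng_smith src=10.0.50.21 target=hmi-line3",
    "2016-08-22T14:20:45Z user=eng_smith src=10.0.50.21 target=hmi-line3",
    "2016-08-23T09:15:02Z user=eng_smith src=10.0.50.21 target=plc01",
    "2016-08-24T16:40:19Z user=eng_smith src=10.0.50.21 target=hmi-line3",
    "2016-08-22T10:05:00Z user=svc_vendor src=203.0.113.7 target=plc02",
    "2016-08-25T11:30:12Z user=svc_vendor src=203.0.113.7 target=plc02",
    "2016-08-22T06:01:33Z user=operator_lee src=10.0.50.30 target=hmi-line1",
    "2016-08-22T13:58:07Z user=operator_lee src=10.0.50.30 target=hmi-line1",
    "2016-08-23T21:12:50Z user=operator_lee src=10.0.50.30 target=hmi-line1",
]

# Constructed sessions to evaluate against the baseline.
NEW_LOGS = [
    "2016-09-05T09:12:40Z user=eng_smith src=10.0.50.21 target=hmi-line3",    # routine
    "2016-09-05T02:41:09Z user=eng_smith src=10.0.50.21 target=hmi-line3",    # off-hours
    "2016-09-05T10:00:27Z user=eng_smith src=10.0.77.5 target=hmi-line3",     # new source host
    "2016-09-05T10:30:00Z user=svc_vendor src=203.0.113.7 target=plc02",      # routine
    "2016-09-05T10:45:13Z user=svc_vendor src=203.0.113.7 target=hmi-line1",  # new target
    "2016-09-05T10:46:02Z user=svc_vendor src=203.0.113.7 target=plc02",
    "2016-09-05T10:47:55Z user=svc_vendor src=203.0.113.7 target=plc02",      # 4th session this hour
    "2016-09-05T03:05:18Z user=contractor9 src=198.51.100.4 target=plc01",    # never seen before
]


def parse(line):
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def build_baseline(lines):
    """Per-account profile of source hosts, targets and hours of day seen during learning."""
    profile = defaultdict(lambda: {"srcs": set(), "targets": set(), "hours": set()})
    for ev in map(parse, lines):
        p = profile[ev["user"]]
        p["srcs"].add(ev["src"])
        p["targets"].add(ev["target"])
        p["hours"].add(ev["ts"].hour)
    return dict(profile)


def _usual_hour(hour, hours, slack=1):
    # Treat an hour as usual if the account was seen within `slack` hours of it (assumed tolerance).
    return any((hour + d) % 24 in hours for d in range(-slack, slack + 1))


def detect(lines, baseline, burst_threshold=3):
    """Return (timestamp, user, reason) alerts for sessions outside the learned profile."""
    alerts = []
    per_hour = defaultdict(int)  # (user, date, hour) -> sessions seen so far
    for ev in map(parse, lines):
        user, ts = ev["user"], ev["ts"]
        stamp = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
        p = baseline.get(user)
        if p is None:
            alerts.append((stamp, user, "account not in baseline"))
            continue
        if ev["src"] not in p["srcs"]:
            alerts.append((stamp, user, f"new source {ev['src']}"))
        if ev["target"] not in p["targets"]:
            alerts.append((stamp, user, f"new target {ev['target']}"))
        if not _usual_hour(ts.hour, p["hours"]):
            alerts.append((stamp, user, f"off-hours session at {ts.hour:02d}h"))
        key = (user, ts.date(), ts.hour)
        per_hour[key] += 1
        if per_hour[key] == burst_threshold + 1:  # fire once, when the threshold is first exceeded
            alerts.append((stamp, user, f"burst: more than {burst_threshold} sessions in one hour"))
    return alerts


if __name__ == "__main__":
    for stamp, user, reason in detect(NEW_LOGS, build_baseline(BASELINE_LOGS)):
        print(f"{stamp} {user}: {reason}")
```

Run against the constructed data, the baseline itself produces no alerts, and the new sessions produce five: the 02:41 off-hours session, the session from the unfamiliar host, the vendor account reaching a line HMI it has never touched, the vendor's fourth session in one hour, and the account with no history at all. A vendor account that suddenly reaches a new target at an unusual rate is exactly the pattern the session isolation and monitoring in step 2 should make visible to IT and OT staff while the session is still in progress.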
4. Implement endpoint security controls
A highly effective way to mitigate the risk of ransomware attacks is to prevent unknown applications, including ransomware, from running at all, so they never get the read and write access needed to encrypt files. A combined approach is recommended: remove local admin rights, which limits how far malware can spread and what it can disable, and apply application control (allowlisting) to block unapproved executables on critical systems. The two are complementary, since ransomware running as an ordinary user can still encrypt every file that user can write; it is application control that keeps the unknown binary from executing in the first place.
Manufacturers are living in a new world of ICS security risks. By protecting the most critical and sensitive assets from cyberattacks, they’re poised to gain the operational efficiencies from ICS environments through internet connectivity and COTS software and devices, without compromising their businesses, their products or the safety of consumers.
Yariv Lenchner is Senior Product Manager at CyberArk.