Industry executives and experts share their predictions for 2020. Read them in this 12th annual VMblog.com series exclusive.
By Jason Haward-Grau and Mark Carrigan, PAS Global
Digitalization, IIoT, & 5G connectivity pose intensified threat to industrial control systems
As we reflect on 2019, cyber attacks against industrial control systems (ICS)
continue to rise, with more sophisticated tools and techniques for hacking
becoming readily available and operational systems more easily accessible. With
this in mind, it is important for organizations to better prepare against
threats facing operational technology (OT) environments, including assessing
the benefits and increased risks posed by digitalization, 5G, and industrial
internet of things (IIoT) devices, in the coming year. Furthermore, it will be
critical for IT/OT teams to embrace collaboration and convergence in order to
thwart additional risks facing this new era of connectivity.
Jason Haward-Grau, CISO at PAS Global
5G Risks Will Bleed Into Industrial Environments
With 2019's wave of hype surrounding 5G, new vulnerabilities and
opportunities for exploit are almost certain in 2020. What makes 5G a
greater-than-normal risk is the high business potential for its use and
deployments, which will regularly occur in arguably less-secure industrial
environments with outdated, legacy devices. Adversaries will begin to target
these environments, bringing dire consequences such as unauthorized changes to
configurations that make industrial processes do something they are not
supposed to do, thereby resulting in an industrial accident, outage or even
environmental excursion.
IIoT Device Proliferation Will Increase Connectivity and Industrial Cyber Risk
With the continuing desire from the business to capture
operations data for analytics, 2020 will see continued and increasing
deployment of Industrial Internet of Things (IIoT) sensors across plants and
facilities. With the vast majority of these devices prioritizing connectivity
and data gathering over security requirements, their proliferation will
significantly increase the attack surface in industrial operations leading to
greater cyber risk exposure. With executive mandates for 'big data' initiatives
at the C-suite and board level, it will be challenging for security and
operations teams to address this risk on the timelines these projects are being
driven to.
IT/OT Team and Tools Convergence Will Become Mandatory
In 2020, worlds will continue to collide with the convergence of
IT/OT environments. Recent years have brought multiple, well-publicized
cyberattacks on industrial facilities, which are now occurring with greater
frequency and sophistication. In order to keep up, organizations entering into
the new decade have no choice but to embrace the convergence of environments
and teams that previously seemed worlds apart. As we enter into 2020, we must
realize that no network is isolated from the others, and in order to thrive -
and inherently survive - we must be a part of a larger community, leveraging
the expertise that both IT security and OT (operational technology) experts
bring to the table. This convergence will present new challenges as control
rooms and OT/IT networks become more centralized; for example, a recent DDoS
attack knocked control room visibility offline at a power generation company.
Multi-Vector Industrial Infrastructure Attacks Will Become the New Normal
Spear-phishing attacks, compromised credentials, malware,
ingress via infected contractor devices, and DDoS attacks have been grabbing
the headlines of cyber industrial attacks for several years now. In 2020, we
will see an increase in the combined, simultaneous use of such attacks as well
as attempts to leverage IIoT and 5G hyper-connectivity to gain access to
industrial control systems. This will lead to increasing ransomware demands on
industrial operations providers as well as increased risk of reliability and
safety-impacting incidents. We also expect to start seeing physical, e.g.
drone-based, attacks used in combination with digital cyber attack methods.
Mark Carrigan, COO at PAS Global
The Fourth Industrial Revolution Will Arrive - But Companies Won't be Ready
With more connectivity comes more risk. 2020 will signal a
giant leap toward the fourth industrial revolution (Industrie 4.0), and
organizations won't be ready from a cybersecurity perspective to meet the
mandates of Chief Digital Officers (CDOs). Catching up means
first assessing the unique risks that modernization brings to OT environments
and developing an inventory of devices and the risk of potential threats. After
all, you can't protect what you can't see. Secondly, organizations will need to
minimize or offset these threats by blending safety and security to remedy
existing vulnerabilities on legacy devices and build security directly into the
new and innovative technology being introduced.
A Wake-Up Call: Software Vulnerability Threats on Legacy OT/ICS Devices Will Skyrocket
As we enter into 2020, we must not press the snooze button when
it comes to the importance of OT/ICS (operational technology / industrial
control systems) security. Alarmingly, we have seen an uptick in attacks on OT
environments in 2019. When OT systems were put in place 20+ years ago,
cybersecurity-related threats were not a significant concern like they are
today. Because OT is at the core of running utilities, refining,
manufacturing, transportation and other industrial automation efforts,
organizations will need to increase the prioritization of software
vulnerability risks, in particular, to avoid potential life or death
consequences in 2020. Going forward, we expect to see a significant increase in
malware specifically targeted at exploiting software vulnerabilities in OT
networks.
Increased Adoption of OT Security Frameworks and Standards Will Reduce Risk But Increase Cost & Complexity
We are seeing an increase in the definition of OT (operational
technology) security frameworks and standards, such as ISA/IEC 62443 and the
European Cyber Directive as well as frameworks from NIST, NERC, SANS, and the
Center for Internet Security. In 2020, increasing adoption of these frameworks
and standards will reduce cyber risk; however, they will increase industrial
cybersecurity cost and complexity as organizations work to adopt and attest to
their use of these frameworks and standards. Given the relative immaturity of
adoption, organizations are also likely to evaluate adopting multiple
frameworks, thereby increasing cost and complexity further.
Shortage of OT-knowledgeable Cyber Security Analysts Will Increase Likelihood of Unpatched Vulnerabilities and Unidentified Breaches
The shortage of IT security analysts is well known; however, the shortage in
operational technology (OT) knowledgeable security experts is even greater, posing
significant risk to organizations running hazardous industrial processes. With
the lack of available experts, many industrial organizations will be exposed to
unknown and unpatched vulnerabilities, leading to an increase in unknown
breaches. This will increase the likelihood not only for revenue and
safety-impacting incidents, but also the risk of industrial cyber 'sleeper
cells' that are ready to take action based on the needs of nation-state actors
or hacking groups at a moment's notice.