Five critical controls against an industrial cyber attack
There is a commonly held and dated misconception that a successful cyber attack can only cause damage to or steal information and data. But with increased interconnectedness and the rise of the Internet of Things, a different type of cyber threat exists with an even more sinister motive to physically damage critical civilian infrastructure and potentially cause serious injury or death.
These attacks focus on controlling operational technology (OT), which is the hardware and software assets organisations use to control physical processes.
Once these assets have been compromised, attackers can manipulate machinery remotely. These industrial cyber attacks can have far more catastrophic consequences than a data breach, such as system failures, leakages or even explosions. For the transport sector, that may result in train collisions, loss of speed controls, or even failures in barrier operations. For the oil and gas sector, it could manifest as the overfilling of a tank, the overheating of a unit or the spillage of hazardous raw materials.
In our annual 2022 ICS/OT Cybersecurity Year in Review, Dragos reported the highest number of vulnerabilities affecting industrial control systems (ICS) and OT, totalling 2,170 individual CVEs in the year. This represents a 27% increase compared to 2021 and points to a worrying trend of future attacks on industrial infrastructure.
Much is at stake if OT environments are compromised in industries like mining, utilities, oil and gas, transportation, and manufacturing. That's why ICS/OT cybersecurity is fundamental to protecting and securing critical infrastructure and ensuring the safety of employees and the broader community.
A sophisticated platform created for a malicious purpose
An example of such a threat was recently uncovered within a series of alleged contracts between the Russian company NTC Vulkan and the Russian Ministry of Defense. These documents provide a description of software components and the underlying infrastructure for an offensive cyber operations platform that would allow for a range of impacts in rail and petrochemical environments with physical consequences, including damage to physical equipment or creating unsafe conditions.
Among a range of capabilities, this cyber program provides the ability to take control of the information and technical facilities for telecommunications and "life support systems", which refer to critical civilian infrastructure like energy utilities, gas and oil pipelines, rail and transport systems and water treatment facilities.
A concerning aspect of the Russian program is that it enables attackers to remotely achieve control of the target environment and equipment via the local area network and scan networks to identify hardware, firmware, and software used to control industrial equipment. The program automatically notifies the operators of vulnerabilities, enabling them to conduct computer network intrusions, deny control, take control, damage property, or remove safety controls. These techniques could degrade, damage, or destroy physical equipment; or injure or kill people.
Dragos provides a full analysis of the Russian programs threatening critical civilian infrastructure in a recent intelligence brief.
Investing in OT cybersecurity isn't a choice; it's a necessity
Defenders should be aware of these real and concerning capabilities and prioritise their OT cybersecurity programs to protect critical infrastructure and services. Organisations that form part of our critical infrastructure have an obligation to provide a safe working environment and a duty of care to the communities they operate in by ensuring appropriate cybersecurity investment.
There are five critical controls for OT cybersecurity identified by the SANS Institute that provide a framework to defend against adversary activity directed against OT networks, be it intellectual property theft, ransomware, or targeted cyber-physical effects.
1. ICS Incident Response Plan
A clear strategy to maintain and recover system integrity during a cyber attack. It should include step-by-step instructions and scenarios and use case examples for the specific organisation's environment.
2. Defensible Architecture
IT infrastructure that enables security management to have visibility of device use, activity logs, asset identification, and process communication enforcement.
3. ICS Network Visibility and Monitoring
Continuous network security monitoring of the environment with systems in place to inform authorities of potential risks to control.
4. Secure Remote Access
Identification and inventory of all remote access points as well as on-demand access.
5. Risk-Based Vulnerability Management
Understanding of the cyber and digital controls in place, and of device operating conditions, that aids risk-based vulnerability management decisions.
The first step in implementing these controls is achieving executive alignment on the role and importance of OT cybersecurity. One potential way to achieve organisational alignment is to tie the effort to real-world scenarios, adversary capabilities, and their intended impacts. These details can be instrumental in understanding how the threat activity might impact a given network, the potential operational and business implications, and the steps necessary to defend against and remediate the potential effects.
Once an organisation can achieve executive and board-level alignment on the importance of investing in OT cybersecurity, the foundation is in place to implement these five critical controls.