By Gregory Hale
When you hear the phrase “more of the same” it can connote the “same old thing,” which can conjure up thoughts of boring, or rote kinds of security.
But to security expert Eric Byres, as he adroitly points out, “more of the same” means much, much more.
“I think 2016 will bring us ‘more of the same’ with a big emphasis on ‘More.’ More publicly disclosed vulnerabilities, more published ICS exploits, more sophisticated attacks directed at control systems, more insecure IP devices connected to the control network, more interconnections from the outside world to the control system and of course, more hand wringing and gnashing of teeth about the sad state of the industry,” Byres said.
Byres is not the only expert to feel that way.
“I believe that 2016 will continue the trend of attacks against automation and control infrastructure,” said Joel Langill, operational security professional and founder of SCADAhacker.com. “Events that have occurred over the past 3-5 years have shown the sophistication of these attacks is increasing, indicating the opponent is gaining more industry- and system-specific knowledge. My observations and analysis show more and more of these attacks will succeed due to the lack of a cyber security program based on operational security principles. The influx of organizations into the industrial sector that lack these OpSec principles has caused many organizations to focus too much of their attention and budgets on externally-originated threats, leaving them extremely vulnerable to numerous inside vectors.”
Disregard Same Old Things
“The continued dependence on standard information security concepts like patch management and anti-malware protections is no longer sufficient in industrial architectures,” Langill said. “Until there is greater emphasis on limiting network access control, focusing on endpoints like embedded controllers and field devices that typically represent the greatest operational risk, and having established incident response procedures, future attacks are likely to target more valuable assets that will likely result in significant operational impact to those organizations targeted.”
Targeted assets remain a key factor moving forward.
“The consumer ICS market will continue to be hit through vulnerabilities by actively circulating exploits,” said Graham Speake, CSO at Berkana Resources Corp. For instance, “Automotive control systems will be a good target as they still have the ‘cool’ factor. Hackers (white and black) will want to find new ways to exploit the vulnerabilities and use these findings to elevate their status, often through events such as BlackHat, but also by releasing videos of the hack.”
“As a New Year’s gift to the community, Chris Sistrunk put a great slide together on ICS vulnerability and exploit trends since 2001,” Byres said. “Not surprisingly, we see a big jump in the number of public ICS vulnerabilities and exploits when Stuxnet was discovered. After that, there is a rather bouncy, but clear upward direction over the past five years. I have no idea why the number of vulnerabilities and exploits varies year by year so much, but the trend is clear: We can expect lots of insecure ICS products to be publicly exposed in 2016.
“The good news is that many of the large ICS vendors are now taking security seriously. I see proper Secure Development Lifecycle (SDL) programs launched as part of the product development process at big PLC and DCS companies. And I see good guidance on secure product deployment being increasingly available to the customer,” Byres said.
“The sad news is that an increasing number of disclosures each year doesn’t seem to be rallying the small and mid-sized vendors to clean up the security of their products. In fact, I recently had a manager of a mid-sized ICS vendor tell me the fact that a search on ICS-CERT for the major vendors shows so many vulnerabilities means his small company doesn’t need to worry much about making their product secure for now. Maybe next year,” Byres said.
Adding to the problem is the growing excitement around the “Industrial Internet of Things” (IIoT). IIoT is bringing new non-industrial players into the industrial space. All of them want to attach their new smart device onto the control network. The analyst team at Gartner nailed it in their new report “Predicts 2016: Security for the Internet of Things”:
“The Internet of Things is an increasingly attractive early link in attack chains. IoT vendors remain likely to repeat the security mistakes of the past and not embrace modern security, vulnerability management and disclosure practices.”
Byres continued, “As an industry we are attaching more ‘smart’ equipment to the control network. We also want to make more use of all the information available in a control system by sending it to the corporate network and beyond. Both are part of our well-meaning attempt to be more productive and responsive. But we still don’t have an easy way to determine if these new IoT products are reliable and secure. So we just trust the IoT vendors when they say ‘our product is secure.’ And in my experience, many are not — the claim of security is just marketing fluff. Until companies can show how they design security into their product from the start, industry is going to see a lot more insecure products attached to the control system in 2016. Security isn’t something you can bolt on after the fact.”
In terms of connectivity, and closely related to ICS, medical instruments will also be in for a more robust round of attacks.
“The few hacks released last year have opened the doors for others, and the relatively easy access to the devices makes them a good target to exploit,” Speake said. “The continued rise in IoT devices, particularly in the home environment, again gives an attacker an easy, cheap device to hack into, and these will again make the news multiple times throughout the year.”
From a worldwide perspective, Speake said “with the low oil price, the investment in oil and gas systems may be kept down over the next year (or two). There is still ongoing and potentially increasing instability in the Middle East which may reflect in more anti-western fervor. This could result in more malware being produced that is specifically targeting energy companies. While a successful attack that could bring down a power station or refinery is probably not likely, there is likely to be a rise in the amount of malware that gets onto control systems, often with the main action being to exfiltrate data.”
Awareness remains key, but being able to do something about it appears to be missing.
“Public entities like ICS-CERT provide a much-needed service to organizations; however, their lack of providing meaningful, actionable mitigations to known threats leaves organizations with a false sense of security,” Langill said. “Private companies, on the other hand, do not typically have the depth and experience needed in working with industrial risk that is outside of the standard ‘information’ domain. These factors are amplified by the lack of actionable threat intelligence relating to known risks and vulnerabilities that can be directly converted into intrusion protection mechanisms to help organizations identify when they are potentially under attack.”