War is eternal and inevitable. “At the end of the day, we’re fighting for resources, and that’s probably not going to change in the near future,” said Nadav Zafrir, CEO and co-founder of Team8, an Israeli cybersecurity company, who spoke during the Automation Perspectives media event held in the run-up to this week’s Automation Fair in Philadelphia. And in the digital world we now live in, secure systems have become the best, and yet the most elusive, defense.
Five conditions have created a perfect storm for cyber threats, said Zafrir, who is also CEO of OT cybersecurity specialist Claroty. Those conditions are: cross-connectivity; the convergence of IT and OT; the lack of a common language or protocol; the lack of visibility; and an active threat landscape.
Cross-connectivity is a relatively new occurrence. “It hit around the year 2000, when a number of networking technologies matured at the same time. Around 2017 we went from connectivity to hyper-connectivity, and the numbers became staggering. Today, we’re at the age of cross-connectivity. That leads into an amazing world.”
Convergence is inevitable, explained Zafrir. “When you think about IT-OT convergence, these environments were not designed to play together,” he said. “We have to think about the legacy environments. Security was assured by two concepts that no longer hold in today’s environment—isolation and obscurity.”
Divided by language
There is also no common language or protocol shared between OT and IT. “Each one has its own gray areas,” he explained. The lack of visibility down at the subsystem level also creates openings for cyber attacks. And finally, the threat landscape is active and crowded. “Nation-state attacks target industrial control systems. There are repeated warnings from DHS/FBI and GCHQ; and ransomware attacks are costing billions in collateral damage,” explained Zafrir.
“There’s a perpetually expanding attack surface, which makes defense a lot harder. Barriers to entry are lowered. This opens the door to non-state-aligned actors, who are less likely to be deterred by geopolitical and economic circumstances.”
One recent example, NotPetya, which spread using the EternalBlue exploit and masqueraded as the earlier Petya ransomware while in fact wiping the machines it infected, was a devastating attack, he said. “It was carried out by Russians against Ukraine,” said Zafrir. “It was not a direct attack on OT, but it showed that OT is susceptible to IT vulnerabilities.”
Control systems in crosshairs
Fast forward to August 2017 and an attack aimed specifically at a petrochemical plant in Saudi Arabia. Triton malware, built to interact with Schneider Electric Triconex safety instrumented system (SIS) controllers, targeted the safety controllers at the site, which Zafrir described as a Saudi Aramco facility, as a means to cause physical damage. “They were not going after a shutdown,” explained Zafrir. “They were going after a red button, so they could make use of it whenever they wanted to carry out an attack. The Triconex system did what it was supposed to do, and shut down.”
“Every time one of these things happens, we see copycats,” said Zafrir. “This is something we should be aware of. We take the malware into a lab and reverse-engineer it. At the end of the day, cybersecurity is a learning opportunity. We go out and identify the heart of the problem. Visibility is the minimum. You can’t defend what you can’t see.”
But that’s just the beginning. “Discern the languages or protocols,” recommended Zafrir. “Build the baseline. Build profiles and alerts based on anomalies. Create complete asset visibility across IT and OT. And industrial control systems need to be designed with built-in security. The idea is to make safer, more secure environments and anticipate what will happen at a very early stage. These attacks are very sophisticated, and they take time.”
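To make the baseline-then-alert approach Zafrir recommends concrete, here is a small passive-monitoring script added as an example; it is not code from the original article, nor from Team8 or Claroty. It assumes a hypothetical flow-record format (`timestamp src dst protocol function_code`, with `-` when the protocol has no function code) and runs over constructed sample traffic. The Modbus function-code values are the real ones; the hosts, the records and the `parse_flows`, `build_baseline`, `asset_inventory` and `detect_anomalies` helpers are invented for illustration. It does three things the talk calls for: builds an asset inventory from observed traffic, learns a baseline of who talks to whom and how, and raises alerts on deviations, treating a never-before-seen Modbus write as more serious than a new read.

```python
"""Passive OT baseline and anomaly alerting over constructed flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Real Modbus function codes that change process state: write coil(s)/register(s).
MODBUS_WRITE_CODES = {5, 6, 15, 16}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str            # e.g. "modbus", "s7comm"
    fc: Optional[int]     # Modbus function code; None for protocols without one

    @property
    def key(self) -> Tuple[str, str, str, Optional[int]]:
        # A "conversation" is who talks to whom, over which protocol, doing what.
        return (self.src, self.dst, self.proto, self.fc)


@dataclass(frozen=True)
class Alert:
    kind: str        # "new_asset", "new_write" or "new_conversation"
    severity: str    # "high" or "medium"
    flow: Flow


def parse_flows(text: str) -> List[Flow]:
    """Parse the hypothetical 'ts src dst proto fc' line format used in this example."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, fc = line.split()
        flows.append(Flow(ts, src, dst, proto, None if fc == "-" else int(fc)))
    return flows


def build_baseline(flows: List[Flow]) -> Tuple[Set[str], Set[tuple]]:
    """Learning phase: record every host seen and every conversation key seen."""
    assets: Set[str] = set()
    conversations: Set[tuple] = set()
    for f in flows:
        assets.update((f.src, f.dst))
        conversations.add(f.key)
    return assets, conversations


def asset_inventory(flows: List[Flow]) -> Dict[str, Set[str]]:
    """Infer each host's role from traffic direction: initiators are clients, targets are servers."""
    roles: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        roles[f.src].add(f"{f.proto}-client")
        roles[f.dst].add(f"{f.proto}-server")
    return dict(roles)


def detect_anomalies(baseline: Tuple[Set[str], Set[tuple]], flows: List[Flow]) -> List[Alert]:
    """Monitoring phase: anything the baseline did not predict becomes an alert."""
    assets, conversations = baseline
    alerts: List[Alert] = []
    for f in flows:
        if f.key in conversations:
            continue  # exactly what the baseline predicts; stay quiet
        if f.src not in assets or f.dst not in assets:
            alerts.append(Alert("new_asset", "high", f))          # unknown device on the network
        elif f.proto == "modbus" and f.fc in MODBUS_WRITE_CODES:
            alerts.append(Alert("new_write", "high", f))          # known host, never wrote here before
        else:
            alerts.append(Alert("new_conversation", "medium", f)) # new read/other traffic pattern
    return alerts


# Constructed sample traffic (hypothetical addresses, not a real capture).
# Learning window: an HMI (10.1.1.10) reads two PLCs, an engineering workstation
# (10.1.1.11) writes to one PLC, and an S7 client (10.1.1.12) talks to a third PLC.
BASELINE_LOG = """
2018-11-12T08:00:01 10.1.1.10 10.1.2.20 modbus 3
2018-11-12T08:00:02 10.1.1.10 10.1.2.21 modbus 3
2018-11-12T08:00:03 10.1.1.11 10.1.2.20 modbus 16
2018-11-12T08:00:04 10.1.1.12 10.1.2.22 s7comm -
"""

# Monitoring window: the HMI suddenly writes a register, and an unknown host polls a PLC.
LIVE_LOG = """
2018-11-12T09:00:01 10.1.1.10 10.1.2.20 modbus 3
2018-11-12T09:00:02 10.1.1.11 10.1.2.20 modbus 16
2018-11-12T09:00:03 10.1.1.10 10.1.2.21 modbus 6
2018-11-12T09:00:04 10.1.1.99 10.1.2.22 modbus 3
2018-11-12T09:00:05 10.1.1.12 10.1.2.22 s7comm -
"""


def run_example() -> List[Alert]:
    baseline = build_baseline(parse_flows(BASELINE_LOG))
    return detect_anomalies(baseline, parse_flows(LIVE_LOG))


if __name__ == "__main__":
    for host, roles in sorted(asset_inventory(parse_flows(BASELINE_LOG)).items()):
        print(f"asset {host}: {', '.join(sorted(roles))}")
    for a in run_example():
        print(f"[{a.severity}] {a.kind}: {a.flow.src} -> {a.flow.dst} {a.flow.proto} fc={a.flow.fc}")
```

Run as a script it prints the inferred inventory and then two alerts: a high-severity `new_write` for the HMI writing a register it had only ever read, and a high-severity `new_asset` for the unknown 10.1.1.99. The design point is that the baseline is keyed on the protocol operation, not just on IP pairs, because in OT the dangerous change is usually a known host doing something new (a write instead of a read) rather than a new host appearing. In a real plant the learning window must be long enough to include legitimate maintenance activity, or the engineering workstation's routine writes will show up as alerts.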