OT Cybersecurity in 2021 and Beyond Series: Part I – Threat Landscape
Written by Roark Pollock
“In 2020, breaches are the digital pandemic proving to be just as insidious and difficult to stop as Covid-19.”
With 2020 in the rearview mirror, everyone is looking ahead to what 2021 and beyond will hold. But 2020 did not end quietly, much as it began.
One of the last notable events of the year, the SolarWinds cyber-attack, left businesses and government organizations alike with a renewed focus on cybersecurity. As the scope and impact of the SolarWinds attack continue to come to light, organizations can waste no time in protecting their networks, operations, and businesses.
To that end, Mission Secure collaborated with guest authors from various perspectives to share their insights on what’s next for OT cybersecurity and what organizations need to consider as they plan their 2021 cyber-protection strategies and beyond. This series will cover three key topics: the threat landscape, risk management, and protection.
In Part I, Mark Whittley of Blackpanda, a cyber crisis management firm; Jonathon Gordon of Takepoint Research, an analyst firm; Steve Mustard of the International Society of Automation, a non-profit professional association and standards organization; and Mission Secure’s Paul Robertson, discuss the future of the evolving threat landscape. Check out their responses organized by topic and see what threats 2021 may hold for industrial control system (ICS) / operational technology (OT) networks.
Question: How will cyber threats evolve for OT networks in 2021? Any predictions on specific targets, the largest threat actors, or most common attack methods?
Threat Trend #1: Targeting OT network vulnerabilities
Mark Whittley, VP of Digital Forensics and Incident Response at Blackpanda: Threats to OT have been largely minimal relative to the volume of threats we see for IT. However, OT systems are far more easily attacked due to their age (OT systems generally do not receive as many updates or upgrades) and their lack of security controls or monitoring.
Paul Robertson, Director of Cybersecurity at Mission Secure: There will be more ICS-focused malware, including more ICS modules in IT malware. We see both more professionally built “modular” malware that can dynamically add attacks tailored to different environments and more malware designed to attack OT systems and system components. We expect to see these trends converge.
Steve Mustard, 2021 President of the International Society of Automation (ISA): Since 2010, when Stuxnet put a spotlight on the threat of a cybersecurity attack on OT networks, there has been a progression through the conventional layers of protection in mission-critical facilities, culminating in the 2018 attack on a safety system at a Middle East refinery. Now that the basic process control, operator alarm, and safety system layers have been compromised by cyber-attacks, more sophisticated attacks on these layers are only more likely, leaving facilities to rely on mechanical failsafe and disaster response procedures to mitigate the likelihood or consequence of an attack.
Threat Trend #2: Increasing attack sophistication
Steve Mustard, 2021 President of the International Society of Automation (ISA): As asset-owners are improving their cybersecurity posture, attackers are looking at weak links in the supply chain, whether it be service or product related. The 2018 Shamoon 3 incident involved strategic oil and gas vendors of the intended target. The incident impacted services to other asset-owners who shared services from these vendors. A more recent example, from December 2020, involved compromising the code base of a US network monitoring vendor whose products are used extensively by the federal government and by asset-owners. This resulted in the creation of back doors to many government agency and asset-owner networks, the scale of which is still being discovered. Given the results, it is clear this sort of tactic is going to continue to be used.
Jonathon Gordon, Industry Analyst at Takepoint Research: There is no doubt that attacks are becoming more sophisticated — the SolarWinds breach should tell you all you need to know — exploiting tactics and techniques that start by targeting the supply chain and then burrowing their way down to the user and beyond.
Paul Robertson, Director of Cybersecurity at Mission Secure: 2021 will see an increase in ransomware attacks in manufacturing and OT networks. Like the Distributed Denial of Service (DDoS) attacks of old, the Garmin compromise has shown attackers that shutting down production can be an extremely lucrative endeavor.
Steve Mustard, 2021 President of the International Society of Automation (ISA): Ransomware will continue to be a major factor as long as end users suffering ransomware attacks continue to pay ransoms to regain access to their systems, rather than employing effective response and recovery plans. Poor maintenance of software patch status, a lack of anti-malware, and no application control are significant factors in who will be impacted by a ransomware attack, as is personnel awareness.
Mark Whittley, VP of Digital Forensics and Incident Response at Blackpanda: Historically, we see the most attacks on OT systems coming from highly motivated entities such as state-sponsored groups; however, we expect this to change significantly from 2021 and beyond as more of these OT systems are being networked to support higher demand for remote administration. COVID has been a huge driver for this change. We can also expect many organizations to continue under the untenable premise of “security through obscurity.”
Threat Trend #3: Escalating cyber warfare and nation-state actors
Jonathon Gordon, Industry Analyst at Takepoint Research: The global cyber battlefield continues to evolve, with nation-states and unaligned threat actors becoming bolder. The stakes are growing. Critical infrastructure, such as energy production and distribution (Ukraine) or transportation (Iran), may be viewed as legitimate targets between two belligerents slogging it out in the offline world. The greater concern may be on the commercial side. Targeting pharmaceutical companies, for example, to exfiltrate IP or damage production capabilities for the latest vaccine, or the threat (ransomware) of doing so, may be more alluring for both nation-state and unaligned groups.
Steve Mustard, 2021 President of the International Society of Automation (ISA): Nation-state actors increasingly see attacks on critical infrastructure as being effective alternatives to military power in their conflicts. Smaller nations investing in their cyber capabilities can create consequences beyond their expected capacity, especially against other nations that are ill-prepared to deal with such warfare, perhaps those who are still heavily invested in conventional military.
Paul Robertson, Director of Cybersecurity at Mission Secure: There’s a greater emphasis on causing physical damage via cyber-attacks. Besides news reports of exploding generators in the lab, centrifuges flying apart, and buildings catching fire, we are tracking researchers causing fires with “smart” chargers. Given the unchecked state of attacks, as well as the monetization of those attacks, we expect to see more attempts and successes going forward.
Threat Landscape: Final Comments & Recommendations
Steve Mustard, 2021 President of the International Society of Automation (ISA): Intellectual property theft, while not necessarily involving OT network attacks, will influence the choice of critical infrastructure organizations targeted in 2021 and beyond, and the integration of IT and OT networks can easily allow an IT attack resulting in an OT-network incident and subsequent operational outage. One obvious example is the pharmaceutical sector, given the rush to vaccinate the world’s population from COVID-19. The proper segregation of IT and OT networks, as well as their preparedness, will be crucial in determining the extent to which a business will be impacted.
Jonathon Gordon, Industry Analyst at Takepoint Research: COVID-19 has highlighted many gaps that can be exploited remotely, gaps that many have yet to plug. Overall, as an industry, we are evolving. Industrial cybersecurity will become part of the overall strategy of industrial enterprises. It will be addressed like any other business issue, in terms of gain versus risk. 2021 will see industrial cyber being brought more into the fold, with increased collaboration between the teams on the ground (IT, OT, SecOps) and the management teams (CEO, CRO, CISO, and the board). The definition of industrial cybersecurity will continue to broaden within organizations as they seize on new technological opportunities that require more connectivity (IoT, cloud, 5G).
As Forbes poignantly states, “In 2020, breaches are the digital pandemic proving to be just as insidious and difficult to stop as Covid-19.” It is a fact that our guests and internal experts reiterate, and one they foresee persisting into 2021 and beyond.
Cybersecurity cannot stop at the corporate headquarters while leaving field sites exposed, yet OT networks still lag far behind their IT counterparts. As threat actors grow in sophistication, resources, and ability to infiltrate often weaker OT networks, it is more pertinent than ever for organizations across industries to bolster their cyber-protection. Everything is connected now, and that trend will only accelerate. It is time to take OT cyber-protection seriously.
Originally published January 14, 2021, updated January 15, 2021.