This post is part of an ongoing blog series examining “Sure Things” (predictions that are almost guaranteed to happen) and “Long Shots” (predictions that are less likely to happen) in cybersecurity in 2017.
It’s time again to make our annual cybersecurity predictions, and this year, I have the pleasure of doing two! Since my Magic 8 Ball hasn’t been too dependable in the past and inspecting animal entrails is not really my thing, I’ll go with the more useful and less messy approach of looking at trends. Calling the future is a pretty challenging task, but one’s probability of success can be much improved by looking at the trajectories of past events and extrapolating.
Speaking of trajectories, at the beginning of September, I had to make a go/no-go decision about my family vacation to Hawaii. For weeks I had been hyping up the trip to my three-year-old daughter, who loves beaches and adores sea animals. However, looming ready to spoil our Labor Day–week vacation was Hurricane Lester, which had reached Category 4 status on its approach to the Hawaiian Islands. Much of the archipelago was already on watch, as just days before, Hurricane Madeline had grazed Hawaii, fortunately leaving the islands intact but still causing quite a stir.
Having been through two major hurricane events while living on Oahu, I knew of the devastation a direct hit could bring, and thus my first instinct was to cancel the trip. At the same time, I couldn’t bear the thought of breaking my daughter’s heart after getting her hopes so high. Two hours before our scheduled flight departure, Lester was still on course to hit the islands, and I was faced with a tough decision: cancel my trip and disappoint my little girl, or fly anyway and hope that the hurricane changed its path at the last minute. I’ll keep the suspense high and tell you my decision later, but first, let’s get back to the predictions.
As I observe the movements of the cybersecurity industry, a couple of approaching “storm systems” that I foresee causing potential devastation to critical infrastructure operators are ransomware and cybersecurity regulations. The devastation from ransomware is more strongly related to critical service uptime and safety, while the impact of regulations comes in the form of administrative costs. With that said, here are my predictions for 2017.
Let’s take a closer look at each prediction separately.
The direction of ransomware in critical infrastructure is pretty clear and concerning. In September 2016, we heard of a concrete manufacturer that experienced significant downtime and other related financial damages caused by a successful ransomware attack. Also in 2016, there was the breach of an Electric Authority that, while not an operator of the grid, interacts with many of the organizations that do manage the local grid. Of even greater concern was the breach of a municipally owned electric and water utility. Here the attackers successfully breached the business network adjacent to the OT environment, causing a reported $2M in remediation and legal costs. Highlighting the increasingly targeted nature of ransomware is the news of ICS-specific ransomware in July 2016, when the E-ISAC reported ransomware apparently targeting Industrial Control Systems (ICS) in the form of a zip file named after a major supplier of ICS automation products.
These successful breaches have been of networks adjacent to OT and either did not cause downtime or, if they did, had their impact contained to the ICS operator itself and did not affect services critical to the general populace. However, looking at where this is all headed, it is only a matter of time before there is a successful downtime-causing attack on a major critical infrastructure environment, such as the electric grid or a transportation system supporting a large population.
The ability to gather intelligence on ICS environments, introduce ransomware, and make sure that it successfully compromises these specialized systems takes a lot of effort, possibly requiring the involvement of an insider. Hence, I believe that this attack will most likely involve well-resourced cybercriminals targeting an organization in an attempt to extract a hefty ransom. The impacted authority will be faced with a grave decision: pay the ransom in the hope of quickly regaining functionality, or decline to pay and instead remediate the situation with a functional disaster recovery plan, augmented with third-party resources and technologies whose total cost will end up far exceeding the ransom. None of us hopes this type of attack happens, of course, but such an event would cause the entire industry to wake up and think more urgently about how to safeguard ICS environments.
There are already cybersecurity regulations governing various sectors of critical infrastructure protection. These regulations include the NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) standards for the electric sector, CFATS (Chemical Facility Anti-Terrorism Standards) for the chemical sector, and the NRC (Nuclear Regulatory Commission) regulations for nuclear power facilities. However, one area that has not had any cybersecurity regulations put in place is the transportation sector (and its widely varying subsectors). The importance of this sector is immense, as the impact on daily life could be disastrous should key transportation services be disrupted. Consider that the transportation sector, as defined by the U.S. Department of Homeland Security, includes the following: aviation (including airports, aircraft, and air traffic control systems); mass transport and passenger rail; highway and motor carriers; maritime transportation systems; pipeline systems; freight rail; and postal and shipping. Yes, that’s about as critical as critical infrastructure gets.
Some cyber incidents in the airline industry demonstrate why this is a major concern. In 2013 there was a cyberattack on passport control systems at major airports, leading to delayed departures and long waiting times for passengers. Also in 2013, APT campaigns involving phishing scams were found to be targeting as many as 75 airports in the United States, with some organizations successfully breached. More recently, in 2016, an outage at a major airline carrier, while not attributed to a cyberattack, lasted five hours, cost $150M, and resulted in 2,000 flights cancelled over two days.
To be sure, there already are transportation-specific ICS cybersecurity plans in place, such as those from the U.S. Department of Homeland Security involving guidance on best practices. However, for 2017, I think there is the potential for new cyber legislation or regulation that one of the many transportation sector oversight bodies issues under its existing authority, possibly involving rigorous audits and steep fines for violations. This potential for regulation speaks to the gravity of these real-world threats, given that both President-elect Trump and the Republican-led Congress are generally opposed to expanding the country’s regulatory environment.
So there are my predictions for 2017. It will be interesting to see just how close or far off I am, but measuring my ability to accurately predict the future is not really the objective here. Rather, the purpose is to bring to light some of the key trends in industrial cybersecurity to hopefully build awareness and drive action.
On the former prediction, the unfortunate truth based on what I’ve seen so far is that most OT organizations are ill-equipped to deal with sophisticated attacks. Ransomware is but one of many modern attack methods that call for a different defensive mindset and a new set of protective technologies. Granted, OT organizations are waking up and modernizing their OT security, but most have a long way to go, especially in being able to stop more advanced attacks. As IT and OT integrate even more deeply, organizations need to educate themselves about what attackers are doing and about the state of the art in cybersecurity best practices and technologies.
Similarly, transportation organizations, or more broadly, other critical infrastructure operators not subject to regulations today, need to plan for the potential of such cybersecurity laws. As these organizations plan for upcoming regulations, whether they get put in place next year or further out, it is important to remember that compliance doesn’t mean they are secure. Even under a well-crafted regulation that promotes risk management rather than a culture of minimum compliance, compliance establishes only a good baseline; companies need to strive for more. Fortunately, a natural outcome of applying the best known practices and technologies is that one will very likely exceed the requirements of cybersecurity laws and pass audits with reduced effort and cost. Invest a little more time up front and make it easier on yourself later during the audit.
Going back to the critical decision I had to make about my family vacation, I ended up trusting my gut and cancelled our trip to Hawaii. We decided instead to take a drive south to SeaWorld and the San Diego Zoo Safari Park, which my daughter absolutely loved. So all ended up well. As for Hurricane Lester, it ended up changing direction and, like Madeline, just grazed Hawaii, causing some heavy rain and winds but nothing major. My initial reaction was that I had made the wrong decision. However, considering the risk to my family’s safety had I decided to go and the hurricane hit, I still stand by my decision to forgo the trip. The stakes were simply too high.
A parallel statement could be made for cyberattacks on critical infrastructure. A “roll the dice” approach is simply not an option. Millions of people depend on operators to be proactive and stop cyberattacks. Whether the cyber hurricane hits or not, one needs to strive for more than just meeting the minimum compliance requirements and invest in the capabilities to stop advanced cyberattacks.
At Palo Alto Networks we firmly believe that a key approach to stopping advanced attacks and reducing the efforts to deploy and administer cybersecurity is in adopting a prevention-focused cybersecurity platform that provides as much automation as possible. Learn more about our platform by accessing the following resources.
What are your cybersecurity predictions for the ICS industry? Share your thoughts in the comments below.