Adapt industrial control system (ICS) security to the new normal



Although the number of high-profile attacks in the second half of 2021 declined slightly from earlier in the year, their impact did not. With cyber-physical assets still highly connected, security measures for critical industrial, healthcare and enterprise ICS devices have taken the front seat. A recent report found that 34% of vulnerabilities identified in the second half of 2021 were in cyber-physical systems in the Internet of Things (IoT), Information Technology (IT) and Internet of Medical Things (IoMT) verticals, which underscores the need for those security measures to cover the entire extended Internet of Things (XIoT), not just operational technology (OT).

Tardigrade malware

The Tardigrade malware, which spread through several biotechnology facilities, was responsible for at least two attacks in the healthcare sector, in April and October, that allowed bad actors to obtain sensitive company information and deploy further malware.

Tardigrade is polymorphic malware: it changes its properties to suit the environment it lands in, which makes it difficult to predict and protect against. BioBright researchers have compared Tardigrade to Smoke Loader and, more specifically, described it as having trojan functionality: once installed on a victim network, it searches for stored passwords, deploys a keylogger, begins exfiltrating data and opens a backdoor that lets attackers choose their own adventure.

In response to the known attacks, healthcare companies that may be at risk have been warned to scan their biomanufacturing networks for any possible signs of compromise. In an advisory, the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC), the non-profit organization that initially published the Tardigrade research, recommended treating networks as if they are or will be compromised, and reviewing and adjusting cybersecurity monitoring as needed.

Log4j

Another major vulnerability discovered in the second half of 2021 was Log4Shell, a zero-day first disclosed in December that was found to affect Log4j, the popular Java-based library for logging error messages. Exploitable by remote, unauthenticated users, it affected more than 100 known vendors according to a list published by CISA, of which more than 20 are ICS vendors.

Because the library was widely used in OT environments, those environments were just as exploitable, and the vulnerability's remote exploitability made attacks easy to carry out. In response to the discovery of the vulnerability, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), noted that it poses an urgent challenge to network defenders given its wide use. End users depend on their suppliers, and the supplier community has been asked to immediately identify, mitigate and patch the wide range of products that include this software. Vendors are also advised to communicate with their customers so that end users know their product contains this vulnerability and should prioritize software updates.

NEW Cooperative ransomware attack

A uniquely vulnerable industry, food and beverage manufacturers have seen growing attention on their operations because of the devastation a disruption to their production can cause. Similar to the JBS Foods attack earlier in 2021, NEW Cooperative, an Iowa-based farmers' cooperative that is part of the state's agricultural supply chain, was hit by a BlackMatter ransomware attack in September.

Like food processor JBS Foods, NEW Cooperative quickly and proactively took its systems offline to contain the attack and limit damage. With 40% of grain production running on its software and 11 million animals' feed schedules relying on it, a sustained attack would have quickly and negatively impacted the food supply chain.

ICS Security Recommendations

Looking back at the last six months of 2021 and the three major attacks described above, security personnel can take many different measures to better protect the XIoT going forward. Key ICS security measures include network segmentation, phishing and spam protection, and the protection of remote access connections.

This year, awareness has grown that network segmentation is key to protecting remotely accessible, Internet-connected industrial devices. To best protect against these types of attacks, network administrators need to ensure that their networks are segmented (virtually where physical segmentation is not possible) and set up in such a way that they can still be remotely managed and monitored.

In addition, phishing attempts have increased as a result of remote work and can be guarded against by, among other things, not clicking on links from unknown senders, not sharing passwords and enforcing multifactor authentication.

Remote access connections must also be protected, as they are a critically important aspect of OT and industrial environments in the new normal. To do so, security personnel in these industries must verify that VPN vulnerabilities have been patched, monitor any and all remote connections, and enforce permissions and administrative controls related to user access.
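The three recommendations above (segmentation, MFA on remote access, and monitoring of every remote connection) can be turned into a concrete, automatable check. The following script is an added example, not code from the article or from Claroty: it audits connection records against a simple zone policy in which OT devices may only be reached through a designated jump host and only on allow-listed protocol ports, and in which every session originating from the VPN pool must have completed MFA. The zone address ranges, the jump host address, the allow-listed ports and the log format are all constructed assumptions for the example, as are the sample log lines.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical zone layout for the example (assumed, not from the article).
ZONES = {
    "it": ipaddress.ip_network("10.1.0.0/16"),   # enterprise IT
    "ot": ipaddress.ip_network("10.2.0.0/16"),   # plant / control network
    "vpn": ipaddress.ip_network("10.3.0.0/16"),  # address pool handed to VPN clients
}
# The only host allowed to open connections into the OT zone (assumed).
JUMP_HOSTS = {ipaddress.ip_address("10.1.5.10")}
# Protocol ports expected toward OT devices (Modbus/TCP and DNP3 here; assumed allow-list).
OT_ALLOWED_PORTS = {502, 20000}

# Constructed sample connection records in a simple key=value format.
SAMPLE_LOG = """\
2021-12-11T08:01:02Z src=10.1.5.10 dst=10.2.0.15 port=502 user=ot-eng mfa=yes
2021-12-11T08:02:10Z src=10.1.7.22 dst=10.2.0.15 port=502 user=jsmith mfa=yes
2021-12-11T08:03:44Z src=10.3.0.9 dst=10.1.5.10 port=22 user=contractor mfa=no
2021-12-11T08:04:01Z src=10.3.0.9 dst=10.2.0.40 port=3389 user=contractor mfa=yes
2021-12-11T08:05:30Z src=10.1.8.3 dst=10.1.9.4 port=443 user=alice mfa=yes
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+) "
    r"user=(?P<user>\S+) mfa=(?P<mfa>yes|no)$"
)


@dataclass
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    port: int
    user: str
    mfa: bool


def parse_line(line):
    """Parse one connection record; raise on anything that does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return Flow(m["ts"], ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]),
                int(m["port"]), m["user"], m["mfa"] == "yes")


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is outside every known range."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def check_flow(flow):
    """Return a list of policy findings for one flow (empty list means compliant)."""
    findings = []
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (src_zone, dst_zone):
        findings.append(f"flow {flow.src} -> {flow.dst} involves an address outside every known zone")
    if dst_zone == "ot":
        # Segmentation rule: OT is reachable only via the jump host.
        if flow.src not in JUMP_HOSTS:
            findings.append(f"OT host {flow.dst} reached directly from {src_zone} host {flow.src} "
                            f"(segmentation bypass)")
        # Protocol rule: only expected control protocols toward OT devices.
        if flow.port not in OT_ALLOWED_PORTS:
            findings.append(f"port {flow.port} to OT host {flow.dst} is not on the allow-list")
    # Remote access rule: every VPN-originated session must have completed MFA.
    if src_zone == "vpn" and not flow.mfa:
        findings.append(f"remote session for {flow.user} from {flow.src} without MFA")
    return findings


def audit(log_text):
    """Audit every record; return (line_number, finding) pairs for review."""
    report = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        for finding in check_flow(parse_line(line)):
            report.append((lineno, finding))
    return report


if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE_LOG):
        print(f"line {lineno}: {finding}")
```

Run against the constructed sample, the script flags line 2 (an ordinary IT workstation talking Modbus straight into the OT zone), line 3 (a VPN session without MFA) and line 4 twice (VPN client going directly to an OT host, and on RDP rather than a control protocol), while the jump-host and IT-internal flows pass. In a real deployment the records would come from the VPN concentrator and the firewall between zones, and each finding would feed the monitoring pipeline rather than a print statement.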

Chen Fradkin is a computer scientist at Claroty.
