The convergence of industrial control systems (ICS) and traditional IT networks has enabled a dramatic rise in the volume and scope of security attacks on large-scale manufacturing and critical national infrastructure (CNI).
David Masson is Darktrace’s director of enterprise security and has more than two decades of experience working in security and intelligence across civilian, military and diplomatic enterprises. He explains what accounts for this escalation in threat, the potential real-life, physical consequences of a successful breach, and why CISOs must adopt a unified security approach across IT and OT that harnesses the power of AI.
How real is the cyber threat to industrial control systems (ICS) and in what ways is the threat evolving?
Nation states and criminal groups are making persistent and sophisticated attempts to disrupt society. While the worst-case scenario remains an attack that directly targets industrial processes, the most pressing risk at the moment is IT-based ransomware – ransomware that initially hits employee’s laptops, for example – bleeding into the operational technology space, like the factory floor, causing operational disruption.
What examples have we seen of such attacks taking place?
Recent high-profile ICS attacks on manufacturers have had significant effects on production. Norsk Hydro and ASCO, for example, were forced by ransomware’s power to take industrial systems offline. Every minute counts for modern manufacturing powerhouses, so threats causing even temporary outages pose a great risk.
Ransomware is even more of a worry across critical national infrastructure, such as energy grids, where outages have seen cities plunged into darkness.
As cyber warfare plays an increasingly important role in geopolitical strategy, state-sponsored attackers are increasingly going after CNI and disruption of ICS.
State-sponsored attackers will use their sophistication to supercharge ransomware with AI capable of adapting itself to be virtually undetectable and lurking in industrial systems for years before spreading and shutting down critical systems at machine speed.
How likely are we to see CNI brought down by an attack on ICS?
We are witnessing an escalation in nation-state cyberattacks, as global tensions heat up and hacking techniques become more advanced. It is simply a matter of time before infrastructure is directly targeted.
Every piece of society that we depend on in our daily lives is under siege. From transportation, to water and waste systems, to healthcare and nuclear reactors – no industry or organisation is safe.
Cyberattacks now have the potential for real, physical consequences as attackers exploit vulnerabilities in outdated operating systems. The consequences are no longer confined to the cyber realm, as we saw with the first recorded death caused by ransomware in Germany last year [following an attack on Dusseldorf University Hospital in September 2020].
The integral challenge is how to detect these intruders faster before damage is done. Artificial intelligence has made massive leaps over the past five years in this area – it can now detect anomalous activity at an early stage and intervene, without human oversight.
Many critical infrastructure systems are already relying on AI to respond autonomously and “self-heal.” Looking forward, we are going to see more and more AI technology used in a proactive capacity, not just a reactive one.
Do you feel that the scale of threat is fully appreciated?
There is an expectation that critical national infrastructure – nuclear power plants, energy plants, and so on – are bullet-proof, locked-down and air-gapped, but that is no longer the case. All of the machinery and equipment that run these facilities, from reactor and control rods to cooling systems, are vulnerable. There is always a way in – often one security teams aren’t even aware of.
Critical environments do not fail gracefully. There isn’t the option of reverting to pen and paper and muddling along. We need to build in cyber resiliency, so these systems can resist and fight back against cyberattacks. Now that industrial environments cannot simply be air-gapped to keep them safe, we need to invest in AI systems that can work in the background to automatically and dynamically block attacks that bleed from IT and defend critical systems 24/7.
Many organisations struggle to achieve the level of visibility they need to be able to properly defend their systems from emerging threats. At Darktrace, when we first deploy our technology, we often discover 20-25% more devices on a client’s digital infrastructure than the clients have accounted for.
How is this evolving threat impacting the role of the CISO?
Security must be a board-level priority for all companies and having a dedicated c-suite security leader is a big step forward. However, CISOs must be sure to never be complacent. They must continue to innovate and implement technology under a broad and unified strategy that protects the IT and the OT of their companies from high-end attacks.
I also cannot stress the importance of visibility enough – security teams must have as close to full visibility in real-time over their entire digital environment as possible. This means that a unified security approach, including a technology solution that works at the speed, scale and sophistication of the incoming threats, is necessary for environments that include both IT and OT systems.
At this point, AI is critical in staying ahead of attacks. Human defenders simply cannot fight threats alone at the speed and level of precision that is now necessary.
We need to be putting the advantage into the hands of defenders. An attacker only needs to be lucky once, while defenders have to get it right every time – this is an impossible goal to achieve without building up cyber resiliency to face novel attacks.
Only AI is capable of automatically stopping an attack from spreading to the sensitive and invaluable industrial control systems, avoiding operational shutdowns and preventing physical impacts.