Keywords
OT security, ICS security, network security monitoring, state adversaries, hacktivism, cybersecurity regulations, colonial pipeline
Summary
Mike Holcomb, independent OT/ICS security advisor and former Director of OT security at Fluor, talks about the shift of cyber threats in the OT space and the struggles of small entities to secure themselves. He proposes the BASIC principle to get started fast despite limited budgets.
Takeaways
OT cyberattacks have shifted from state actor adversaries to classic ransomware cybercriminals. Colonial Pipeline was the wake-up call.
Attacks on OT have increased, both directly and indirectly.
OT that relies on IT is easy to attack by merely taking down the IT.
Attacks on OT could be even more lucrative for attackers since payment might be faster.
Volt Typhoon and its prepositioning campaign are changing the rules for OT security. And it showed us that we are very vulnerable.
Geopolitical conflicts are aligning hacktivists and state actors. This alignment will change the speed and frequency of OT attacks.
Too few companies have network security monitoring. That’s one reason why there is so little information on OT cyberattacks: the victims can’t see them.
Companies must pay attention to incidents in their sector to learn from them. For example, there actually was a precedent for Colonial Pipeline a few months earlier at a smaller pipeline.
Cybersecurity regulations are unwanted but needed because companies won’t take care otherwise.
There needs to be a strategy and financial support for critical infrastructure cybersecurity because most of them are very small and will never have the budget.
Most small entities don’t have any cybersecurity for their OT and ICS in place.
A SectorCERT could be a solution to bundle resources.
There are 5 steps in BASIC: Backup & recovery, asset management, secure network architecture, incident response planning, continuous vulnerability management.
Sound Bites
“What's really concerning to me is that we're starting to see an alignment between state adversaries and hacktivists.”
“State actor attacks are rare but high impact. Hacktivist attacks are very frequent but low impact. The alignment of both is really concerning.”
“I think a lot of people don't realize that OT or ICS environments are made up of a lot of Windows systems.”
“If you're not watching your network, how are you going to know if an attacker is in the environment?”
“Only 5 to 10 % of industrial companies monitor their OT networks, and I would say that about half of those aren't even doing a very good job. So yeah, there's a lot we just aren't seeing in terms of OT attacks.”
“If you don’t have OT visibility, it's very easy to claim that there's no sign of a cyber security attack. But we need to get to the point where we can say we have the evidence to definitely say this is or this is not the result of a cyberattack.”
Chapters
00:00 Introduction
01:08 Shift in speed and source of OT cyber attacks
06:30 The Windows ecosystem in OT networks
08:29 The scary strategic threat in town: Volt Typhoon
10:10 The mounting lack of network security monitoring in OT
11:45 The even scarier threat in town: hacktivists going hand in hand with APTs
13:45 Increase of OT incidents over the years
15:18 The illusion of secure OT networks
16:49 Regulated sectors have better cybersecurity
18:50 The struggle of and possible solutions for small entities
23:40 The BASIC program to start your OT security journey