Common Threat Vectors & Industrial Control Systems (ICS): Modern Cybersecurity Practices, Part 2

In this three-part audio series, we’ll share some insights from a cybersecurity professional with 18 years of experience in industrial network design and support, information and network security, risk assessments, pentesting, threat hunting, and forensics.

Blumira’s Account Executive Mike McCarthy interviewed Pascal Ackerman, the author of a new book, Modern Cybersecurity Practices: Exploring And Implementing Agile Cybersecurity Frameworks and Strategies for Your Organization. Ackerman is also Managing Director of Threat Services at ThreatGEN.

Check out the first video in Building a Cybersecurity Program: Modern Cybersecurity Practices, Part 1.

In this second video, they discuss common threat vectors and challenges with security in the industrial control systems (ICS) industry and more broadly. Listen to the full audio interview here:

Here’s a summary of a few of the questions and answers that may provide value when considering your organization’s overall security strategy:

What aspects of the book are the most relevant now, given this new security landscape that we’re in?

The threat hunting and security monitoring part is most relevant, as you have to keep your eyes open as more and more people are connecting remotely to your network and bring in untrusted network connections and untrusted devices – it’s more prudent than ever to monitor malicious activity.

What are some of the unique cybersecurity problems or challenges that the industrial control systems (ICS) industry faces?

When comparing IT (information technology) to OT (operational technology), if something goes wrong on the IT side with cybersecurity, you might have a database that is compromised or credit cards that are leaked. You might have downtime on your web portal and can’t sell your product.

But depending on where an attacker attacks (either an ICS or OT system), you can get physical damage up to and including personal injury and death – because we’re talking about machinery that runs robots that weld together cars. If anything goes wrong with that due to cybersecurity, people might die – and that’s a major difference, as the stakes are higher.

The equipment tends to be older in this industry because a lot of automation equipment was bought decades ago and it’s expected to run another 10 to 20 years. Combined with old technology and lack of downtime, it’s really hard to do patching for basic security.

Threat detection is a major area for improvement, especially given the current COVID and BYOD (bring your own device) landscape. What are some of the ways that you’ve seen attackers try to infiltrate networks, both generally and for the industrial space?

This applies to all general industries and the industrial network as well – it is still spear or phishing attacks. If you get an email or Word document with an attachment or redirection to a malicious website, you can get compromised because you click the wrong link. From there, the ultimate goal of the attacker could be to spread ransomware or infiltrate your systems and exfiltrate some of your proprietary data.

The same mechanism allows attackers to get a foothold into what I call the enterprise side of an industrial business, then move their way over to the industrial side. A good, well-defined system will have some sort of boundary between their enterprise industrial systems. An attacker would need a foothold into the enterprise or business side, then move laterally into the industrial.

Another method includes using Shodan to search for open ports and a certain IP address. Once you find that, you can open up your programming software, connect to the internet-facing board and use their control system.

Why are attackers still targeting the enterprise side, and not industrial?

It may be because it gives attackers more control over an entire network. If you do a Shodan search, you most likely end up with a single controller or a single HMI (human machine interface). If you go from the enterprise side, you have control over the whole network.

Stay tuned for part 3 of the interview, coming next week!