Halfway through December the time has come to look back at 2022 and ask, “What have we learned?” and, “What progress has been made?” in the space of OT security trends. On the threat side, the big news early in the year was the PIPEDREAM / INCONTROLLER malware. The attack software is presumed to be of Russian origin and was linked to the invasion of Ukraine. The malware has extensive functionality to manipulate industrial control systems from many vendors and, presumably, cause them to malfunction. The good news is that the malware was discovered before it caused any physical consequences, and to date no physical malfunctions have been attributed to it.
More generally, the war in Ukraine caused a great many cyber incidents, most of them in Ukraine, and most of them impacting business and government systems. Critical infrastructures and other OT providers world-wide were put on high alert early in the year, though “risk fatigue” set in within a few months of no attacks on industrial infrastructures. The reports I’m hearing from my contacts in the industry suggest that in most organizations, risk awareness has long since slipped back to very close to historically “normal” levels.
OT Security Trends 2022
So, what are we seeing, by the numbers? Last year we identified 22 cyber attacks that shut down physical operations or otherwise produced undesirable physical consequences, attacks that affected roughly 100 sites in process and discrete manufacturing industries. We hope to update this report in 2023 for the year 2022, and the year is not over, but we do have some preliminary numbers to share. In the last report, we projected that cyber attacks with OT consequences in these industries would more than double, from 22 to roughly 50. The numbers we have to date confirm that projection.
Through the end of June, we counted 25 attacks on these industries. The industries most impacted were transportation and discrete manufacturing. Almost all the attacks were ransomware, again this year. Two noteworthy exceptions were hacktivist attacks – hacktivists halted trains in three cities in Belarus and set a steel mill on fire in Iran. Only a single attack was noted in the first half on oil and gas infrastructure – the attack that shut down oil movements at the Oiltanking / Mabanaft tank farms.
Ransomware attacks continue to become more sophisticated, trailing nation state attack tools and techniques by less than five years. The bad news: if this trend continues, we should expect to see at least some ransomware actors using PIPEDREAM / INCONTROLLER class attack tools against industrial targets before 2028.
OT Security – Trends in Defenses
OT security incident reporting requirements are increasing in many jurisdictions. Germany passed stringent reporting laws recently, and reporting laws are being debated in the USA as well. Will these new laws result in more public disclosures of cyber attacks with physical consequences? Personally, I don’t foresee greater public disclosures of big incidents, though the new rules may increase reporting of smaller incidents. If the lights go out in a big city, or there is a “boil water” advisory because of a cyber incident, it is hard to keep that from the public eye, even without new laws.
In the USA, the TSA continues to issue updated rules for petrochemical pipelines, as a result of the Colonial Pipeline incident. The organization also issued new rules for rails. A common theme in these rules is the directive to keep OT networks independent of IT networks, so that if an IT network is crippled by a cyber attack, physical operations can continue unimpeded. In a sense, this is not surprising – pretty much everyone I talk to has assumed that this has been the whole point of OT cybersecurity initiatives for the last decade. Keep the lights on, keep clean drinking water in the taps, and so on. Ever since the attack that shut down the Colonial Pipeline, however, TSA directives have been making this point explicitly, for the first time.
OT Security Engineering
On the defensive side, a potentially more important development in 2022 is the report by the US Department of Energy on a National Cyber-Informed Engineering Strategy. The report does not explain how to do cyber-informed engineering, instead it gives a few examples, says “we need this” and lays out a plan to develop a body of knowledge that will become cyber-informed engineering.
What is it? The report gives examples of physical, unhackable mitigations for cyber attacks. These are mitigations the engineering profession has used for decades – buckle-valves to prevent over-pressurization of boilers and other pressure vessels, centrifugal kill-switches to prevent over-speed rotations of steam turbines and other heavy, rotating equipment, manual operations as a fall-back for critical infrastructures, and so on. These are tools that are unique to the OT space, and until very recently were not recognized as important parts of cybersecurity programs.
In a sense this is no surprise – these are not cybersecurity mitigations. Where is an over-pressure valve in the NIST Cybersecurity Framework? It’s not there. The framework is blind to this kind of solution. In a real sense, these OT tools and techniques are not part of the cybersecurity solution domain. They are, however, ways to address cyber threats to physical operations. After all, the engineering profession has been dealing for over a century with physical threats to public safety. Cyber threats are just another threat to public safety that must be considered in physical designs. Many of the mitigations that engineers have used for a century to prevent unacceptable physical outcomes also work against cyber threats – work just as effectively as they work against the equipment failures and human errors and omissions they were designed to address decades ago.
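To make the distinction above concrete, here is a small added example (my own toy model, not part of the original post or of the DOE report). It simulates a heated pressure vessel protected two ways: by a software interlock in the controller, which an attacker who has rewritten the controller logic can simply ignore, and by a mechanical relief valve, which has no code and no network interface and therefore lifts at its set pressure no matter what the controller commands. Every number in it (design pressure, trip points, heating and cooling rates, tick count) is constructed for illustration and does not describe any real plant.

```python
# Added example (not from the original post): a toy discrete-time model of a
# heated pressure vessel that contrasts a software interlock, which a
# compromised controller can ignore, with a mechanical relief valve, which
# caps pressure no matter what the control software commands.
# All numbers (bar, ticks, setpoints) are constructed for illustration.

from dataclasses import dataclass

RATING = 10.0        # constructed design pressure of the vessel (bar)
SOFTWARE_TRIP = 7.0  # controller turns the heater off above this (bar)
RELIEF_SET = 8.0     # mechanical relief valve lifts above this (bar)
HEAT_RATE = 0.5      # pressure rise per tick with the heater on (bar)
COOL_RATE = 0.2      # pressure fall per tick with the heater off (bar)
AMBIENT = 1.0        # pressure floor (bar)


@dataclass
class Plant:
    """State of the vessel and the two independent protection layers."""
    pressure: float = AMBIENT
    compromised: bool = False   # attacker controls the controller logic
    relief_valve: bool = False  # mechanical valve fitted or not
    vented: int = 0             # number of ticks on which the valve lifted


def controller(plant: Plant) -> bool:
    """Software interlock: return True if the heater should be on this tick.

    A compromised controller ignores the trip and drives the heater
    continuously; this models the controller logic having been overwritten.
    """
    if plant.compromised:
        return True
    return plant.pressure < SOFTWARE_TRIP


def physics(plant: Plant, heater_on: bool) -> None:
    """Advance one tick: heating or cooling, then the mechanical relief valve."""
    if heater_on:
        plant.pressure += HEAT_RATE
    else:
        plant.pressure = max(AMBIENT, plant.pressure - COOL_RATE)
    # The relief valve is pure mechanics: it behaves identically whether the
    # controller is trustworthy or not, because nothing in it can be reprogrammed.
    if plant.relief_valve and plant.pressure > RELIEF_SET:
        plant.pressure = RELIEF_SET  # idealized full-lift relief
        plant.vented += 1


def simulate(compromised: bool, relief_valve: bool, ticks: int = 100) -> float:
    """Run the model and return the peak pressure reached (bar)."""
    plant = Plant(compromised=compromised, relief_valve=relief_valve)
    peak = plant.pressure
    for _ in range(ticks):
        physics(plant, controller(plant))
        peak = max(peak, plant.pressure)
    return peak


def exceeds_rating(compromised: bool, relief_valve: bool) -> bool:
    """True if the scenario drives the vessel past its design pressure."""
    return simulate(compromised, relief_valve) > RATING


if __name__ == "__main__":
    for comp, valve in [(False, False), (True, False), (True, True)]:
        peak = simulate(comp, valve)
        print(f"compromised={comp!s:5} relief_valve={valve!s:5} "
              f"peak={peak:5.1f} bar  exceeds_rating={peak > RATING}")
```

Run as a script, the three rows show the point of the passage: with an honest controller the software interlock alone holds pressure near its trip point; with a compromised controller and no valve, pressure climbs without bound and passes the design rating; with the compromised controller and the relief valve fitted, pressure is capped at the valve's set pressure, below the rating, regardless of what the software does. The valve is not a cybersecurity control in the NIST sense, but it bounds the physical consequence of the cyber attack, which is what cyber-informed engineering is about.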
In a sense, the future of OT cybersecurity may seem bleak. In the name of increased efficiencies and organizational flexibility, we continue to deploy more and more computer automation – more and more targets for cyber attacks. And data in motion is the lifeblood of modern automation, so we continue to deploy more and more connections into and between our automation systems and components. The problem with this is that all cyber-sabotage attacks are information. Every one of these connections is another opportunity for our enemies to attack our constantly increasing number of targets. Neither of these trends is likely to reverse in the foreseeable future. The OT security problem is likely to get much worse before it gets any better. If you talk to young people, point out that there is job security in the OT cybersecurity world – we will need people to address this problem for decades into the future.
In another sense, there is progress. Standards and regulations are getting stronger, awareness is increasing, and more and more owners and operators are taking action. In particular, I have high hopes for the future of cyber-informed engineering, or “industrial security engineering” if you prefer. For too long, the engineering profession has been the junior partner in OT security programs – coming hat in hand to the enterprise security experts, asking how we might protect our systems from the consequences of cyber attacks. What the DOE report highlights is that the engineering profession has powerful tools to bring to the table – not tools to improve cybersecurity, but tools to manage physical risks due to cyber attacks.
With that I leave you for 2022. To those who celebrate Christmas, as I do, I wish you a merry Christmas! To those who celebrate other kinds of holidays at this time of year, I wish you happy holidays! And to everyone reading, I wish you a peaceful and prosperous 2023, and look forward to working with you throughout the year to make our world a safer place.