Page 214 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022
Increasing OT threat landscape
The terrain of the OT threat landscape is changing with the rhythms of Industry 4.0, industrial IoT, and
digital transformation. Stuxnet was one of the first pieces of malware specifically designed to target an
industrial control system (ICS) and caused the first major OT cyber incident. This kind of attack was
unlikely in an OT environment until 2017, when a worm called WannaCry propagated extremely widely.
In the aftermath, many different kinds of malware emerged, and malicious actors began putting serious
work into designing targeted ransomware attacks to exploit specific industry verticals. The greater
productivity promised by modern technologies drives manufacturers to embrace them and to take the
risk of opening the door further to networking and the internet. However, every advancement brings with
it new attack surfaces, and the potential for another, even more aggressive wave of cyberattacks.
Finally, as a decentralized, untraceable digital currency, Bitcoin is the perfect means by which criminals
can collect ransoms without fear of the payment being tracked to reveal their identities. These factors
ensure the continual shifting of the threat landscape. Once attackers have created a new form of malware,
the malware typically gets into an OT environment through insider threats or external cyberattacks.
Insider threats and external attacks
Insider threats can be either unintentional or intentional. In an unintentional case, an employee or third-party visitor unknowingly brings an infected device onto the premises. An intentional case might result from a dissatisfied employee or one who has been paid by third parties to conduct sabotage. In both cases, unsecured USB drives or laptops are the typical devices that carry the threat in.
External cyberattacks often begin in the IT network, most commonly with a phishing attack, and usually take the form of ransomware or bots. Ransomware encrypts assets and offers them back to stakeholders at a high price. Bots usually allow attackers to prepare for or set up the rest of the attack, e.g., by taking direct control of systems, executing applications, or collecting important information. Once attackers have compromised the control center network, it’s very easy for them to spread malware and escalate privileges at different levels of the system. Effects can include shutdown of the entire production cycle, damage to assets, or endangerment of people.
Network segmentation vs. cyberattacks
Network segmentation has become a common means for organizations to repel modern cyberattacks, and this practice not only strengthens cybersecurity but also helps to simplify management. Because isolation is built into the network’s design, if an asset gets infected, only its segment will be affected. The options for intruders are drastically reduced, and they will be unable to move laterally. For IoT devices, segmentation allows the data and control paths to be separated, making it more challenging for attackers to compromise devices. Even if one production line is affected by a cyberattack, the threat will be contained so that the others can continue to work.
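As an added illustration (not from the article), one way to express this kind of zone-based containment on a Linux firewall sitting between the segments is an nftables ruleset; the interface names, address ranges, and the Modbus/TCP and OPC UA ports chosen for the control and data paths are assumptions made for the example.

```nftables
#!/usr/sbin/nft -f
# Added illustration, not from the article. Assumed segments and interfaces:
#   it0   = corporate IT network             10.0.0.0/16
#   ctrl0 = OT control centre (SCADA/HMI)    10.10.0.0/24
#   line1 = production line 1 PLC segment    10.20.1.0/24
#   line2 = production line 2 PLC segment    10.20.2.0/24
#   data0 = historian / data segment         10.30.0.0/24
flush ruleset

table inet ot_segmentation {
    chain forward {
        # Default deny: inter-segment traffic not explicitly listed below is dropped.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Control path: only the control centre may reach PLCs, and only over Modbus/TCP (502).
        iifname "ctrl0" oifname "line1" ip saddr 10.10.0.0/24 ip daddr 10.20.1.0/24 tcp dport 502 accept
        iifname "ctrl0" oifname "line2" ip saddr 10.10.0.0/24 ip daddr 10.20.2.0/24 tcp dport 502 accept

        # Data path, kept separate from the control path: PLC segments push telemetry to the
        # historian over OPC UA (4840, assumed); the historian never initiates towards the PLCs.
        iifname { "line1", "line2" } oifname "data0" ip daddr 10.30.0.10 tcp dport 4840 accept

        # Everything else (line1 <-> line2, IT -> OT, historian -> PLC) is dropped and logged,
        # so an infected line cannot reach its neighbour and the attempt is visible to the SOC.
        counter log prefix "ot-seg-drop " drop
    }
}
```

Load it with `nft -f`; the `ot-seg-drop` log prefix doubles as a ready-made detection for cross-segment movement attempts.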