MY TAKE: Cyber attacks on industrial controls, operational technology have only just begun

By Byron V. Acohido

“May you live in interesting times.” The old Chinese proverb (some consider it a blessing and others a curse) certainly describes the modern-day cyber landscape.

Related: 7 attacks that put us at the brink of cyber war

In today’s geopolitical terrain, nation-state backed cyber criminals are widening their targets and starting to zero in on their adversaries’ business and industrial sectors, using more and more sophisticated weaponry to do so.

With the bulls-eye on a country’s financial Achilles heel, state-sponsored attackers are sowing chaos, disruption and fear. And the risks are multiplying as more digital devices become connected in insufficiently secured environments.

Monitoring and management of many existing industrial control systems’ (ICS) embedded devices, like pumps, valves and turbines, are ancient in technological terms. And until recently, security surrounding operational technology (OT) – the networks that run production operations – has been siloed, or air-gapped, from information technology (IT) operations, which work in the corporate space. Isolating OT operations from public networks like the internet had once been considered best practice.

Dismantling the silos

But Gartner and others now recommend merging OT and IT security. Convergence of the two in the industrial internet of things (IIoT) makes for better communication and access to online data and processes, but it also flings the door wide open for nefarious activity by cyber criminals. Espionage scenarios that once were the basis of movies and novels now have become real-life exploits.

I talked to Phil Neray, vice president of industrial security at CyberX, a company founded in 2013 that operates a platform for real-time security of the industrial internet.

Read on to learn what Neray has to say about industrial security, then hear a more in-depth discussion on the subject on the accompanying podcast:

As organizations digitize their operations and add more sensors and other devices to the production environment, they increase their real-time intelligence and efficiency. With more connectivity between OT and IT the attack surface is broadened.

And by first compromising the IT side, whether by stealing credentials, sending phishing emails, or infecting websites with drive-by malware, criminals can pivot into the OT network.


At the operational level, critical industrial sectors are dependent on technology developed 10 to 15 years ago that isn’t regularly patched. “It’s time to upgrade security to a modern, multi-layered approach and realize that firewalls are no longer sufficient,” Neray says.

Expensive collateral damage

Cyber warfare is a piercing, straight-shooting arrow in an attacker’s quiver. Countries with limited military might and financial resources can create a more level battleground for themselves by engaging in cyber battles.

Russia, North Korea and Iran have employed sophisticated, well-trained soldiers on these frontlines in recent times.

Damage to a nation’s critical infrastructure networks, including pharmaceutical companies, logistics firms, food production, energy or petrochemical plants, can impose massive environmental, financial and psychological damage. The attackers’ intent is to disrupt society and establish power.

Fancy Bear, a Russian cyber espionage group serving political interests, has used spear phishing, malware and zero-day attacks to advance its agenda, including election manipulation.

NotPetya, considered one of the most destructive cyber attacks, completely destroyed global shipping company Maersk’s computer network in 2017. The company’s IT team got the network back online in a record 10 days, but the attack cost Maersk between $250 million and $300 million. These sorts of strikes impose collateral damage as the effects of one attack trickle down to third-party businesses and operations.

What’s to be done? In the face of these widening threats, cyber targets must not stand pat. Neray lays out the complex challenge:

“At a policy level, the United States must be much more vocal and let Russia know it’s not okay to attack civilian infrastructure. Diplomacy and other tools like sanctions must be used, but policies are in disarray right now.

“On the one hand, we have extreme and warranted concerns about state-sponsored threats to our elections and critical infrastructures. On the other hand, the only actions we can take are sanctions against firms and individuals such as those announced last month by the Treasury Department against alleged Russian actors.

“The fundamental economy is ‘you can’t make a state responsible for the actions of its citizens, but at the same time it’s so easy for a state to hide its own actions against individuals and firms.’ How do you set effective policies under those conditions?”

Being vigilant and proactive

Organizations and industries don’t have to remain sitting ducks. Instead of jumping into recovery mode following an attack, they can be vigilant and set up safeguards ahead of time, including:

• Good security audits. “Most organizations don’t know what security they have because devices have been added in an ad hoc way over time,” Neray says. Often they’ve been “tracked manually, in a spreadsheet or the authors are unknown.” Knowing what’s in place is the first step.

• Managing vulnerabilities. Devices are hardly ever patched, and they often have other weaknesses, such as being protected only by plain text passwords. Recognizing security shortcomings and prioritizing remediation is critical.

• Continuous monitoring. Putting in place continuous monitoring with behavior and anomaly detection allows an organization to know if an attacker is in the network, even in the earliest phases. Security operations teams are alerted about any unusual activity and can track down and mitigate the threat.
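The three safeguards above (an asset inventory from the audit, flagging devices that still rely on cleartext protocols, and alerting on behaviour that departs from a learned baseline) can be tied together in a small passive monitor. The code below is an added illustration, not CyberX’s platform or anything from the article; the inventory, addresses and flow records are constructed sample data, and the flow format is an assumption.

```python
# Constructed asset inventory: the output of the "security audit" step (hypothetical addresses).
INVENTORY = {"10.0.1.10": "HMI", "10.0.1.20": "PLC-pump", "10.0.1.21": "PLC-valve"}

# Management protocols that carry credentials in clear text (the "plain text password" weakness).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}

# Flow record layout (assumed, constructed): (src, dst, dst_port, app, operation)
BASELINE = [  # observed during a known-clean learning window
    ("10.0.1.10", "10.0.1.20", 502, "modbus", "read_holding_registers"),
    ("10.0.1.10", "10.0.1.21", 502, "modbus", "read_holding_registers"),
    ("10.0.1.10", "10.0.1.20", 502, "modbus", "write_single_register"),
]
OBSERVED = [  # later monitoring window, constructed to contain two problems
    ("10.0.1.10", "10.0.1.20", 502, "modbus", "read_holding_registers"),  # normal
    ("10.0.1.99", "10.0.1.21", 23, "telnet", "login"),                    # unknown host, cleartext
    ("10.0.1.10", "10.0.1.21", 502, "modbus", "write_single_register"),   # HMI never wrote to valve PLC
]


def learn_baseline(flows):
    """Record which (src, dst, app, operation) behaviours were seen in the clean window."""
    return {(src, dst, app, op) for src, dst, _port, app, op in flows}


def detect(flows, inventory, baseline):
    """Return de-duplicated (category, detail) alerts for a monitoring window."""
    alerts = []

    def add(alert):
        if alert not in alerts:
            alerts.append(alert)

    for src, dst, port, app, op in flows:
        for host in (src, dst):            # audit gap: device not in the inventory
            if host not in inventory:
                add(("unknown-asset", host))
        if port in CLEARTEXT_PORTS:        # credentials exposed in clear text on the wire
            add(("cleartext-credentials", f"{src}->{dst} {CLEARTEXT_PORTS[port]}"))
        if (src, dst, app, op) not in baseline:   # behaviour never seen in the baseline
            add(("new-behaviour", f"{src}->{dst} {app}:{op}"))
    return alerts


def run_demo():
    """Run the monitor over the constructed windows; returns 4 alerts."""
    return detect(OBSERVED, INVENTORY, learn_baseline(BASELINE))


if __name__ == "__main__":
    for category, detail in run_demo():
        print(f"[{category}] {detail}")
```

Each alert maps back to one of the three safeguards, which is what makes the inventory worth building before the monitoring is switched on.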

What’s ahead

As attackers become emboldened, U.S. companies and infrastructure are more at peril. It’s unknown how far nation-states will gamble on digital intimidation in the face of military retaliation.

But despite the grim circumstances, there are bright spots emerging. There is more regulatory movement afoot. The EU passed the network and information systems (NIS) directive, which specifically applies to critical infrastructure systems. It covers American companies with global operations in Europe. Noncompliance carries hefty penalties and fines of as much as $20 million.

Management and boards of directors also are becoming more knowledgeable of cyber risks and are assigning resources to the problem.

So while the political impetus to step up U.S. industrial control security currently may be lacking, industries must continue to increase self-regulation to protect their bottom line and the nation as a whole.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

Last Watchdog’s Denise Szott contributed to this report.

(Editor’s note: LW has supplied consulting services to CyberX.)
