
The Recycling of Industrial Cyberattacks

If an attack's signature was isolated the first time it appeared, why do organizations still fail to protect their environments from that known attack the next time it is launched?

For companies involved in critical infrastructure or in any facet of manufacturing, one of the big action items today is securing operational technology (OT). For the first time, the security of the industrial computers that run discrete and continuous processes, such as programmable logic controllers (PLCs), distributed control systems (DCSs) and human machine interfaces (HMIs), has eclipsed the conversation around IT security. Considering the frequency and impact of OT-related attacks, that is not surprising.

There have been many watershed moments in the evolution of OT security. While industrial control systems (ICS) have been around since the late 1960s, OT security really hit mainstream media around 2010 with Stuxnet, the worm that reportedly damaged centrifuges by manipulating the PLCs that controlled them. Since then, critical infrastructure, manufacturing facilities, logistics and transportation operations and much more have been probed and taken offline by attackers. These events have elevated the threat and forced the issue onto the C-level agenda in virtually every industry.

Since Stuxnet, numerous attacks have been launched, including Shamoon, Havex, WannaCry and LockerGoga. Now, with nine years of OT attack data behind us, one disturbing trend has emerged: these attacks are being recycled.

Consider LockerGoga in March 2019. This ransomware attack hit Norsk Hydro, one of the largest aluminum manufacturers in the world. It was another watershed moment in OT security because it not only disrupted OT operations, with aluminum production taken offline or switched to manual control, but also compromised the company's IT environment. Lateral movement between IT and OT, which were once separated by an air gap, is a newer phenomenon driven by IT/OT convergence; perhaps even more alarming is how the same malware keeps being reused. LockerGoga made global headlines in March, but that was neither the first nor the last time it was launched. It first appeared in January 2019, when it hit Altran Technologies. After Norsk Hydro, it made a third appearance against the chemical manufacturers Hexion and Momentive, among other organizations. This is perhaps the best-publicized instance of a recycled attack, but it is certainly not the only one. WannaCry, Petya/NotPetya and Shamoon all made multiple appearances, either in their original form or as variants of the original.

Here are some of the key reasons organizations have not guarded their systems against the latest attacks, and the measures you can put in place to ensure that recycled attacks do not make a repeat appearance in your OT operations.

  • No Visibility – Many organizations simply do not know what is in their environment. When an advisory is issued, they do not know the model numbers, patch levels or firmware versions of the devices on the network, and it is hard to update what you do not know you have. An automated inventory system not only keeps that inventory current in a rapidly changing environment but also pinpoints the devices most at risk. It should flag devices whose firmware level it could not determine rather than quietly treating them as unaffected; an unknown version is an open question, not a clean result.
  • Maintenance Challenges – Once you know what is in the environment, a second, parallel challenge is scheduling the downtime to apply all necessary patches and updates. In many mission-critical operations these windows do not come as often as they should, because the industrial process must stay online. Being able to actively query every device at a granular level, down to serial number, patch level and firmware version, lets you stage the patches and other maintenance work in advance so the windows are much shorter than in the past. You hit every relevant machine while taking the guesswork (and the potential for update errors) out of the equation. Active queries on an OT network should use each device's native protocol and be scheduled and rate-limited, since some controllers react badly to unexpected traffic.
  • Inability to Isolate and Load New Signatures – Even as IT and OT converge, the signatures that matter for each remain distinct. OT live-update services now exist, and organizations should rely on them to receive the latest OT-specific signatures. The service should run 24/7/365 and auto-update as new attacks appear in the wild: the sooner a signature for a known attack is loaded, the smaller the window in which that attack can be recycled against you.
  • Protection of Remote Locations – Many large organizations with distributed environments may be unwilling or unable to install OT security at every remote location. Similarly, small and medium-sized industrial operations may not feel the need to, because they consider themselves a "small target." In both cases full coverage is essential: no remote location or business is too small, and an unmonitored site is exactly where a recycled attack finds its way in. A cloud-based OT security solution can cover these smaller locations, closing a potential weak link in the chain.
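The first two points above, knowing which devices an advisory actually affects and grouping them so a single maintenance window covers all of them, can be shown as a small triage routine. The following is an added example, not code from the Tenable post or from any Tenable product; the inventory rows, the advisory and every vendor, model and version string are constructed sample data. It compares firmware versions component by component (so "2.10" sorts after "2.9", which plain string comparison gets wrong) and reports devices with an unknown firmware level separately instead of treating them as safe.

```python
"""Triage an OT asset inventory against a vulnerability advisory (added example)."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Asset:
    asset_id: str
    site: str
    vendor: str
    model: str
    firmware: str   # "" or "unknown" when the inventory could not determine it


@dataclass(frozen=True)
class AffectedProduct:
    vendor: str
    model: str
    fixed_in: str   # first firmware version carrying the fix; anything older is affected


def parse_version(text):
    """'2.10.3' -> (2, 10, 3). Returns () when there is no numeric version at all."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(a, b):
    """True if version tuple a is older than b. Shorter tuples are zero-padded, so 2.10 == 2.10.0."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def classify(asset, advisory):
    """Return 'affected', 'unverified' or 'ok' for one asset against the whole advisory."""
    for product in advisory:
        if (asset.vendor.lower(), asset.model.lower()) != (product.vendor.lower(), product.model.lower()):
            continue
        current = parse_version(asset.firmware)
        if not current:
            return "unverified"        # model matches but the firmware level is unknown
        if version_lt(current, parse_version(product.fixed_in)):
            return "affected"
    return "ok"


def patch_plan(inventory, advisory):
    """Group affected and unverified assets per site so one window covers every device needing work."""
    plan = {}
    for asset in inventory:
        status = classify(asset, advisory)
        if status == "ok":
            continue
        plan.setdefault(asset.site, {"affected": [], "unverified": []})[status].append(asset.asset_id)
    return {site: {k: sorted(v) for k, v in buckets.items()} for site, buckets in sorted(plan.items())}


# Constructed sample data: hypothetical vendor, models and firmware versions.
SAMPLE_INVENTORY = [
    Asset("plc-01", "plant-a", "ExampleVendor", "PLC-1000", "2.9.1"),
    Asset("plc-02", "plant-a", "ExampleVendor", "PLC-1000", "2.10.0"),
    Asset("plc-03", "plant-b", "ExampleVendor", "PLC-1000", "2.10"),
    Asset("plc-04", "plant-b", "ExampleVendor", "PLC-1000", "unknown"),
    Asset("hmi-01", "plant-b", "ExampleVendor", "HMI-200", "1.4"),
    Asset("plc-05", "plant-b", "OtherVendor", "PLC-1000", "1.0"),
]

SAMPLE_ADVISORY = [
    AffectedProduct("ExampleVendor", "PLC-1000", "2.10.0"),
    AffectedProduct("ExampleVendor", "HMI-200", "1.5"),
]

if __name__ == "__main__":
    for site, buckets in patch_plan(SAMPLE_INVENTORY, SAMPLE_ADVISORY).items():
        print(site, buckets)
```

With the sample data, plc-01 (2.9.1) and hmi-01 (1.4) come out affected, plc-02 and plc-03 are already at the fixed level, plc-05 is a different vendor, and plc-04 lands in the "unverified" bucket for plant-b because its firmware level was never collected; that bucket is the visibility gap the first bullet describes, and it should be resolved by querying the device before the maintenance window is booked.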

Closing the vulnerability window by acting on these basic tenets reduces the attack surface for any threat to critical infrastructure and industrial operations, and makes it far less likely that an attack already seen elsewhere succeeds a second time in your OT environment.

For more information on industrial cybersecurity, see our solution brief for strategies to mitigate threats across your OT environments.
