Recent research identifying nearly 100,000 exposed industrial control systems (ICS) around the world should serve as a critical wake-up call to national government policymakers responsible for ensuring national security, public health, and safety within their borders. These systems, fundamental to our critical infrastructure, underpin essential services that sustain modern society… and they should not be publicly exposed on the Internet! Industrial control system exposure is not just a technical concern; it’s a profound national security and business continuity issue. What can policymakers do to reduce cyber risks associated with these systems?
ICS Cyber Security is Critical to National and Economic Security
Industrial control systems are core to the world’s critical infrastructure. These systems range from sensors that relay vital data, to actuators and switches managing industrial machinery. They control building management systems, monitor fuel levels in commercial tanks, and oversee much of the infrastructure essential to daily life. The control and manipulation of these systems by malicious actors could potentially lead to serious consequences, making their protection a matter of urgent national and economic importance.
Cyber Attacks on Critical Infrastructure & ICSs are Not New
The following incidents are examples of just how serious cyber attacks on ICSs can be:
- Hacktivists in Palestine and Israel are targeting industrial control systems;
- In September, reports claimed attackers breached a national power grid in Asia;
- In May, Danish critical infrastructure was targeted by Sandworm APT;
- A ransomware event targeting the Colonial Pipeline disrupted oil and gas delivery on the eastern coast of the United States, causing shortages and panic; and
- Industroyer malware in 2016 targeted Kyiv, Ukraine’s electrical supply, shutting down power in targeted regions.
Current Exposure is Significant
Lacking industrial control system cyber security is a global issue, with nearly 100,000 exposed industrial control systems around the world. This exposure varies significantly by region and sector. For example, certain ICS protocols are more prevalent in the EU, while others dominate in the US. This variability necessitates a nuanced approach to ICS security. Sectors like education, technology, and government are among the most affected, underscoring the need for sector-specific cybersecurity strategies.
ICS should not be exposed to the public Internet. Public exposure of these devices allows attackers to easily exploit devices and potentially cause significant harm to organizations or the underlying functions that they perform. Because industrial control systems are used commonly in critical infrastructure, public exposure could cause harm to essential operations impacting health and safety.
With significant exposure across North America and Europe, policymakers and other government leaders must proactively act to reduce the risks exposed ICSs present to their nations’ economies, persons, and national security.
Policy Recommendations
- Understand current exposure and track performance over time. The most important thing that government policymakers can start doing is to track public exposure of ICSs by sector and industry. Data is currently available to help government policymakers track exposure by organization, sector, and industry. Armed with this data, governments can create a baseline of current performance in order to understand current national and sectoral exposure. Once a baseline of exposure is established, the next step is to remediate that exposure.
- Engage critical infrastructure owners/operators on remediation. Once government policymakers understand current exposure, they should leverage existing authorities to engage owners and operators in remediation. Different governments have different authorities that they can leverage to perform remediation work. For example, Belgium’s Centre for Cybersecurity issues alerts and warnings to critical infrastructure organizations who are observed to have an infection or vulnerability. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) can issue alerts and warnings when they detect a security vulnerability in an Internet-connected system and even leverage an administrative subpoena process in order to identify the impacted organization. The impact of remediation work can be tracked over time to assess the success of the program or whether new authorities may be necessary to reduce exposure.
- Work with ICS vendors and manufacturers to improve product security. Policymakers should work collaboratively with ICS vendors and manufacturers to improve the security of the products that they create. Critical infrastructure organizations continue to struggle patching their systems in a timely fashion. In fact, research shows that organizations address remediation of vulnerabilities at a rate of only 5% per month. Governments should continue to engage with ICS vendors and manufacturers to ensure that they are developing secure products and leveraging secure by design principles. For example, in a new report called “Secure By Design,” CISA, NSA, FBI and cybersecurity agencies from 13 other countries describe the importance for software manufacturers to make secure by design and secure by default the focal points of product design and development processes. This report contains advice and recommendations for vendors and manufacturers to follow in order to create more secure devices and experiences for their customers.
Reach out to Bitsight to see how we can help you protect your organization.