While security technologies continue to advance, I suspect that history will repeat itself when the inevitable ICS breaches begin to surface.
We already know that a lack of basic security practices such as regular patching, antivirus, back-ups, network filtering and access control is still a top contributor to breaches. The added challenge for ICS operators is that the programmable logic controller (PLC) market is highly competitive.
For a few hundred pounds a PLC can be bought and taken apart by anyone who wants to learn in depth how industrial control devices work and how they communicate on the supposedly secure ICS network.
As with IoT devices, poor OS configuration, misconfigured web servers, weak authentication and simplistic network protocols are all major risk factors in ICS networks. For PLC manufacturers the priority is to add functionality at minimal cost in order to stay competitive; security is a consideration, but it is not the main focus.
And let's not forget that many ICS networks were built years ago and to this day run a mix of internet-connected devices, legacy network protocols and even serial links within the same infrastructure.
The harsh reality is that we are effectively back at the beginning: attackers are already scanning and enumerating ICS-connected devices in order to map out their targets. The main difference is that this reconnaissance may take longer than against a modern corporate network, because of the added complexity of ICS environments.
Once a foothold in the network has been established, we will likely see that same lack of basic security practices being a top contributor to an ICS-targeted attack. Phishing e-mails have already been sent to industrial targets in attempts to infect client machines, some of which are regularly connected to the ICS network for diagnostic purposes.
Missing patches or absent endpoint security will likely play a part in a future attack. The unsettling thought is that while ICS awareness is generally on the rise, no one really knows how long attackers have been mapping out these networks, or how far into the information-gathering stage they have already got.
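The reconnaissance described above leaves a trace: one source touching many distinct hosts on the same service port in a short time. The following script is an added example, not code from the original article or any product it mentions; it flags such horizontal sweeps in a simple connection log. The log lines, hosts, ports (502 and 80 are used only as illustrative service ports) and timestamps are all constructed for the example, and the "timestamp src dst dport proto" line format is an assumption rather than any real sensor's output.

```python
"""Flag horizontal sweeps (one source, many targets, same port) in a connection log.

Added example; the log format and thresholds are assumptions, not a real product's.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Conn = namedtuple("Conn", "ts src dst dport proto")

# Constructed sample log: 10.10.0.0/24 plays the ICS segment, 10.20.0.0/24 the
# adjacent office/engineering network. Nothing here is captured traffic.
SAMPLE_LOG = """\
# timestamp            src         dst         dport proto
2019-03-01T09:00:00 10.20.0.9  10.10.0.11  80  tcp
2019-03-01T09:40:00 10.20.0.9  10.10.0.12  80  tcp
2019-03-01T10:00:00 10.20.0.7  10.10.0.11 502  tcp
2019-03-01T10:00:01 10.20.0.5  10.10.0.11 502  tcp
2019-03-01T10:00:02 10.20.0.5  10.10.0.12 502  tcp
2019-03-01T10:00:03 10.20.0.5  10.10.0.13 502  tcp
2019-03-01T10:00:04 10.20.0.5  10.10.0.14 502  tcp
2019-03-01T10:00:05 10.20.0.5  10.10.0.15 502  tcp
2019-03-01T10:00:06 10.20.0.5  10.10.0.16 502  tcp
2019-03-01T10:00:30 10.20.0.7  10.10.0.11 502  tcp
2019-03-01T10:01:00 10.20.0.7  10.10.0.11 502  tcp
2019-03-01T10:20:00 10.20.0.9  10.10.0.13  80  tcp
2019-03-01T11:00:00 10.20.0.9  10.10.0.14  80  tcp
"""


def parse_log(text):
    """Parse whitespace-separated log lines into Conn records, skipping comments."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        conns.append(Conn(datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return conns


def find_sweeps(conns, window=timedelta(seconds=60), min_hosts=5):
    """Return one alert per (src, dport) that reached >= min_hosts distinct
    destinations inside any sliding time window of the given length.

    A workstation polling the same PLC repeatedly never trips this, because
    distinct destinations are counted, not connection attempts.
    """
    by_key = defaultdict(list)
    for c in conns:
        by_key[(c.src, c.dport)].append(c)

    alerts = []
    for (src, dport), events in by_key.items():
        events.sort(key=lambda c: c.ts)
        start = 0
        in_window = defaultdict(int)  # dst -> number of events inside the window
        best = 0
        for c in events:
            in_window[c.dst] += 1
            # Slide the window start forward until it fits within `window`.
            while c.ts - events[start].ts > window:
                old = events[start].dst
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= min_hosts:
            alerts.append({"src": src, "dport": dport, "distinct_hosts": best})
    return alerts


if __name__ == "__main__":
    for alert in find_sweeps(parse_log(SAMPLE_LOG)):
        print("possible sweep: %(src)s -> %(distinct_hosts)d hosts on port %(dport)d" % alert)
```

With the default 60-second window only the fast sweep from 10.20.0.5 is reported; the slow, hour-spaced probing from 10.20.0.9 only shows up if the window is widened to a few hours, which is the trade-off a practitioner has to make when the article's "patient" reconnaissance is the concern.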
We already know the damage and disruption that Stuxnet and BlackEnergy caused in recent years. According to a recent SANS survey, a shocking 12 per cent of respondents neither patch nor layer controls around critical control system assets. What would this mean in the long run? As Ukraine saw in December 2015, a denial of the electricity supply that we very much take for granted.
And with internet-connected smart devices for the home becoming ever more popular, gas, electricity and water could all be disrupted. It is no surprise that fuzz testing ICS and IoT hardware counts as low-hanging fruit for security researchers, and for the attackers who are already mapping out ICS networks for the attacks of tomorrow.
And then the internet happened and we started putting everything on the global network. Exposing these things to the internet means we see a lot more flaws and a lot more threats.