Cybersecurity: Mapping attack vectors in industrial environments
02 04 2019
In an ever more connected world, the IT threats facing industry are many and varied. In response to this pressure, the industrial sector requires heightened security policies.
In June 2018, a study by Kaspersky Lab highlighted the significant cybersecurity threats facing ICS (industrial control systems). More than three quarters of the companies taking part in the study stated that it was highly likely that they would become the target of a cyberattack. However, only 23% of them stated that they were compliant with the directives and regulations for industry and the public authorities.
This trend is confirmed by the latest data from the American website MITRE, which lists CVEs (common vulnerabilities and exposures), i.e. all vulnerabilities and threats related to IT security. As an example, the American company Rockwell Automation saw its vulnerabilities double between 2017 and 2018 (+108%), well ahead of the French companies Schneider Electric (+64%) and Siemens (+22%).
The industrial sector is therefore more exposed to cyber threats than ever before. But what form can these threats take? To exploit the boundaries between IT and OT, cyberattacks have become polymorphic, and come through four main attack vectors: network-related, software-related, human and physical.
Types of attack vectors
Network-related attack vector
- Definition: all attacks which exploit flaws in network configurations or directly in a network protocol.
- Examples: WannaCry, Heartbleed.
- Access: local or remote, according to the accessibility of the connection carrying the data flow being targeted.
- Targets: the network is only a vector here. The real targets are the sender or recipient of the data travelling via the connection being targeted.
- Impact: industrial sabotage, data corruption, springboard for lateral movement, extraction of information.
Software-related attack vector
- Definition: all attacks which exploit software flaws.
- Example: Mirai.
- Access: chiefly local via the network to which the target is connected, but occasionally remote if the target is accessible via the Internet.
- Targets: in most cases, the equipment is the real target but sometimes it’s only a machine which will be used as a springboard and from which a lateral movement may be performed.
- Impact: industrial sabotage, data corruption, extraction of information, springboard for lateral movement.
Human attack vector
- Definition: all attacks using or targeting an individual, by e-mail but also simply by telephone.
- Examples: fake president fraud, WannaCry.
- Access: remote.
- Targets: staff (or subcontractors) of targeted industrial companies are generally only an entry point and not an end in themselves. It is the company itself which is ultimately targeted by this type of attack.
- Impact: extraction of information (reconnaissance phase), springboard for lateral movement, corruption of the person’s computer.
Physical attack vector
- Definition: all attacks targeting physical equipment.
- Example: Stuxnet (USB).
- Access: local.
- Targets: in most cases, the targeted equipment is the real target, but sometimes this is only a machine which will be used as a springboard for a lateral movement.
- Impact: corruption of the equipment, industrial sabotage, springboard for lateral movement.
The new security challenges facing the factory of the future
The use of “digital twins” (dynamic software models of a process, a product or a service, using IoT connections and often connected to the cloud) is a typical example of the new vulnerability risks facing the factory of the future. To keep pace with the increasing levels of connectivity in industrial environments, security must increasingly be planned upstream, at the design stage for connected machines and IoT items. This trend has seen the growth of the Security-by-Design and Cybersecurity-by-Design concepts.
In view of the wide spectrum of attack vectors, the security system of an ICS must not neglect any of these attack categories and must not overlook any of its own potential flaws.