OT/ICS Exploited through “Unsophisticated Means”: Why Cybersecurity “Basics” Remain Critical (in 2024)?

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an alert warning that “Threat Actors Continue to Exploit OT/ICS Through Unsophisticated Means.” Successful attacks are perpetrated in critical industrial settings—CISA specifies the Water and Wastewater Systems (WWS) sector, in particular—on the strength of neglected security basics, with default credentials and brute force attacks presenting easy wins for attackers. Remote access is a particularly concerning point to protect, with the VNC Protocol allowing Human-Machine Interface (HMI) access and opening OT system control to exploitation.

Industrial and critical infrastructure facilities, in particular, are being targeted by state actors and attackers such as Pro-Russia Hacktivists, so the pressure is on to harden networks and stop presenting soft targets, even if the exploitations made available are, as CISA refers to some, “nuisance effects.” Availability or quality of service attacks are magnitudes more impactful in this environment, and as attackers constantly seek escalation and lateral movement once inside a network as an Advanced Persistent Threat (APT), they must be prevented from making initial steps.

CISA also warns of the impact of ransomware on industry, detailing the encryption and exfiltration of data from industry victims. Ransomware has been an increasingly prevalent threat over the past year, and with double-extortion models as data are both encrypted (requiring payment to decrypt) and exfiltrated (for subsequent re-sale), the impact of this attack type is increasing.

Twenty-five percent of global OT companies have had to shut down operations due to cyberattacks in the past year, so failure to implement the advice posed by CISA could lead to significant business disruption and data loss.

CISA presents, in conjunction with several other government agencies, a fact sheet with best practices for defending OT operations, with specific focus on ongoing Pro-Russia hacking. The urgent recommendations are to change default passwords of OT devices such as Programmable Logic Controllers (PLCs) and HMIs and use strong, unique passwords, as well as limiting Internet connection of OT systems and to implement Multi-Factor Authentication (MFA). Known vulnerabilities are regularly published as advisories on the CISA website, allowing engaged teams to be alerted of potential risks and isolate the problem before exploitation.

Once these basics are covered, CISA directs industrial organizations to its “Secure by Design” webpage. Many OT companies have already embraced “Secure by Design” principles and invested heavily in advanced security, but CISA’s report demonstrates that this is not ubiquitous. Even for those with advanced security expertise, it can be easy to neglect best practices and revert to poor security hygiene, particularly when operational requirements supersede security. This balance must be carefully struck, particularly when considering capacity for remote connection.

Furthermore, CISA notes that several compromised HMIs were “unsupported legacy, foreign-manufactured devices rebranded as U.S. devices.” Effective supply chain monitoring is a critical component of comprehensive security, but the immediate exercise of asset inventory and understanding the risks present in an environment are nonetheless beneficial. Simple mitigations, such as effective credential management, selective Internet connection, and a check on software update policies, go a long way to maintaining security and protecting against the barrage of large-scale, unsophisticated attacks being aimed at industry. After this, supply chain monitoring becomes the critical next step to prevent weak links. Many security vendors market to OT businesses as participants in a supply chain, offering compliance-based solutions that focus on the customers’ own deliverables, but it is crucial that OT companies also interrogate their own supply chains with rigorous hardware sourcing and the employment of tools such as Software Bill of Materials (SBOM) automation to prevent vulnerability. With traditional SBOM tooling being primarily focused on the threat checking of standard open source libraries, there is work to be done in this space within verticals that draw on customized, niche, or proprietary code-based sources.