If hacks are like earthquakes—something you can prepare for but can’t avoid—the organizations that oversee the industrial-control systems that monitor and manage electricity, water, oil, transportation, and other essential daily services aren’t taking enough steps to prepare them.
That’s the conclusion of an annual security report based on a survey of 579 security experts, 85 percent of whom said they expect their country to suffer a major critical-infrastructure hack in the next five years.
“It’s not going to happen overnight, but as new, non-information technology devices get connected, the box expands of what IT needs to worry about,” says Todd DeSisto, CEO of Pwnie Express, the Internet of Things security company that published the report. With growing trepidation, security experts like him are watching the trend of adding Internet connectivity to myriad traditionally unconnected types of devices—in many cases, too many to even keep track of.
READ MORE ON INDUSTRIAL-CONTROL SYSTEMS
For critical systems, ‘just patch it’ is a paradox
After Russia warning, hole found in leading industrial-control software
Next up on hackers’ IoT target list: Gas stations
Critical systems at heart of WannaCry’s impact
Time for a Department of the Internet of Things?
The long reach of Mirai, the Internet of Things botnet
Only 49 percent of security experts surveyed at organizations with more than 1,000 employees know how many of the devices they control are connected to the Internet. At small and midsize organizations, that figure climbs to 70 percent, which still leaves nearly a third uncertain of how many of the devices they control are Internet connected.
While consumers can take steps to prepare for an earthquake, such as preparing a “go bag” with essentials to survive the first few days after a major tremblor, they can’t do much to prepare for a hack of an industrial-control system. That’s the job of security experts at the organizations running the systems. But it’s not clear that they’re taking the threats seriously.
The survey finds a slight decrease from last year in how aware security professionals are of their company’s exposure to threats, and that larger organizations, despite having more resources to dedicate to security, suffered attacks more often.
Dewan Chowdhury, founder and CEO of MalCrawler, a security software company that protects industrial-control systems, says the survey’s findings aren’t a surprise, given how carelessly Internet connectivity has been added to devices.
“More than ever, devices with IT are being integrated into operational technology,” he says. “But when it comes to security architecture, [when they’ve said] ‘Let’s make this thing connect to the Internet,’ did they consider security design? Ninety-nine percent of the time, the answer is no.”
“Criminals don’t care if your HVAC goes down, don’t care if your power system goes down, if they can make pennies on the dollar every single day.”—Sherri Davidson, CEO and founder, LMG Security
Earlier this month, researchers revealed a major flaw in industrial-control software made by Schneider Electric, one of the largest makers of ICS software in the world.
That lack of caution is a big part of what’s making it easier for hackers to get in, agrees Sherri Davidoff, the CEO and founder of LMG Security. Malicious hackers are getting smarter about how they hack, and that’s contributing to the problem, she says. Hackers who used to be interested only in stealing data, for example, are installing cryptojacking malware along with whatever else they’re doing.
“If you’re mining 25 cents a day on 2,000 systems—and it’s not hard to take over that many systems on the Internet—it doesn’t matter if it’s a data breach or ransomware; they’re going to install a cryptojacker just to make extra money,” she says.
In playing out a potential hack scenario, Davidoff says that because some cryptojacking tools have been known to cause inadvertent physical damage to devices, it wouldn’t be a stretch to imagine a cryptojacker infecting an industrial-control system or SCADA device that could cause it physical damage.
“Cryptojacking has really changed the game in this respect,” she says. “Criminals don’t care if your HVAC goes down, don’t care if your power system goes down, if they can make pennies on the dollar every single day.”
Beyond cryptojacking malware, basic, run-of-the-mill ransomware can also infect industrial-control systems. In February, researchers discovered the first instance of ransomware targeting an industrial-control system.
But getting in-house security experts to consider these new problems is a challenge when they struggle to be more aware of the ever-growing number of devices on their network. And simply hiring more security engineers isn’t feasible, when the industry faces a massive talent shortage.
Chowdhury says that one way to get around that, and improve security overall, is to train nonsecurity IT personnel in how to handle security issues.
“Organizations get the best results when they train engineers in security,” he says. “When they understand security, they’re more effective than any security engineer because they merge skills from both sides.”
Correction: A previous version of this story misspelled Sherri Davidoff’s last name.