This interview was originally published in the French magazine L'Usine Nouvelle and translated to English for your convenience. You can read the original interview in French here.
Researcher and consultant on cyber-security and cyber-defence issues.
As a researcher and consultant on cyber-security and cyber-defence issues, Guy-Philippe Goldstein is a speaker at the School of Economic Warfare, a contributor to the academic journal of the Institute for National Security Studies in Tel Aviv and a Strategic Advisor for the venture capital fund ExponCapital. He is also a fiction author: his novel, Babel Minute Zéro, which was read in some government circles in Israel, was one of the first to describe a scenario of cyber-conflict between China and the United States.
Production systems are less mature in preventing cyber threats
The last twelve months have been marked by an unprecedented upsurge in ransomware attacks (see here), including in the industrial sphere. At the same time, the cybersecurity of industrial systems (Operational Technology, OT) is a distinct field from the cybersecurity of so-called general-purpose computing (Information Technology, IT), even though the two share many of the same problems. To advance the discussion, this blog will interview a number of specialists. This week we begin with Danny Bren, former head of cybersecurity for the Israeli military and founder of Otorio, an Israeli-Austrian firm specializing in the cybersecurity of industrial systems, who is often asked these types of questions by the Israeli media.
Question: Is the current ransomware crisis linked to the Covid crisis or are there other contributing factors at play?
Danny Bren: There is no doubt: The COVID-19 pandemic has had an enormous impact on ransomware targeting industrial organizations and their operational technology (OT). One of the underlying reasons is the speed at which networks have opened up. This rapid pace has not always made it possible to introduce the appropriate security measures. And it didn't take long for cybercriminals to take advantage of it.
However, as early as 2019, we saw an exponential increase in OT/IT ransomware attacks. Several factors explain this trend. On one hand, the race for digitization and automation (also known as Industry 4.0). On the other, IT-OT convergence (note: the ever more extensive interconnection between industrial systems and so-called general-purpose computing).
In addition, OT networks have developed differently from computer networks and have been slower to open up to the Internet.
So is the OT network a better target for cybercriminals?
Yes. While computer cybersecurity is quite mature, OT security is really only developing now. The OT network therefore offers an easy target for cybercriminals. This is especially true because industrial companies are more susceptible to ransomware attacks due to their direct impact on the company's ability to make money. When a production line is shut down, there is no "backup" to restore operations. The systems need to be brought back fully "online". This makes industrial companies more likely to pay a hefty ransom - and attackers know it. Finally, criminals are more sophisticated. We are dealing with organized cybercrime, which uses advanced tools that until recently were often only available to nation-state actors.
The crisis has increased the use of remote access tools, including by suppliers. This poses major security problems. What should be done?
Remote maintenance has become fundamental. However, industrial organizations must have total control over access to their production environment, otherwise they are simply "giving the keys" to their most sensitive operations to their subcontractors. It is therefore necessary, among other measures, to use tools that monitor, audit and control the connections of remote access tools; to verify that these tools are themselves up to date, for example by using vulnerability databases such as B&R Vulnerability or mB Connect Vulnerability; and to keep checking the cybersecurity quality of subcontractors, in particular by remembering that a supplier without known vulnerabilities is not necessarily secure - and that the machines of a third party ... may sometimes contain elements of a fourth!
What factors would make it possible to finally solve the above-mentioned problem of speed and maturity of the OT environment?
Senior executives in industrial companies need to understand that they are risking legal liability for the damage caused by cyber attacks, especially with regard to human security. A recent report from Gartner predicts that 75% of CEOs will be personally responsible for cyber-physical security incidents in 2024. This prediction has the potential to radically change the status of cybersecurity in OT environments. At the same time, operational managers should be able to provide comprehensive reports on security status to stakeholders, clearly highlighting the business impact of the risk. They will have to ensure that the risk posture does not become too expensive - or too complicated to manage.
The other side of the coin involves cybersecurity solution providers. They need to understand that trying to protect "OT" networks with "IT" tools will not work. Cybersecurity solutions for OT must be developed with industrial engineers and operational managers in mind.
Is a shift in posture also needed?
Yes, there is a need to move from a reactive approach, where you try to detect the threat once it is in the systems, to a proactive approach. Because once the threat is already there, in the industrial environment, it is already "game over", and the costs in terms of stopped production, as well as the high risk to human safety, become too great and too serious. Multiple actions are needed. In addition to what has already been mentioned on remote access and on the key elements of preparation that are common to OT and IT environments, I would also mention the need to listen carefully to and support the teams of OT experts, who are in the best position to manage the situation on the production line, by simplifying cybersecurity management and providing clear remediation guides; and to automate monitoring as much as possible, as the industrial environment has become simply too complex for manual monitoring. This also includes the cyber risk assessment of OT networks, which should be continuous and automated as far as possible.
The United States seems to remain the primary target of ransomware attacks against industrial systems. What about Europe?
Our most recent research shows that ransomware attacks have mostly targeted major industrial centres - the United States, Germany, France, Japan and India (Author's note: notice that these are western centres). The Persian Gulf states, as energy production hubs of the world economy, have also been targeted by industrial ransomware. We believe that this geographic targeting will continue in the years to come. However, we expect attacks on OT systems to become more serious if geopolitical tensions increase.
France is the seventh largest economy in the world, the second in the European Union and one of the most important industrial centres on a global scale. In spite of this, the French industrial ecosystem does not necessarily have an "early adopter" profile on industrial cybersecurity issues. This combination of factors may attract cybercriminals ... In addition, the French industrial ecosystem is structured around very large global industrial groups with smaller suppliers. That makes France a market with fewer targets, but the impact of such attacks could be systemic. This concentration is true for many sectors, including automotive, defence and aerospace, energy, pharmaceuticals, chemicals and, to a lesser extent, food. It is therefore no accident that the National Cybersecurity Agency of France (ANSSI) takes the threat seriously and is imposing increasingly stringent standards on certain sectors.