How AI and ML can thwart a cybersecurity threat no one talks about

Enterprise

Hear from CIOs, CTOs, and other C-level and senior execs on data and AI strategies at the Future of Work Summit this January 12, 2022. Learn more


Ransomware attackers rely on USB drives to deliver malware, jumping the air gap that all industrial distribution, manufacturing, and utilities rely on as their first line of defense against cyberattacks. Seventy-nine percent of USB attacks can potentially disrupt the operational technologies (OT) that power industrial processing plants, according to Honeywell’s Industrial Cybersecurity USB Threat Report 2021.

The study finds the incidence of malware-based USB attacks is one of the fastest-growing and most undetectable threat vectors that process-based industries such as public utilities face today, as the Colonial Pipeline and JBS Foods illustrate. Utilities are also being targeted by ransomware attackers, as the thwarted ransomware attacks on water processing plants in Florida and Northern California aimed at contaminating water supplies illustrate. According to Check Point Software Technologies’ ThreatCloud database, U.S. utilities have been attacked 300 times every week with a 50% increase in just two months.

Process manufacturing and utilities’ record year of cybersecurity threats

Ransomware attackers’ have accelerated their process of identifying the weakest targets and quickly capitalizing on them by exfiltrating data, then threatening to release it to the public unless the ransom is paid. Process manufacturing plants and utilities globally run on Industrial Control Systems (ICS) among the most porous and least secure enterprises systems. Because Industrial Control Systems (ICS) are easily compromised, they are a prime target for ransomware.

A third of ICS computers were attacked in the first half of 2021, according to Kaspersky’s ICS CERT Report.  Kaspersky states that the number of ICS vulnerabilities reported in the first half of 2021 surged 41%, with most (71%) classified as high severity or critical. Attacks on the manufacturing industry increased nearly 300% in 2020 over the volume from the previous year, accounting for 22% of all attacks, according to the NTT 2021 Global Threat Intelligence Report (GTIR). The first half of 2021 was the biggest test of industrial cybersecurity in history. Sixty-three percent of all ICS-related vulnerabilities cause processing plants to lose control of operations, and 71% can obfuscate or block the view of operations immediately.

A SANS 2021 Survey: OT/ICS Cybersecurity finds that 59% of organizations’ greatest securing challenge is integrating legacy OT systems and technologies with modern IT systems. The gap is growing as modern IT systems become more cloud and API-based, making it more challenging to integrate with legacy OT technologies.

Above: Six out of 10 process manufacturers and utilities struggle to integrate legacy OT technology with modern IT systems, contributing to a great cybersecurity gap that bad actors, including ransomware attackers, are looking to exploit.

USBs: The threat vector no one talks about 

The SolarWinds attack showed how Advanced Persistent Threat (APT)-based breaches could modify legitimate executable files and have them propagate across software supply chains undetected. That’s the same goal ransomware attackers are trying to accomplish by using USB drives to deliver modified executable files throughout an ICS and infect the entire plant, so the victim has no choice but to pay the ransom.

USB-based threats rose from 19% of all ICS cyberattacks in 2019 to just over 37% in 2020, the second consecutive year of significant growth, according to Honeywell’s report.

Ransomware attackers prioritize USBs as the primary attack vector and delivery mechanism for processing manufacturing and Utilities targets. Over one in three malware attacks (37%) are purpose-built to be delivered using a USB device.

It’s troubling how advanced ransomware code that’s delivered via USB has become. Executable code is designed to impersonate legitimate executables while also having the capability to provide illegal remote access. Honeywell found that 51% can successfully establish remote access from a production facility to a remote location. Over half of breach attempts (52%) in 2020 were also wormable. Ransomware attackers are using SolarWinds as a model to penetrate deep into ICS systems and capture privileged access credentials, exfiltrate data, and, in some cases, establish command and control.

Honeywell’s data shows that process manufacturers and utilities face a major challenge staying at parity with ransomware attackers, APT, and state-sponsored cybercriminal organizations intent on taking control of an entire plant. The flex point of the balance of power is how USB-based ransomware attackers cross the air gaps in process manufacturing and utility companies. Utilities have relied on them for decades, and it’s a common design attribute in legacy ICS configurations. Infected USB drives used throughout a plant will cross air gaps without plant operators, sometimes knowing infected code is on the drives they’re using. Of the plants and utilities that successfully integrate OT and IT systems on a single platform, USB-delivered ransomware traverses these systems faster and leads to more devices, files, and ancillary systems being infected.

Improving detection efficacy is the goal

One of legacy ICS’ greatest weaknesses when it comes to cybersecurity is that they aren’t designed to be self-learning and weren’t designed to capture threat data. Instead, they’re real-time process and production monitoring systems that provide closed-loop visibility and control for manufacturing and process engineering.

Given their system limitations, it’s not surprising that 46% of known OT cyberthreats are poorly detected or not detected at all. In addition, Honeywell finds that 11% are never detected, and most detection engines and techniques catch just 35% of all attempted breach attempts.

Of the process manufacturers and utilities taking a zero-trust security-based approach to solving their security challenges, the most effective ones share several common characteristics. They’re using AI and machine learning (ML) technologies to create and fine-tune continuously learning anomaly detection rules and analytics of events, so they can identify and respond to incidents and avert attacks. They’re also using ML to identify a true incident from false alarms, creating more precise anomaly detection rules and analytics of events to respond to and mitigate incidents. AI and ML-based techniques are also powering contribution analytics that improves detection efficacy by prioritizing noise reduction over signal amplification. The goal is to reduce noise while improving signal detection through contextual data workflows.

How AI and machine learning mitigate risks

Cybersecurity vendors with deep AI and ML expertise need to step up the pace of innovation and take on the challenge of identifying potential threats, then shutting them down. Improving detection efficacy by interpreting data patterns and insights is key. Honeywell’s study shows just how porous ICS systems are, and how the gap between legacy OT technologies and modern IT systems adds to the risks of a cyberattack. ICS systems are designed for process and production monitoring with closed-loop visibility and control. That’s why a zero trust-based approach that treats every endpoint, threat surface, and identity as the security perimeter needs to accelerate faster than ransomware attackers’ ability to impersonate legitimate files and launch ransomware attacks.

VentureBeat

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact.

Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:

  • up-to-date information on the subjects of interest to you
  • our newsletters
  • gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
  • networking features, and more

Become a member