
Industrial software is a prominent target. What should we do?

In the run-up to the Russian invasion of Ukraine, we were starting to hear a lot more about vulnerabilities in our industrial control systems along with the need to secure our infrastructure from cyberattacks. Immediately after the war began, the U.S. government started a program to help utilities, municipal water companies, industrial plants, and more harden their infrastructure against such cyberattacks.

But now, some nine weeks later, it’s become clear that hackers have found a soft target in industrial networks — and plan to exploit them. Microsoft released a report this week showing how Russian attackers have stepped up their fight against Ukrainian targets. Meanwhile, in the U.S., security researchers are looking for vulnerabilities and the government is being far more open about publicizing them so that businesses can implement a fix before they get hacked.

Microsoft shows how Russia is using physical warfare and cyberwarfare in Ukraine.

Given how rapidly the security situation can change, and in light of the recent (and well-publicized) vulnerabilities in industrial networks such as PIPEDREAM as well as a Russian attack on the Ukrainian grid, I spoke to Marty Edwards, VP of OT security at Tenable, to find out why industrial security is getting so much attention. It turns out that a confluence of events — an active threat in the form of Russia’s war, more security researchers paying attention to OT security, and years of groundwork to help improve security documentation at industrial companies — is making industrial vulnerabilities more visible.

Basically, more people are looking at industrial networks for vulnerabilities. And the companies that deploy industrial equipment have been spending more time documenting their cyber assets thanks to regulations that require them to do so, which makes it easier for the people looking for vulnerabilities to actually find them. It’s akin to turning on the lights in a dark room.

So while all the news about new vulnerabilities sounds scary, it’s actually a good thing, because if you don’t know what’s out there you can’t secure it.

Edwards also sees a shift happening as companies re-evaluate their risks. Prior to the documented increase in active hacks against OT networks, and ransomware attacks that can lead to operations being shut down, some businesses decided that the best way to address the risk of hacks was not to hire experienced staff and invest in security, but to boost their cyber insurance.

In the wake of Russia’s invasion, hacks of organizations such as Colonial Pipeline, and the rise of ransomware gangs, the potential damage from an attack has risen — and insurance has become more expensive. Edwards told me this changes the equation and is leading more businesses to invest in security to prevent hacks.

The U.S. government has also been more open about the risks associated with vulnerable systems, and is allocating grants that will help municipalities — which operate their own infrastructure — invest in cybersecurity as part of larger infrastructure grants. The Biden administration has also been prodding businesses, by way of executive orders, to invest in securing their infrastructure while offering funding to help make sure those orders can be fulfilled.

So while we have a ways to go on cybersecurity, and it sometimes seems as if all we read about are new vulnerabilities and attacks, Edwards is optimistic that things are improving. I hope he’s right, because it’s about time.

Stacey Higginbotham
