Cyber-security management landscape of the Indian automation industry: Overview, challenges, action points

The Modern Industrial Automation Cyber-Threat Landscape

The modern IIoT-driven IA cyber-threat landscape consists of two broad classes of attackers exploiting existing abovementioned IT/IoT/OT security loopholes: opportunistic attackers, such as prolific ransomware groups seeking OT targets, and highly sophisticated threat groups, such as nation-state-driven ICS/OT threat actors targeting industrial infrastructure advanced persistent threats (APTs). Such cyber-attacks result in a business disruption that can last from days to weeks, potentially costing enterprises hundreds of millions of dollars in multi-party cyber-risk impact.

The ransomware attacks against the IA sector in the US (and similar trends hold in India also and on the upward with Indian IAs getting increasingly digital and subsequently being on the radar of cyber-attackers) and increased approximately 86 percent from 2022 to 2023 via opportunistic threat groups with 72 percent of these ransomware attacks for 2023 targeting 437 manufacturing entities in 104 manufacturing subsectors. There was a nearly 30 percent increase in ransomware groups attacking critical industrial infrastructures between 2022 and 2023, with ransomware-as-a-service (RaaS) being the growing cyber-attack vector. Examples of well-known IA targeting ransomware groups include Lockbit, Conti, and Black Basta.

It is not just ransomware cyber-attacks that affect industrial automation systems. APTs are equally effective in launching business disruption cyber-attacks on IA enterprises in diverse sectors, including oil, gas, electricity, manufacturing, transportation, and food and beverage. In the last six years, the number of cyber-threat groups targeting industrial infrastructure has increased by approximately 300 percent. Some of the well-known and recent IA APT threat groups (along with their threat characteristics) include CHERNOVITE (manufacturing and ICS Kill Chain and IA software supply chain), BENTONITE (manufacturing, espionage and IT compromise), INDUSTROYER2 (IA software supply chain), KOSTOVITE (zero-day exploitation in IA systems), KAMACITE (command and control communications with IA infrastructure), XENOTIME (compromise of industrial safety instrumented systems), ELECTRUM (software supply chain), ERYTHRITE (search engine optimisation poisoning in IA systems), and WASSONITE (nuclear energy themed spear phishing, and command and control communications).

Also read: Why AI in cybersecurity needs to be part of business strategy to boost resilience

The Challenges of Incident Response in the Industrial Automation Industry

Cyber-attacks such as ransomware and APTs are inevitable; hence, incident response plays a vital role in the current Indian IA market. However, incident response in the IoT/OT-driven IA space differs starkly from that in the IT sector. Subsequently, it cannot be adapted from an IT incident response playbook.

In contrast to that in IT systems (used for how you manage a business), cyber-incidents that impact OT systems (resembling why you are in business) can have physical consequences that threaten human and environmental safety. On top of that, OT incident responders must be able to effectively triage systems without shutting them down to maintain operational and uptime requirements. Moreover, traditional forensic tools for IT enterprises offer little or no visibility to systems and protocols in the OT network, which is usually a complex network of systems of systems. In addition, system abnormalities in OT-driven IA industries are very different from IT system abnormalities, and alternative OT network expertise is needed to respond to IA cyberattacks. Unlike in an IT system, where the adversary needs to exploit vulnerabilities in the software management systems to achieve its goal, an adversary might just need to exploit a single IT vulnerability and then abnormally operate OT systems to threaten human and environmental safety.

The OT-driven IA sector poses significant challenges in charting an incident response program (IRP). First, it is quite difficult to align operational and IT engineers on the same plane regarding agreeing on procedures and policies that need to be part of an IRP. However, as OT = IT + Physics, the IRP must have a good blend of IT and OT engineering system expertise. This is because a simple IT security breach on an Engineering Workstation System (EWS) can cause a set of cascading OT functionality abnormalities with potentially significant physical and environmental damage, and this damage space needs to be anticipated by OT system experts. Add to this the very high costs of dedicating an OT engineering team full-time within an enterprise to build a bridging capability between the IT and OT space for an IRP.

One might wonder (as many executives do) whether the IT incident response team could do the job of an OT incident response team, and the answer is a 'no'. IT incident response retainers are usually incapable of managing the cyber risk of physical consequences. What an IA enterprise needs (according to Dragos) is a retainer relationship with a firm specialised in OT-focused experts who:

1. Are equipped with OT-capable tooling and technology.
2. Are aware of the physical consequences of cyber-incidents, as well as forensic and response actions.
3. Experienced in exhibiting good judgement of IA industry-based cyber-risk and pressure situations.
4. Exhibit a cross-functional understanding of OT incident stakeholders.

Residual cyber risk is inevitable if cyber insurance is not integrated into the incident response. On the third-party cyber-insurance dimension of incident response in Indian industrial automation markets, an important question is whether the cyber-insurance business in India is helping to mitigate the risk of an organisation being hit by ransomware or APTs. Recent market surveys and experimental studies that involve underwriters, claim handlers, incident response-focused cyber re-insurers, cyber-insurance buyers, industry associations, regulators, and employees in India observe the following nine residual cyber-risk management trends for cyber-attacks – whether they be ransomware, APTs, or otherwise.

(a) Cyber-insurance markets have become less dense despite enterprises' increased coverage demand for ransomware cyber-risks.

(b) Small and medium businesses (SMBs) are buying cyber-insurance coverage for ransomware (to mitigate the adverse effects of business disruption), but at the same time, some enterprises in the SMB space query on the prospective value of cyber-insurance – resorting to self-insurance instead if the cost outweighs the value.

(c) Cyber-insurance can reduce the risk of ransomware via pre and post-breach consultancy regarding increasing cyber-resilience in a ransomware attack—but only as a means and not as an end.

(d) Increased cyber-insurance premiums/deductibles and a sparse cyber-insurance market are pushing some enterprises to good cyber-security practices, including zero-trust, multi-factor authentication, and backups.

(e) As cyber-insurers get more insight into organisational cyber-security practices and mandated security controls (without which these organisations may not be able to purchase cyber-insurance), certain organisations cannot purchase cyber-insurance. Subsequently, they cannot protect themselves against residual ransomware cyber risk.

(f) Cyber-insurers often do not find it rational to engage in cyber-loss prevention efforts that cyber-security experts and governments recommend for enterprises due to their attention to enterprise. In contrast, selectively engage in cyber-security efforts only.

(g) Cyber-insurers have not been able to adopt a traditional K&R insurer's approach (due to privacy concerns) to negotiation for managing ransomware cyber-attacks.

(h) In certain situations when the impact due to a ransomware attack becomes un-insurable, cyber-insurers have been successful in pressuring governments to bear coverage responsibility in part and

(i) Cyber-insurance often does promote their clients to adhere to a critical NIST guideline that states that corrective actions post cyber-incident response should be shared in the private and the public to ensure that industrial automation organisations learn together, and improve together in preventing, protecting, handling, and recovering from cyber-attacks. This is because the breach attorneys hired by cyber-insurance agencies suggest enterprises against forensic and vulnerability information sharing to reduce litigation risk for the insured client.

Also read: The cyber-insurance vision is failing for ransomware attacks in India

Five Actions to Improve Industrial Automation Cyber-Risk Management

We propose five managerial action items that should form a part of an efficient and effective industrial automation security program.

Action #1 - Chart an Incident Response Plan Specific to Industrial Automation Systems

An effective incident response (IR) plan should necessarily account for OT environments' complexities and operational nuances as part of the IR design process for the security program. This accounting should not be an appendix to the IR design program. As an example, managers should, while designing the IR program, ensure that the threat detection strategies, IA process network architecture choices, and cyber data collection procedures align with the incident response requirements and anticipate questions targeted towards successful IR before a cyber-incident occurs. More specifically, managers should

1. Come up with attacker-defender scenario(s) that present the maximum cyber-risk to an IA enterprise and plan efforts to protect 'crown jewels' that will subsequently mitigate this cyber-risk and
2. To overlay these scenarios against the organisation's environments and sites, perform tabletop exercises.

Action #2 - Deploy Defensible Architectures to Reduce IA Enterprise Cyber-Risk Exposure

IA enterprise management should design and deploy defence architectures that reduce the cyber-risk exposure of industrial automation enterprises to ransomware and APT threat groups. The ways this can be achieved are:

1. Identifying and inventorying all the crown jewels in an enterprise's IA sites.
2. Segmenting process networked environments by creating "choke points" that reduce the number of ingress and egress points into networks for improved security and monitoring.
3. Collecting IT/OT network traffic with switched port analyser (SPAN) ports or tap infrastructure.
4. Logging system cyber data collected from value systems such as HMIs, EWSs, SCADAs, and PLCs.
5. Getting into a defensible cyber-position to reduce unwanted connectivity between IT/OT devices.

Action #3 - Ensure Continuous Industrial Automation Network Visibility and Monitoring

IA enterprises' intricately networked systems architecture necessitates network traffic monitoring (e.g., deep packet inspection) and subsequent AI/ML-driven smart analysis to understand the interactions among such sub-systems. This aids general resilience and recovery to mitigate downtime due to business disruption and avoid generating too many unnecessary alerts for incident response teams. The network monitoring management team should:

1. Adapt a passive monitoring approach that does not create barriers to industrial operations.
2. Analyse IA networking protocols in detail to understand control communications.
3. Design and deploy tactical threat and vulnerability detection mechanisms that do not generate unnecessary alerts.
4. Streamlined real-time data collection and aggregation at the process level to support incident response.
5. Should support root cause analysis of operational issues and outages.

Action #4 - Ensure Secure Remote Access Inside the Industrial Automation Infrastructure

The digitisation of OT systems and COVID-working norms has significantly increased remote connectivity in work environments, even post-COVID. While it has been established that work-from-home (WFH) has its benefits, it brings significant cyber-risks. This calls for ensuring secure remote access for all employees within an IA enterprise is necessary. Multi-factor authentication (MFA) deployment and zero-trust solutions can go a long way to reduce the adversary attack paths. The management should prioritise the employee use of traversal paths sharing private networks between organisations, public networks, and the Internet for remote access. Wherever MFA and zero-trust solutions cannot be deployed, the IA enterprise management should include controls such as jump hosts and communications "break and inspect", guide remote communications through "choke points", and the capability to cut communications in certain scenarios.

Action #5 – Promote Risk-Based Vulnerability Management

The IA enterprise management should understand cyber controls and device operating conditions, aiding in cyber-risk-based vulnerability management decisions to patch cyber vulnerabilities and mitigate their impact. As recommended actions, the management should

1. Generate a software bill of materials (SBOM) to identify and mitigate cyber vulnerabilities,
2. Should be careful not to rely on patching vulnerabilities, as, at times overly, it may introduce additional risk – the ideal solution here is simply mitigating the vulnerability through changing a firewall,
3. Make sure that active querying is preceded by testing and an attempt to confine the querying window to maintenance windows or downtime at the facility.

By Ranjan Pal (MIT Sloan School of Management) Bodhibrata Nag (Indian Institute of Management Calcutta) Michael Siegel (MIT Sloan School of Management)