In today’s automation systems environment, certain myths continue to persist. For example, "cyber attacks are only a concern for big companies". Although it may be less likely to be targeted by, say, a nation state attack, we’ve seen that malware can cause a shutdown of a system or trigger a loss of network equipment. Although there are security requirements that need to be met by the equipment suppliers and system integrators, there are also a lot of ongoing activities for cyber security that must be maintained by the asset owner.
Another myth we often hear is "my system is totally secure because it's air gapped or isolated from the network". What we've seen is although the system was air gapped, attackers were still able to gain access to the network through the use of USBs. Alternatively, with the growing connections of today's systems, it's really difficult to maintain a truly air gapped system. More and more of these systems are becoming connected potentially in ways that sites may not be fully aware of.
Another common myth we hear is "security by obscurity" or the idea that using legacy systems makes the system more secure by default. This correlates to using systems that can no longer be patched. If there are any known exploits or vulnerabilities for those systems, there's no way the site can protect against them. It tends to have more of a negative impact on security than a positive impact.
The reality of the current cybersecurity situation is that many automation systems or industrial control systems are experiencing attacks. A study from 2016 to 2017 showed over half or 54% of automation systems experienced an attack, with some of them experiencing as many as 10 to 25 attacks in that two year period. We've also seen that over time the number tends to be creeping upwards. This repeated study by the same group showed that in 2019 to 2020 that this number was over 60% of automation systems had seen an attack. A different study that I saw from 2020 to 2021 showed that it may have been as high as 90% for critical infrastructure type systems. The reality is that the majority of automation systems or organizations are seeing attacks and that's something that sites need to be aware of.
Part of the reason we're seeing so many attacks is many automation systems are poorly protected against cybersecurity considerations and are widely exposed to cybersecurity concerns. We're also seeing that organizations may not be as ready to respond effectively to cybersecurity incidents when they occur. Sophisticated tools are becoming more available even for unskilled hackers. One good example would be the Colonial Pipeline incident. This was a ransomware attack on a pipeline in the United States, and it was believed to come from the Dark side group, a hacking group located in Russia. The Darkside operates what's known as a ransomware, as a service group, where essentially a group of skilled hackers develop and put together ransomware that can then be used by unskilled hackers who are just focused on trying to gain a foothold onto the network to then deploy that attack. The hackers who developed the ransomware keep a portion of the ransom payments made. As result of the attack, the pipeline operations were down for multiple days. There were over 10,000 gas stations that were left without fuel. Colonial ended up paying nearly $5 million in ransom to the attackers.
A question we can ask ourselves is, “Is this the future for cyber criminals? Is this the way of the future? “. We are seeing that ransomware as a service business model can be financially viable for hackers and something that is growing in popularity. For the dark side group, the typical ransom demand ranged from $200,000 to $20 million. Hackers are incentivized to target industrial systems because of the potential for higher ransom payments. We think that that is something that is going to continue to grow.
If you would like to learn more about automation systems cybersecurity, check out our CS 002 self paced training course.