Hacktivists have taken a decided interest in attacking operational technology (OT). As more assets are connected online, many of them insecurely, OT is becoming a target-rich environment. Many of these groups, however, are not acting on their own; they are aligning with, and being leveraged by, state actors in Russia, Iran, and other nations adversarial to the West.
In this episode of the Nexus Podcast, OT cybersecurity expert Mike Holcomb discusses this growing and concerning phenomenon, and explains his development of what he calls a Converged Actor Framework that was revealed this week at the S4 Conference in Miami.
The framework is a tool defenders can use to delineate these groups according to the impact and frequency of their malicious activities. His hope is that this will inform decisions and inspire organizations to keep abreast of actual attacks involving OT and cyber-physical systems.
"One thing that's caught my attention is that we have more evidence of state actors aligning with hacktivists," Holcomb said, pointing specifically to Russia's infamous Sandworm directing the activities of the Russian Cyber Army Reborn.
"When I talk to owners and operators, or anyone just coming into the field, there are misconceptions of who's doing the attacking and why," Holcomb said. "There are still many owners and operators who still say [their industry] is only being targeted by state actors, and we don't have anything Russia, China, or North Korea wants. Then we don't need to do anything about OT cybersecurity."
The hurdle is demonstrating to manufacturers and other critical infrastructure companies that there is more out there targeting their operations than state actors. Hacktivists and ransomware operators are indeed carrying out disruptive campaigns, first by enumerating internet-facing OT and then often exploiting exposures by decidedly low-tech means. These include default credentials that have never been changed, or assets exposed directly to the internet.
In Holcomb's framework, which measures impact and frequency, state actors are categorized as low frequency but high impact. Hacktivists acting on their own, meanwhile, are high frequency and relatively low impact. The danger is with converged actors, Holcomb said: nation-states leveraging hacktivists become high frequency, high impact actors.
"We have state actors aligning with hacktivists; moving into the future, are we on this path to where we're going to get high frequency and high impact incidents?" Holcomb said. "I think there's a case to be made that it could be coming, at least to a degree. And we're not prepared for what's happening today, let alone being prepared for what could potentially be coming down the road."
Critical infrastructure organizations heavy in OT assets and cyber-physical systems (CPS) must be aware of the potential that a state actor could be the puppet master behind some of these hacktivist-related attacks. This also gives rise to discussions about attribution.
"From an attribution perspective, does it matter if I know who it is? If we're in hour 2 of an incident, and the plant is down, executives want to know two things: When are we back up? And, who is it? It doesn't matter," Holcomb said, conceding it's a different discussion for military and government agencies. "We just want them off the network. We want to figure out how they got in, what they've been doing, so we can get them off and reverse everything they've done in order to be safe."
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.