Despite the fact that I haven’t been traveling much lately, the statistics that log my screen time are still as high as they ever were. It’s part of our modern way of working that we are so connected and “always on”—made easy by the Internet of Things (IoT).

The same is true for our critical systems. Cloud and internet-connected Industrial Control Systems (ICS) devices are becoming far more widespread in a move toward an Industrial Internet of Things (IIoT) environment. While this progress drives innovation, enabling a rapid growth in smart metering for instance, it has also opened the door to a new wave of attackers who are finding ways to exploit this improved connectivity.

The situation isn’t helped by a form of technical debt which has accrued, specifically in the area of insufficient security testing. Increasingly, businesses are using unpatched and untested devices—which offer a much more realistic and accessible target. Security leaders are fighting back, using public bug bounty programs and detection frameworks tailored to Operational Technology (OT), but OT threats still prompt the need for more effective security controls.

It's not a precise art. Security testing can be expensive—and it is difficult to assess the risk posed by each and every device. The risk of downtime for our critical industrial systems during testing adds another layer of complexity.

Changing landscape

As our latest 2020 Cyber Threatscape report reveals, slowly but surely, threats are being identified and remedied—many of the common classes of vulnerabilities affecting IoT devices have been at least partially solved and there is an increasing maturity in the IIoT space—but the challenge remains around how and when to apply this knowledge.

Security leaders are well placed to lead the charge against these connectivity challenges. By sharing knowledge and developing standardized systems that are simple and easy to integrate, the security behind such technologies can withstand a higher level of scrutiny.

In their annual analysis, Accenture Cyber Threat Intelligence (CTI) analysts noticed a shift in the threat landscape for OT networks. When we talk about attacks on OT networks, our minds go to complex, state-sponsored attacks, such as the malicious computer worm Stuxnet. However, in the past year, Accenture CTI noted an increase in commodity malware, particularly ransomware, being used to target OT networks.

As OT networks become more interesting targets for cyber criminals, here are three technical changes our analysts have observed that may be enabling threat actors to thrive:

  • Virtualization of operational technologies is increasing: Virtualization in the OT space enables quick deployment of systems (optimizing resource usage) and for redundancy and faster recovery from Finding vulnerabilities in commonly used virtualization technologies, rather than niche industrial systems, may introduce new attack opportunities for threat actors. Many organizations have taken a relaxed security posture when implementing their virtual infrastructure on the IT side. But the controls in place may need to be carefully considered when applied to the systems that control critical infrastructure.
  • Cloud connectivity for OT systems is increasing: Increased cloud connectivity is another example of OT shadowing development in the IT space—often used to run Supervisory Control and Data Acquisition (SCADA) applications in the cloud. Many ICS requirements can be addressed by the scalability of cloud computing, enabling increased flexibility, redundancy and But moving applications off-site can increase the attack surface. For SCADA applications, a major concern is Web application vulnerabilities that could be more easily discovered by an attacker than on-site hosting of the application.
  • Internet-connected devices are increasing: More and more devices are being connected to the internet in the OT and ICS space. One key example is the growth of smart metering in ICS systems. In November 2019, Tarlogic reported several vulnerabilities in PRIME, one of the most well-used smart metering standards. As more critical devices are connected and new standards are introduced to facilitate this connectivity, it raises the potential for security issues and presents a prime opportunity for attackers who discover them first.

Walls and boundaries are being broken down as we extend modern technologies into our critical infrastructure, often opening new avenues of attack. Because the rewards are high, threat actors continue to innovate. It’s time for CISOs to share what they know, standardize and build resilience from the ground up to avoid the new climate of connectivity having consequences.

Take a look at the full report for more on the latest cybersecurity threats.

A special thanks to the following individuals who also contributed to the 2020 Cyber Threatscape Report: Patton Adams, Omar Al-Shahery, Joseph Chmiel, Amy Cunliffe, Molly Day, Oliver Fay, Charlie Gardner, Gian Luca Giuliani, Samuel Goddard, Larry Karl, Paul Mansfield, Hannaire Mekaouar, Mei Nelson, Nellie Ohr and Kathryn Orme.


Copyright © 2021 Accenture. All rights reserved.

Joshua Ray

Managing Director – Accenture Security
