November 2023: The Game of IT/OT Security: Unveiling New Critical Developments in Our Critical Infrastructure Threat Landscape

When
November 1st, 2023 11:00 AM EST

Who
Adam Robbie, Senior Staff Researcher, Palo Alto Networks

What
“The Game of IT/OT Security: Unveiling New Critical Developments in Our Critical Infrastructure Threat Landscape”

Description
Critical infrastructure such as manufacturing, the electrical grid, and water utilities uses Industrial Control Systems (ICS) and Operational Technology (OT) for daily operations. If you have pumped gas into your car, turned on a light, or drunk water, then you have interacted with ICS. In this presentation, we will discuss our research team’s findings related to three new critical developments in the ICS/OT threat landscape. These findings are based on data we collected from ten thousand companies across 50 countries over the past three years. We will then demonstrate, using the Purdue model, how non-ICS malware can exploit and propagate through an ICS system.

First, we will show that ICS/OT industries have become the new top target for many nation-state adversaries and cyber criminals. This conclusion is based on an extensive technical analysis of recent exploits. We found that the rate of exploits targeting ICS/OT industries far surpasses the exploit rate for all other industries in both quantity and growth trend. Another data-driven analysis indicated that in 2022, the industry most impacted by ransomware and extortion attacks was manufacturing.

The second finding is that, contrary to popular belief, ICS-centric malware is not the top threat for ICS/OT industries. Rather, as our analyses revealed, approximately 99.99% of the malware impacting ICS/OT industries was malware exploiting IT technology and protocols, such as Emotet, Coinminers, or AgentTesla. Only 0.001% of the malware targeting ICS/OT industries was exploiting ICS/OT protocols (e.g., Havex, Shamoon, or BlackEnergy).

The final finding is that the ICS/OT industry's detection time for compromised devices lags far behind the industry standard. In the most extreme example of delayed detection, we found an unattended compromised device that communicated with its C2 for a period of ten months.

Taken together, these findings confirm why ICS/OT leaders need to update their defense plans to protect our critical infrastructure. To this end, we will demonstrate how to create a zero-trust defense strategy by applying Game Theory to risk assessment and by mapping threats to MITRE TTPs. This approach incorporates Game Theory modeling and the ICS ATT&CK framework to conquer the adversary in this new landscape.
