ASEAN’s cybersecurity conundrum

The ASEAN region’s cybersecurity is at a crossroads.

On the one hand, digital transformation means that systems – and plants – are getting increasingly competitive in the digital space, as everyone fights to upgrade and improve upon existing operational technology.

On the other hand, it opens the industry up to unprecedented threats, as seen in the recent Colonial Pipeline cyberattack which left the American East Coast vulnerable and saw a six-day shutdown of the company, alongside a fuel shortage.

It’s clear that cybersecurity is increasingly important to players in the downstream industry, but what can be done to ensure companies stay ahead of the curve? Vijay Vaidyanathan, Regional Vice President (Solutions Engineering), APJ at Claroty, weighs in with Asian Downstream Insights.

What do you think is the current state of cybersecurity in the ASEAN region?

An increased reliance on remote access during the pandemic has amplified the risk of enterprises being targeted by phishing or spam attacks and thus ransomware and other malware infections. Industrial control systems (ICS) in particular are at high risk – Claroty researchers have found that 71% of ICS vulnerabilities disclosed during the second half of 2020 were remotely exploitable through network attack vectors, as reported in our latest Biannual ICS Risk & Vulnerability Report.

It is likely that we will see more ransomware attacks affecting critical sectors, employing extortion methods, and strategic targeting, in ASEAN and other parts of the world. In fact, there have already been attacks against the US Colonial Pipeline and a water treatment plant in Florida. Closer to home, there have been attempted attacks against vaccine research and distribution efforts in India and Japan.

Fortunately, the ASEAN region has been taking steps to improve operational technology (OT) security standards in some markets in recent years. For instance, Singapore’s Cyber Security Agency released an OT cybersecurity Master Plan in 2019, and recently established an OT cybersecurity panel. Malaysia, on the other hand, announced its cybersecurity strategy 2020-2024 last year, which includes the need to enhance ICS protection.

There has been an increase in operators embracing digitalisation and shifting to Industry 4.0. What risks should they be aware of?

Digitalisation and the shift towards Industry 4.0 will see greater integration of OT and information technology (IT) systems. While this can unlock tremendous business value, IT/OT convergence also brings about new security challenges that operators have to address.

Historically, OT networks were designed to work in isolation, meaning they were “air gapped” from their IT counterparts. However, IT/OT convergence has created new pathways between industrial processes, as well as the machinery that controls them, on the OT side and the proprietary information, systems, endpoints, and ultimately, the open internet on the IT side. The result is a greater surface area and more vectors for potential cyberattacks, as well as a greater risk of exposure to such attacks.

While some operators may think of OT and IT as separate networks, bad actors do not differentiate – a network is a network, so attacks are intertwined. Many attacks that impact OT environments begin on the IT network. Operators therefore need core security controls that span the entire enterprise, as exposure and attack vectors can come from any attack surface. This includes security tools that have deep visibility into their networks to determine all connected devices and network processes, and mechanisms that allow them to detect, investigate and resolve malicious activities in real time.

What lessons do you think the ASEAN petrochemical industry can learn from the recent Colonial Pipeline cyberattack?

Some of the most important takeaways from this cyberattack include:

• The emergence of targeted ransomware. While we don’t know exactly how DarkSide introduced ransomware into Colonial Pipeline’s IT network, we do know that DarkSide targets specific high-value companies. Once an infection occurs, improper segmentation between IT and OT environments enables OT ransomware infections. By isolating and segmenting OT, organisations can stop the lateral spread of ransomware.
• The bar for successful extortion has been lowered. The Colonial pipeline cyberattack showed the bar for successful extortion from critical infrastructure has been lowered because you do not necessarily need the skills to go deep into OT/ICS. If you disrupt enough to pass the risk threshold for shutting down process equipment, the end goal is achieved.
• The risk of obsolete technology. The number of attacks against critical infrastructure has been increasing in frequency and severity. As cybercriminals seek opportunities for extortion, our reliance on emerging technology makes our critical infrastructure highly vulnerable based on its enormous attack surface area. Many ICS environments operate with obsolete technology that’s patched infrequently, if at all. This leads to a situation where cybersecurity risk levels are below acceptable tolerances. Thus, updating technology and improving governance can go a long way in mitigating risk.
• The need to secure distributed environments. Pipelines are highly distributed environments and the tools used to grant asset operators remote connectivity are optimised for easy access, rather than security. This gives attackers opportunities to sneak through cyber defences, as we saw in the Oldsmar attack.
• The energy sector is especially at risk. Claroty researchers have found that energy companies are one of the most highly impacted by ICS vulnerabilities. The energy sector experienced a 74% increase in ICS vulnerabilities disclosed during the second half of 2020 compared to the second half of 2018. This shows that cybercriminals have many ways of exploiting the controls of industrial networks.