A studious adversary may be hellbent on destruction, and a comprehensive approach is needed to successfully govern the protection of critical infrastructure, specialists say.
The discovery of a malware tool targeting the operational technology in critical infrastructure like power plants and water treatment facilities is highlighting issues policymakers are grappling with in efforts to establish a regulatory regime for cybersecurity.
The tool enables the adversary to move laterally across industrial control system environments by effectively targeting their crucial programmable logic controllers.
“There are only a few places that can build something like this,” said Bryson Bort, CEO and founder of cybersecurity firm Scythe. “This is not the kind of thing that the script kiddie—the amateur—can, all of a sudden, gin up and be like, 'look, I'm doing things against PLCs.' These are very complicated machines.”
Bort and other fellows of the Atlantic Council’s Cyber Statecraft Initiative hosted a webinar Friday on the new tool, which is built to commoditize cyberattacks on industrial control systems with a modular design that would make it more accessible to less skilled adversaries as well.
“These are not protocols you can just go up, and, like, do against, like [web application penetration testing,]” Bort said. “So the complexity of this cannot be [overstated], the comprehensive nature of this particular malware cannot be [overstated]. This thing, I think calling it a shopping mall doesn't quite capture it right. This was Mall of America. This thing had almost everything in it and the ability to add even more.”
Bort said the design of the tool suggests a switch in the mindset of the adversary—likely the Kremlin in the estimation of cyber intelligence analysts, although U.S. officials have not attributed the tool’s origin.
He connected the tool’s emergence to “what we're seeing here in phase three on the ground in the Ukraine, which is the Russians seem to be going almost with a scorched earth approach. They are killing civilians, they are destroying the infrastructure. And that's a complete, almost, 180 from what we saw within the first few days of the war where it looked like … they thought they were gonna kind of stroll into the country, take everything. And you don't want to destroy what you're about to take. And now it seems to be just to cause destruction.”
In response to a question about the role of global vendors to the industrial control systems community, and potentially limiting their production to trustworthy partner nations, Bort argued that if there is a need for regulations, the focus should be on the owners and operators of the critical infrastructure.
“This isn't a vendor problem,” he said. “This is about ICS asset owners, and asset owners are working closely with their respective governments … and different countries of course, have different levels of regulation or partial regulation. We're in a kind of partially regulated area with likely more regulation coming in these sectors. But I would say it's the asset owners, not the vendors that I'd be looking to.”
But connected industrial control system environments are complicated, with many different vendors in the supply chain, including commercial information technologies like cloud services, which adversaries are increasingly targeting for their potential to create an exponential effect.
“Security matters on all of these sides,” Trey Herr, director of the Atlantic Council initiative, told Nextgov. “The vendors are the point of greatest regulatory leverage so addressing cybersecurity at the design stage can have the widest impact but with least understanding of the specific environments in which they'll be used. Asset owners have the best picture about how they use this technology and security matters here in how they deploy and manage the security of these devices. Vendors might be OT focused or IT focused, like cloud vendors, so regulators need to keep focused on both communities.”
That is something lawmakers are currently deliberating on with the goal of introducing legislation this summer. But Herr said more of the community’s attention is currently on the asset-owner incorporation level than on the IT supply-chain elements that are also involved.
“We have a lot more effort and energy on the asset owner level with the Sector Risk Management Agencies at the moment than other parties, especially the IT vendors,” he said.