Dragos CEO: Digitization in critical infrastructure will spur attacks
MIAMI – As critical infrastructure organizations become increasingly digitized, homogeneous and connected, the risk of cyberattacks from both nation-backed and criminal hackers will increase, Robert M. Lee, CEO and founder of the industrial cybersecurity firm Dragos, warned in remarks on Wednesday.
“You look at a lot of our water systems across the United States. There’s many antiquated, older systems that are not digital and that are not connected,” Lee said at the ICS-focused security conference S4x24 in Miami. “As those systems get upgraded over the next three to five years, you’re going to start to see a massively more connected and massively more homogeneous water sector than we’ve ever had before.”
Lee argued that this development will replicate how other industries have moved from analog to connected digital systems — only to see themselves subject to widespread cyberattack. Seeking efficiency, the manufacturing sector was one of the first to digitize, and today it is the sector hardest hit by ransomware attacks, according to a recent year-in-review from Dragos.
Greater digitalization has also brought greater homogeneity, and that will soon be seen in other critical infrastructure sectors, which, in turn, will increase both the number of ransomware attacks as well their impact, Lee warned.
“The insulin manufacturing plant didn’t need to be homogeneous to anything else in the world. It was a self contained plant,” Lee said. “But now we are seeing that.”
Homogeneity will also make it easier for hackers to reuse capabilities that were traditionally only found in IT systems that have similar technology stacks. Lee warned that soon criminal hackers will realize that they can reuse capabilities on multiple facilities and have a greater impact on operations.
That’s especially concerning for industries that have historically underinvested in cybersecurity. Speaking at a hearing in January, Rick Jeffares, president of the Georgia Rural Water Association, told House lawmakers that many smaller water utilities in Georgia use limited SCADA systems and are often not connected to the internet. So for some of those water utilities, cybersecurity is simply not a pressing concern.
The potential impact of increased connectivity and homogeneity was illustrated recently by a relatively unsophisticated attack targeting a device made by the Israeli firm Unitronics that was carried out by a group calling itself the Cyber Av3ngers, a hacking crew connected to Iran’s Islamic Revolutionary Guard Corps.
By targeting a single device, the crew was able to cause disruption at multiple water facilities, a brewery, as well as the chemical and manufacturing sectors, according to Dragos. By connecting the devices to the internet and relying on a default password, administrators made themselves easy targets.
