Rise of Disruptionware: Inside Forescout’s Latest Joint Report with Institute for Critical Infrastructure Technology (ICIT)

“Disrupting” traditional business models might be hot talk for start-ups pitching investors, but in the world of manufacturing, transportation, energy and similar sectors, real “disruption” of production and facilities due to cyberattacks can have devastating safety and financial consequences.

The old concepts of malware wreaking havoc in a system for monetary gain are still present, but a new breed of attacks that we call “disruptionware” is wreaking havoc in networked industrial control system (ICS) and operational technologies (OT) environments. These attacks are becoming increasingly consequential for the operator community because of the immediate disruption to operations and the potential safety impact to employees.

A joint report with Forescout and the Institute for Critical Infrastructure Technology (ICIT), a cybersecurity think tank in Washington, D.C. digs into this concerning trend. The report titled “The Rise of Disruptionware: A Study on How Disruptionware Like LockerGoga Significantly Impacts Critical Infrastructure” examines the attack patterns targeting critical industry sectors like manufacturing, including ransomware, disk-wiping malware and similarly disruptive malicious code.

Here are some of the key highlights and the immediate reasons why we feel this study is important:

Modernizing the Shop Floor but Forgetting Cybersecurity

The attack surface was narrower when you had to scale walls or cut fences to get at a manufacturer’s network. But operators today are making massive investments in newer, more productive and efficient equipment that relies on connectivity to receive orders, self-diagnose issues and scale to demand. Those updated systems, which are often connected to the Internet and traditional IT networks, have changed the risk equation for cybersecurity because they can potentially be hacked from afar.

In the typical IT security world, a ransomed file or infected laptop can be quickly restored thanks to strong back-up and recovery postures. But manufacturing assembly lines or water pumps damaged by malware or the ripple effects of a cyberattack don’t have that luxury. You cannot simply restore those physical goods with a cloud back-up. And, without that backup, a cyberattack can mean immediate interruption of services, regulatory issues and financial hits.

“Disruptionware” is More than Just a Nuisance

Disruptionware is about more than just preventing access to systems and data. It is about suspending operations, disrupting continuity, and crippling a business’s ability to engage in operations, gather resources, and disseminate deliverables.

In the past year, relatively low sophistication ransomware like LockerGoga has plagued a variety of industries. One manufacturing company that became infected with LockerGoga estimated the impact to its business to be north of $40 million just after one week of downtime.

We expect the wave of “disruptionware” to continue to impact critical infrastructure with malicious actors having a variety of goals, which can include receiving a ransom, exfiltrating data to sell, leaving a backdoor to allow further attacks, or even suspending operations just long enough to allow another company to obtain a high profile contract.

Recommendations to Improve Resiliency

Utilities, shipping companies and factories look and operate very differently, but our report with ICIT argues that these sectors all have more in common than you might think. When it comes to approaches for mitigating disruptionware’s risks – the basics matter the most.
Operators need to understand the degree to which physical equipment, control systems, office IT and other assets touch each other and ultimately, the Internet using visibility and control solutions. Otherwise they risk having security blind spots. They also need to make sure these rapidly-changing network connections are properly segmented and watch for changing patterns in network behavior that could indicate someone off-premise might be introducing a shared connection to exploit for intrusion. Other risk factors include wider use of vulnerable third-party partners and services in critical sectors and “network drift,” which is when unmonitored devices creep onto the network.

We see many of these challenges firsthand at Forescout because we support many of the world’s largest ICS and OT-dependent organizations. Our team understands that in the world of pipelines, factories and power plants, digital hazards consist of much more than just malicious intruders – any type of outage or disruption, even if due to false-positives or errors, still causes harm. But there is common ground that can be found under security and modernization as these disruption-sensitive industries push toward new software and connectivity technologies.

I am pleased to count ICIT among the community of research, public policy and other forums Forescout encourages to drive awareness and discussion of cyber risk issues driven by the Internet of Things (IoT) – more specifically the Industrial Internet of Things (IIoT) for this report’s stakeholders. I encourage you to download the report and share your feedback.