Sectrio

OT


How to overcome OT security threats?

Let’s find out what gives OT security experts the creeps. Most of the time, the issues are associated with IT. The duties of the Chief Information Security Officer (CISO) change and expand along with the industrial Internet of Things (IIoT) and operational technology (OT). The CISO must eliminate threats posed by warehouse systems, networked machinery, and smart devices dispersed over hundreds of workstations. Maintaining safety in industry, oil and gas facilities, public utilities, transportation, civic infrastructure, and other areas is necessary for managing those security concerns. By 2025, analysts estimate that there will be some 21.5 billion IoT devices linked globally, greatly expanding the attack surface. CISOs require novel mitigation techniques for IIoT and OT risks, since embedded devices frequently lack patches and their vulnerabilities differ in important ways from information technology (IT) vulnerabilities. The organization’s leadership team and board of directors (BoD) need to be aware of the distinction. IIoT and OT are now at the forefront of cyber threat management due to costly production disruptions, safety failures resulting in injuries or fatalities, environmental damage resulting in liability, and other potentially devastating scenarios.

Addressing 5 cybersecurity threats to OT security

Operational technology (OT) used to be a specialty network that IT professionals didn’t bother with, or perhaps felt they didn’t need to. That made sense for a time, since OT networks often ran on esoteric operating systems, were hidden behind air gaps, and were segregated from IT processes. Then, because of improved performance, increased output, and ultimately financial benefit, organizations in every area related to energy and vital infrastructure began connecting to IT networks. Networking, remote control, and wireless communication were all the rage, and from an administrative standpoint it seemed logical for IT and OT to be combined. OT rapidly ceased to be the secure backwater that everyone had imagined it to be.

Organizations and authorities now have to deal with the cybersecurity consequences of this. Even though real-world examples of serious compromise are few and far between, attacks on Florida water treatment facilities and energy infrastructure in Ukraine serve as stark reminders that things may change drastically very quickly. The number of OT-connected systems and devices is rapidly expanding, encompassing everything from telematics and robotics to personal technologies like the Internet of Medical Things (IoMT), as well as supervisory control and data acquisition (SCADA), manufacturing execution systems (MES), discrete process control (DPS), programmable logic controllers (PLCs), and more. The challenge is how organizations should tackle the security problem anew, since doing nothing is not an option as isolation erodes and these systems are connected to regular IT networks. Established security vendors have filled the void by adding more layers to their systems, but specialists have also started to appear on the scene. What steps could organizations take to better handle the OT security issue?

1. Security flaws in IT

Attackers now have a wide range of targets to choose from if they want to take advantage of software flaws in OT. In the past ten years, this category of flaws has risen quickly from absolutely nothing to a list that is no longer manageable to recall off the top of one’s head. To begin with, Armis’ white paper on the subject says the following: a new vulnerability in Schneider Electric Modicon PLCs, which might allow an authentication bypass leading to remote code execution on unpatched equipment, was revealed by Armis in July 2021. The most significant actual assaults against SCADA and ICS OT to date, including Stuxnet and Triton, have all been conclusively linked to state-sponsored espionage.

The last firm on our list, Colonial Pipeline, is telling, since it was an ordinary ransomware assault on the IT system that compromised its invoicing capabilities, rather than an attack on the OT network itself, which caused the company’s operations to be halted. Therefore, there are two issues here, the largest of which is the connection between OT and IT, which is detrimental to the former. OT equipment flaws are a secondary source of vulnerability that is exploited only under certain conditions. Depending on the OT context, there are a variety of hazards associated with basic IT issues like credential theft. The ICS environment won’t be in danger from a compromised credential or RDP session since there are so many layers of segmentation in place; just because you enter the IT environment doesn’t imply you’ll also enter ICS. However, by just seeing someone’s network, we may determine who has considered this problem and who has not. In addition, in the few instances where segmentation has not been done successfully, programmable logic controllers (PLCs) may communicate with printers and there is no role-based access control. Anyone with access to a VPN could essentially access any network location. What are the main channels from IT to OT for infection? According to Norton, “Infected laptops belonging to maintenance engineers, USB sticks, an unauthorized wireless device, or even a malevolent insider” are among the causes of infection.

2. OT appliances don’t run antivirus

It may seem apparent, but OT devices cannot run a traditional security client, for several reasons related to their architecture and history. As a result, an agentless strategy must be used to obtain visibility into what is happening on an OT device via other methods. The strategy used by various organizations looks straightforward enough: observe network activity without interfering with production. It functions essentially as a network TAP in OT contexts, building an inventory from the network traffic it passively monitors. In addition to having the assets, we need to monitor their usage to create a profile of behaviors. Ironically, the OT team may refuse to allow the IT department to clean up malware that was identified running on an OT device if they are concerned about service disruption. Organizations frequently observe old infections in OT settings.

3. Asset blindness

The additional advantage of using an agentless strategy is that it provides organizations with complete


Complete Guide to SCADA Security

230,000 – this is the number of people affected by a single successful SCADA attack. Attackers successfully intruded into Ukraine’s power grid using BlackEnergy 3 malware in 2015. The attack left 230,000 people and more stranded without power for over 6 hours. The SCADA systems were left non-functional, forcing the workforce to restore power manually. This attack on the SCADA system set alarm bells ringing across the globe, exposing the weak cybersecurity posture of critical infrastructure.

But what are SCADA systems in the first place? The acronym SCADA stands for Supervisory Control and Data Acquisition. Ranging from power plants to railways and from water treatment plants to air traffic control, the applications of SCADA systems are vast and deep. Using SCADA systems (software), one can control processes in real time and obtain data from sensors, devices, and other associated equipment. In short, SCADA systems help an organization manage and operate an industrial plant efficiently. SCADA systems find uses across industries, infrastructure, facility processes, and more. Computers, GUIs, networked data communications, and proprietary software make up a typical SCADA system. Thanks to SCADA systems, one can quickly identify a non-functioning part in an industrial plant with over 10,000 functioning parts and numerous connections.

SCADA Structure:

A SCADA system works by collecting data and then relaying commands through the architecture to control a process or a machine. A typical SCADA system involves various collection points, administrative computers, field controllers, communication infrastructure, software, a human-machine interface, and more.

Administrative Computers: These form the core of a SCADA system. The administrative/supervisory computers send all the control commands to the respective machines and devices, and they harvest all the data collected in a SCADA-enabled system. Depending on the complexity of the SCADA system, there can be one or multiple administrative computers, often forming a master station. Dedicated human-machine interface systems drive the interactions between these computers and the workforce.

Field Controllers: These come in two forms:

Communication Infrastructure: This deals with establishing a secure connection between the SCADA system, RTUs, and PLCs. The communication connection comes in two forms:

Most of the infrastructure is modular, and the data passing through it is often unencrypted in both field and IT communication infrastructure. The primary design objective of these systems is easy troubleshooting and ease of implementation, emphasizing reliability over security. A manufacturer-specific or industry-defined protocol is adopted when establishing the communication infrastructure. The PLCs and RTUs can operate autonomously based on the latest command received from the administrative system.

Human-Machine Interface (HMI) System: The administrative system can range from a single computer to a master station comprising over ten computers. The data ranges from simple flow diagrams of processes to complex schematic diagrams of the entire plant. An operator can access graphics, data charts, and other graphical data displayed on the system using a mouse, keyboard, or touch. The HMI system presents the status of every process, component, and plant-related aspect in an interpretable manner.

Evolution of SCADA Systems

SCADA systems have come a long way since their beginnings in the early 1960s. Over those 60 years, SCADA systems have transformed from monolithic to IIoT-based systems. As per industry standards, the fourth generation of SCADA systems is in use. Shortly, the fifth generation of SCADA systems will enter industrial spaces.

First Generation (1960s to mid-1970s) – Monolithic
- RTUs incorporated at industrial sites, directly connected to minicomputer systems
- Low risk
- Independent system

Second Generation (mid-1970s to late 1980s) – Distributed
- Security risk elevated from low to moderate
- Availability of proprietary LAN networks
- Smaller computers and greater computing power
- Multiple systems connected via LAN
- Lack of interoperability due to vendor lock-in practices

Third Generation (late 1980s – 1990s) – Networked
- The emergence of Ethernet and fiber optics
- Improved interoperability
- Scalability of the SCADA system
- Security risk heightened
- Lower operating costs

Fourth Generation (2000s) – SCADA and IoT integrated system
- Equipped with IoT, cloud computing, and big data
- SSL and TLS have improved the security posture when exchanging data between the SCADA systems and external networks
- Better interfaces on handheld devices
- Greater interoperability
- SQL database support
- Web-deployable

The next generation of SCADA systems will have cloud computing at its core. Researchers expect the new SCADA systems to optimize resource management (at peak surges and low demand) and enhance security protocols. Even without in-depth knowledge of software, one can design complex applications using RAD (Rapid Application Development) and the upcoming new-age SCADA systems toolkit.

What makes SCADA so effective?

Vast industrial expanses make physical monitoring very difficult. We need a reliable and efficient system to automate recurring processes and constantly get the status of everything in an industrial expanse. SCADA has been rightly serving this purpose since its inception. From data collection to setting up alarms, SCADA plays a crucial role in improving an industrial expanse’s productivity, maintenance, and functionality.

SCADA Architecture:

SCADA systems run through 5 levels, from Level 0 to Level 4. They form five of the six levels described in the Purdue Enterprise Reference Architecture, followed by enterprise integration. The division into levels helps us understand SCADA systems better and define a security policy for each level.

Level 4 – Planning and Logistics
- Scheduling of production processes
- Managing ongoing processes

Level 3 – Production Control Level
- Made up of administrative systems
- Data aggregation from Level 2 systems
- Reporting on ongoing production
- Executing alerts and other region-wide functions

Level 2 – Plant Administrative Level
- Data aggregation from the level controllers
- Issuing commands to the respective level controllers
- Consists of supervisory and administrative systems

Level 1 – Direct Control Level
- Comprises local controllers – RTUs and PLCs
- Accepts data inputs from sensors
- Actuators receive commands
- Direct interaction with field devices

Level 0 – Field Device Level
- Includes sensors that forward data
- Includes actuators that control processes

SCADA Security Framework:

We can confidently say SCADA systems have opted for a reliable and straightforward framework for smooth functioning. SCADA systems were relatively safe, given that they were largely restricted to on-site locations before the internet exploded. Every SCADA security framework should be able to meet specific objectives. These help build a strong posture contributing toward a



LockBit 3.0 code release opens Pandora’s box of new threats

When LockBit 3.0 was launched in June, the group touted it as the most powerful encryptor ever built. The launch also led to a 17 percent rise in cyber incidents directly linked to the encryptor. The new variant brought in new features such as more payment options across cryptocurrencies, new monetization options, and more means to recover or destroy data depending on the outcome of negotiations with the victim. The files were not just encrypted but exfiltrated as well, to put additional pressure on the victim.

A typical attack begins with the victim’s device being infected and the files being encrypted with a jumbled extension. The data encryption is done at a rapid speed, with multiple tasks running in parallel. The infection becomes apparent when the wallpaper of the victim’s machine is changed to a ransom note. In case the ransom is not paid on time, the victim’s data is then put up for sale on the Dark Web and other forums.

Sample of LockBit 3.0 Ransom Note

At the time of writing this blog post, we did come across an APAC enterprise that was successfully targeted by the LockBit 3.0 group. The ransom note asked the victim to pay $10,000 to extend the deadline by 24 hours, $500,000 to destroy all information, and a similar amount to download the data at any time. LockBit 3.0 was much in demand in the Ransomware-as-a-Service market, which explains the sudden and steep rise in LockBit 3.0-linked attacks. The group even ran a bounty program to incentivize the detection of bugs in its code. LockBit operators were keen on preventing non-group members from obtaining the decryption tool. Since it was first detected in the wild in mid-June, LockBit 3.0 has been reported consistently from over 33 honeypot locations of Sectrio, indicating its prevalence and global presence. It even outcompeted rivals such as Hiveleaks and Blackbasta in infecting the maximum number of victims since launch, as documented by Sectrio’s threat researchers.

For a while, everything seemed to be going the way of the LockBit 3.0 developers, until an alleged disgruntled developer threw a spanner in the works by releasing the code of the encryptor, which subsequently appeared on Twitter at least a couple of times. This will enable other ransomware groups to build on the encryptor (or modify it) and launch new and more stealthy variants.

What’s next for LockBit 3.0 and other ransomware groups?

New ransomware groups could theoretically launch their operations with these modified variants. Such variants could also be re-engineered in academic or research labs, and if these variants are accidentally or deliberately released onto the web in the future, the chain of attacks linked to LockBit 3.0 will continue to worry cyber defenders for months or even years.


Close your Digital Transformation cybersecurity gaps now

In the first two quarters of 2022, attacks on digital transformation projects have grown manifold in the Middle East. Threat actors are targeting production systems, assembly lines, safety and instrumentation systems (including legacy systems dating back to 2017 or earlier), IoT devices, and IoT and OT networks. A new set of actors is relentlessly scanning networks belonging to diverse enterprises to expose gaps that could be exploited to harvest data or plant malware.

With such a rise in cyberattacks, and due to increasing insider threats, the risk of serious industrial cyber incidents from IoT and OT infrastructure has also risen significantly. Industrial companies that invested significantly in OT infrastructure have also turned into prime targets for ransomware and sophisticated attacks. Such attacks can lead to an erosion of revenue, invested capital, data, and credibility. The loss of production windows and destabilization of production schedules will continue to impact bottom lines for months, if not years. Thus, the need to close digital transformation gaps is now more essential than ever. Even a single exposed threat surface in your infrastructure can be detrimental to your overall security posture.

Digital transformation and security gaps

Digital transformation driven by data harvesting and the integration of assets and networks is opening up new threat surfaces and latent gaps. These gaps serve as attack pathways that are linked through cloud and application services, supply chains, the remote workforce, and untested IoT devices. Such vulnerabilities, which extend into critical control systems, can, when exploited by a sophisticated hacker, derail even the most mature first response plan as the hacker moves laterally through the system, disrupting operations while covering new ground and exploiting new gaps.

A traditional IT-focused approach to digital transformation security has proven to be the bane of many industries and security teams. Most IoT and OT systems lack advanced capabilities and often operate in alignment with last year’s threat environment. With the proliferation of sophisticated threat actors, mature cybersecurity programs based on threat anticipation and response are no longer a matter of choice.

Most of the IoT and OT cybersecurity programs being run by businesses lack the active defenses, skilled workforce, and tools needed to detect and address multiple vulnerabilities. The number of businesses that have a roadmap in place, with investments and management buy-in for a significant improvement in security posture, is even smaller. Most businesses lack the resources and expertise to execute secure deployment of innovative digital transformation efforts. Sometimes such programs have consumed more budget than allocated, and teams often try to cut corners by downgrading the original security program in terms of measures and tools to save money.

More access, less security

There is a demand from multiple stakeholders for direct access to infrastructure components including safety and instrumentation systems (SIS), core engineering systems, and cloud-based data analytics systems. Third-party vendors often ask for network access to service remote hardware, and predictive maintenance systems share data with multiple vendors in some instances. In many parts of the Middle East, such as the United Arab Emirates and Saudi Arabia, we have seen drones being used for surveilling remote locations. Such drones are often connected to multiple networks, each of which could serve as an entry point for complex malware or multi-payload droppers.

Digital transformation relies on improving operational transparency, overall efficiency, effectiveness, productivity, and process consistency. To attain these goals, security configurations are often overlooked or de-prioritized. In a Sectrio survey conducted between April and May 2022, over 80 percent of CISOs admitted to lacking the desired level of visibility into their operations. In the Middle East, CISOs also spoke about using systems that were not hardened from a security standpoint and were thus liable to be exploited by threat actors. Such gaps increase the risk of disruptive cyber incidents that can impact safety, infrastructure integrity, and business continuity.

Join us to address your digital transformation cyber security gaps

Join us at the Digital Transformation Security Drive, organized jointly by Sectrio and Spire, where our cybersecurity expert Gopal Krishnan will help you chalk out a roadmap to:

Date: August 24th, 2022
Time: 9:00 AM to 2:00 PM
Venue: Al Mawad Meeting Room, Le Meridien – Al Khobar

This is an in-person event. Reach out now to secure your slot for free.


How to secure a smart factory?

Securing smart factories is a relatively new priority for many manufacturers, which is why many of them often struggle with basic cybersecurity requirements while addressing larger security goals. The problem is compounded by a lack of skills, policies, and employee sensitization in some instances. For smart factory projects to be successful, the outcomes need to be secured and security needs to be treated as one of the core pillars of the digital transformation effort.

Security challenges in upgrading to a smart factory:

Thus, while smart factories have made substantial gains through the infusion of technology in non-security areas, security as an essential enabler of smart production is yet to receive its due. This trend is clearly reflected in the way digital factories have turned into vulnerable targets for hackers and bad actors. Hacker groups are consistently scanning for and placing newer variants of malware and multi-loaders such as Bumblebee to exfiltrate data and extort ransom.

Why do hackers target smart factories?

How to secure smart factories

Even before you start on the journey to improve cybersecurity for your smart manufacturing plants, you need to answer these basic but important cybersecurity questions:

Answers to these questions will give you the first steps that need to be taken to secure your establishment.

Paying attention early has its benefits

Security should ideally begin at the blueprint/design stage. When the project is still on paper, IIoT security governance mechanisms, roles and responsibilities (of key personnel), and detection and defence solutions should be considered and finalized. We have often seen that the understanding and appreciation of the threat environment facing smart factories varies from team to team, so coordinating efforts to arrive at a consensus on a governance model is essential. (Building policies and frameworks like the OT Cybersecurity Policy Template or IEC 62443, and the NIST Table of Roles & Responsibilities Template, will go a long way in elevating your cybersecurity posture to the next level.)

Ensuring maturity of response to breach attempts is another strategic priority. Breach detection solutions that integrate with the governance model and the SOC facility should be deployed while the governance and security model is being finalized. Since threat actors will not wait for everything to fall into place before attacking parts of the smart factory, it is important that detection and remediation solutions are deployed to address these threats. Once the governance model is finalized, the solution can then be aligned to the outcomes expected of it as per the chosen model.

Defense and response playbooks can go a long way in fashioning a well-etched and coherent first response to any signs of a cyberattack or a breach attempt. Such a playbook can define attack scenarios or even suggest basic cyber hygiene tactics that can be deployed to prevent breaches in the first place. Here are a few other steps that can be taken to secure smart factories.

How to secure a smart factory?


Complete Guide to OT Security

Oldsmar, a small city in the state of Florida, has a population of about 15,000. On February 5th, 2021, at the Oldsmar water treatment facility, a vigilant employee noticed a spike in the level of sodium hydroxide, or lye. The lye level had been changed from 100 ppm to 11,000 ppm, a 10,000% jump. The hacker had managed to infiltrate the critical infrastructure and release excess lye into the water that serves the entire city.

Public utility systems without a robust Operational Technology security posture are vulnerable to such threats. The threats are real, and the number of attackers with advanced capabilities is increasing at an alarming rate. The fears of security experts have come true, and they only compound with time. Two in every five enterprises revealed that hackers had targeted their OT devices. Likewise, over 60% of respondents in a survey felt that the volume, complexity, and frequency of threats are likely to increase in the coming years. For an enterprise or an industrial unit, Operational Technology security is of paramount importance. In the case of infrastructure like power grids, it is a matter of national security.

What is Operational Technology (OT)?

Operational Technology is the hardware and software that detects or causes a change through direct monitoring and/or control of hardware (valves, sensors, I/O devices, switches, PLCs, actuators, etc.) and software (customized and machine-specific). Along with the above-mentioned components, OT systems employ a wide range of control components that act together to achieve an objective. Unlike other information processing systems, any change in an OT network has an effect in the real world. Owing to this, safety is of paramount importance in OT systems, and it frequently conflicts with security design and operations.

Different types of OT systems:

1. Supervisory Control and Data Acquisition (SCADA) systems
SCADA systems collect data from many input/output devices across a large geography. The architecture consists of computers and networked data communications with a graphical user interface. Commands sent from the command centre (using the GUI) are executed by PID controllers and PLCs (Programmable Logic Controllers) at the endpoints. Electric lines, pipelines, railways, and power transmission often rely on SCADA systems.

2. Distributed Control Systems (DCS)
A DCS is found in environments with many control loops, offering both central supervisory equipment and local-level control. It is seen in areas like refining, manufacturing, and power generation, where high reliability and security are very important.

3. Medical systems
On-site medical devices comprise in-hospital facilities like MRI scanners, infusion pumps, EKG/ECG machines, defibrillators, and others. These run on age-old operating systems and proprietary protocols. Consumer medical devices comprise insulin pumps, artificial pacemakers, and prenatal monitors belonging to the class of IoT smart devices.

4. Physical access control and building automation systems
Every inch of an industrial complex, whether a design, fabrication, or manufacturing zone, needs to be protected. Right from HVAC systems, elevators, swipe cards, security cameras, biosecurity machines, and others, everything needs to be secured.

OT security without IoT integration:

OT networks run off the grid, isolated from other networks, which greatly limits their exposure to security vulnerabilities. Every process in an OT environment runs on proprietary control protocols. Critical infrastructure like transport, power distribution, healthcare, and others are examples of OT networks. In the event of an on-site security lapse, an intruder or a group of attackers may manage to get into the premises of an industrial facility. The threats arising from such events can be avoided by improving security and surveillance along with the deployment of multi-layered security. This is to ensure that access to critical assets and control rooms is always restricted to authorized personnel, even in the event of an on-site security lapse.

Also read: Complete Guide to Cyber Threat Intelligence Feeds

There have also been reports of identity card and swipe card thefts giving unauthorized people access to OT infrastructure facilities.

Did the adoption of IoT make OT systems more vulnerable?

Smart transportation, smart power transmission, smart manufacturing: every ‘smart’ thing that is a part of our day-to-day lives is an upgrade of its cousin from the pre-internet days. Everyone involved, whether government, private contractor, or even academician, wants to make OT systems more reliable, cost-effective, and efficient. To achieve this goal, services like big data analytics and other enterprise software have been integrated with OT networks. This means IT has been integrated with OT. This brought more misery than OT systems had seen cumulatively over the past 200 years. With the integration of Information Technology and the Internet of Things into Operational Technology, the security of the critical infrastructure that holds a nation together has been put under scrutiny. To mitigate the risks arising from IT and IoT integration with OT, traditional security solutions should be deployed along with strategies like defense-in-depth, layered security mechanisms, and other sophisticated modern security systems.

Also read: How to get started with OT security

OT systems have moved from a state of complete isolation to a state where complete isolation is impossible. While the integration of IT, IoT, and OT was bound to happen sooner or later, threats and security vulnerabilities were bound to follow. Just as IT cybersecurity went through some rough patches during its infancy some three decades ago and is still fighting with a positive spirit, modern hybrid OT systems, too, are expected to continue down a similar path.

How OT security differs from IT security

Operational Technology is industry-oriented and focuses on the manufacturing, production, and transmission landscape. A single failure in an OT system can hurt industrial operations directly, leading to long non-production hours. There have been instances of fatal accidents in some cases. Though such incidents are of low frequency, they have a destructive effect, at times threatening national security. OT security puts safety at the forefront, despite OT being non-dynamic. On the other side of the fence, IT security deals with data flowing across various IT systems. IT security is primarily a business-oriented vertical driven by an enterprise landscape. An IT



9 important tips for selecting an OT security vendor

With rising cyberattacks and inbound scans from sophisticated actors, security teams managing OT networks and assets are under immense pressure. In addition to SOC fatigue, there are also challenges associated with rising threats to OT infrastructure that could cause a shutdown or make critical equipment unavailable. In a study conducted by Sectrio’s threat research team in June 2022, we found many ports on OT networks easily accessible from outside. Because of a lack of network visibility and cyber hygiene, hackers can access networks and move laterally across infrastructures and locations. This is not just a dangerous trend; it can also severely dent the ability of such businesses to ward off cyberattacks in the future, as they may already be hosting malware loaders and multiple stealthy malware strains that are either exfiltrating data or keeping the infrastructure available for future attacks.

Investing in better cybersecurity practices and an OT security solution is thus imperative. But choosing such a solution should ideally involve a round of diligence. To help you, we have identified a set of tips that can hasten the process of selecting an OT security solution with the right features, capabilities, and endurance.

9 vital tips for selecting the right OT security vendor

1. Does the vendor understand OT protocols?
A vendor that understands and covers varied OT protocols can be considered a mature vendor.

2. Is it a mixed-bag solution?
If the OT security vendor has sourced detection or mitigation exclusively from another vendor or vendors, that is a huge red flag. Such a security solution would induce a detection and mitigation lag, and an attack vector might just slip through the integration gaps. An ideal solution should have all modules coming from the same vendor.

3. Did the vendor recently acquire any other capability inorganically?
Lots of mergers and acquisitions occur in the OT security industry, so be careful about any solution coming from a vendor that has recently acquired another security vendor, as the integration of capabilities and features may not have been fully tested and may not be bug-free. The solution can, however, be considered after an extended POC.

4. Do they offer asset discovery and vulnerability management?
You will be surprised to know that many OT security vendors do not provide these capabilities as part of their core solution. This is a clear disadvantage, as these are essential capabilities for ensuring a robust security posture.

5. How do they get their threat intelligence?
Only a few vendors offer native OT threat intelligence feeds. If a vendor offers this, it should be considered a clear advantage.

6. Has the solution addressed unique security challenges that you can identify with?
Read some of their case studies and check whether the solution addresses real problems rather than academic ones.

7. Ease of deployment and decision data accessibility
Is the solution modular, and does it permit rapid deployment? Once you have selected the solution, you will want it to integrate with your environment rapidly. The data dashboards should be clutter-free and permit decision-making across views.

8. Support for mixed environments
The solution should be able to work across hybrid environments with various technologies and devices of all vintages.

9. Do they offer comprehensive consulting and compliance services as well?
Vendors that offer security services for specific end needs score high on the ratings, as consulting services are often required to build a security roadmap and to build OT security skills and knowledge in the workforce. With new compliance mandates being added, businesses need help configuring their workflows, processes, and systems for audit, reporting, or any other compliance need.

Need help selecting an OT security solution? Talk to our solution experts to take the next steps here: Contact us

Is your existing OT security solution failing you? Download the checklist to learn how to move on to a new solution with ease: Download checklist now



Expanding RaaS eco-system is exploiting OT security gaps like never before

Ransomware availability is now at an all-time high globally. Not only is ransomware more easily available, but the average cost of ransomware has dipped by as much as 70 percent since February 2022, when the Russo-Ukrainian war began. This is one reason why complex ransomware is now turning up in places it never was before. This dip has attracted new players and has also contributed to some extent to the growing number of attacks on businesses that run on or have OT in their infrastructure.

Growing Ransomware as a Service (RaaS) economy

The global RaaS economy is now estimated to be worth more than a billion dollars. The business is not just highly profitable but is also working its way towards evolving some kind of information structure and functional streamlining. The hierarchy of RaaS is a simple one. At the bottom rung lie freelancers, who work with a contractor who is tied to multiple ransomware groups. The contractors are responsible for the recruitment and allocation of freelancers to specific projects chosen by ransomware groups such as LockBit.

Also read: How to get started with OT security

The freelancers are given assignments on which their skill sets are evaluated, and they also receive rewards based on these assignments. A contractor may float a job ad on the dark or surface web calling for the recruitment of freelancers for specific projects. Depending on the skill sets and scope of a project, a freelancer can expect to earn anywhere between $300 and $500,000 for a single project. If the victim is attacked again based on stolen credentials, or if the stolen data gets resold, the freelancers and contractors behind that project can expect additional commissions. Groups like Conti have made RaaS projects exceptionally rewarding with a shoot, scoot, and regroup model. This model involves ransomware groups routinely reassembling after disbanding in the aftermath of a successful ransomware campaign. These groups also maintain a secret inventory of bugs to exploit. The malware development cycle for exploiting a specific high-value bug is today in the range of a day to a week, depending on the complexity of the exploit.

Also read: Complete Guide to Cyber Threat Intelligence Feeds

Unlike earlier ransomware groups, groups today are more sophisticated and use better tools and communication means, and random targeting is almost unheard of among them. Each target is chosen with diligence and handed over to contractors for acquisition. Contractors may also decide on targets at their discretion to increase their earnings from a specific family of ransomware. By mobilizing an army of freelancers, the contractors and ransomware groups benefit from higher levels of anonymity and a more fluid chain of association. Thus, the risk of an entire chain of cybercriminals being exposed is significantly reduced.

Implications of RaaS for OT security

Ransomware groups are now openly targeting manufacturing and utility firms that have a high percentage of OT installations. A soon-to-be-published study by Sectrio reveals the gravity of the problem. The study found that over 150,000 ports connected with various OT and IT services were available for scanning by an external actor. Some of these ports also provided access to core IT and OT assets, raising the alarming prospect of a massive and debilitating cyberattack unless these ports (opened inadvertently, we assume) are closed rapidly and the connected networks assessed for any signs of unauthorized entry.

Here is why OT security teams need to get their act together fast:

Want to learn about the threats lurking in your network? Get a comprehensive threat assessment done by our Threat Discovery and Assessment team.

Try our threat intelligence feeds for two weeks and ramp up the efficiency of your threat hunting efforts.

Want to secure OT? Try our award-winning OT-IT-IoT security product now.

Visit our compliance center to download additional information for free: Compliance Center



How to get started with OT security

In the last couple of years, OT security has managed to get plenty of attention from security teams. Some businesses have even set up dedicated teams to manage OT security and tools. However, many businesses are still in the process of figuring out a strategy to deal with OT threats and the specific risks to their infrastructure and networks. This article will shed some light on how to improve OT security without putting a strain on your existing resources.

Where to start?

In a manufacturing plant in the APAC region that was attacked in May last year, security teams were unable to agree on which tool to choose for securing OT systems. This resulted in a prolonged delay in decision-making. The teams met over 22 times in 6 months without being able to come to a consensus on the way forward. In every meeting, the IT security team, the SCADA and ICT team, and the CISO’s nominee would discuss and agree to disagree on these points:

- The IT team wanted to go with the existing vendor, who was offering an untested and unproven solution for OT security for free.
- The SCADA team wanted to go for a proven OT solution, but the CISO’s nominee was not comfortable with the budgets that were being sought.

The logjam continued for almost 200 days, until a cyberattack crippled their plant operations. The assembly line sustained much damage, but luckily, since the plant was not operational in the late evening after work hours, no loss of life was reported. The teams holding disparate opinions on how to deal with OT security came together and agreed on a line of approach immediately, and thus the plant got a new security solution in just 23 hours. That was not all: a cybersecurity audit of all systems, including vulnerability scans, was conducted, and everyone chipped in to identify new security standards to readily embrace to keep the focus on OT security going.

Lesson: move fast. Learn rapidly, decide early, and execute with diligence without wasting any time. Even small steps implemented early can lead to incremental OT security gains. On the other hand, the more you delay, the greater your chances of falling victim to a debilitating attack.

Also read: The 2022 global threat landscape report

1. Conduct an OT threat assessment
By doing a comprehensive OT threat assessment exercise, you will be able to identify and understand the threats, their sources, and the level of intervention required to deal with them. Sectrio can help with a custom threat assessment for your business. Share a few details here to get started.

2. Know your network and assets
OT and associated networks often harbor devices that have not been part of any inventory for years. We have seen power plants and manufacturing shop floors host complex OT devices serving simple functions that may once have been part of an inventory but are now invisible to the security operations team and to inventory managers. There could be two reasons for this:

- These devices are no longer playing a major role in the overall scheme of things (though they are still connected to the overall network).
- Or such devices are part of a sub-inventory that is managed separately.

Without an integrated inventory, it becomes difficult to know what to protect, which can add major gaps to the security posture of a business. Over a period of time, such devices are not just forgotten; they are also not maintained in any way and certainly not patched.

Lesson: put together an inventory of all assets without any discrimination.

3. Publish an OT security policy
Publishing an OT security policy will serve many purposes. It can be a statement of intent as well as a statement of direction and confidence in the need to address OT security. We have put together a template for you here that you can readily use. The OT security policy can very well be the first step, but always ensure that there are regular follow-ups to draw up and act on action items. If this is not done, the policy will remain on paper and will not be of much help to the organization. The OT security policy should be action-oriented.

4. Investigate and patch all vulnerabilities
Every vulnerability is an invitation to a hacker to exploit and attack. Run frequent scans to detect vulnerabilities and the patch status of devices. Act on the vulnerabilities detected and patch all unpatched devices. Schedule such scans, and also check the CVE databases frequently for any new vulnerabilities that may be associated with the devices in your network. These are essential parts of your overall cyber hygiene and must be given adequate priority.

5. Integrate OT risk exposure into your institutional risk management plan
All OT risks identified should be part of the institutional plan, along with identified timelines for addressing these risks. OT risks can be addressed in isolation at a tactical level if they do not have any dependency on the overall infrastructure (which is rarely the case). Risks related to device patching, for instance, can be handled as part of an OT security plan, but that plan has to connect with the institutional risk management plan at a strategic level. This will ensure more visibility for OT risks and also help in generating awareness of the need to address OT risks.

6. Identify standards and mandates to comply with
All security measures should have benchmarks to look up to. This is where NIST CSF, IEC 62443, and many ISO measures come into play. Many countries are now passing legislation mandating businesses to comply with new and stringent reporting requirements. Even before that, businesses need to look at streamlining their security measures and aligning them with the best standards out there. This will give your security team added motivation as well. When you declare your organization to be, say, IEC 62443 compliant, it will also give your customers more confidence to engage your organization.

7. Work with the right threat intelligence
