Let’s find out what gives OT security experts the creeps. Most of the times, the issues are associated with IT.
The duties of the Chief Information Security Officer (CISO) change and expand along with the industrial Internet of Things (IIoT) and operational technology (OT). The CISO must eliminate threats posed by warehouse systems, networked machinery, and smart devices dispersed over hundreds of workstations. Maintaining safety in industry, oil and gas facilities, public utilities, transportation, civic infrastructure, and other areas is necessary for managing those security concerns.
By 2025, analysts estimate that there will be some 21.5 billion IoT devices linked globally, greatly expanding the attack surface. CISOs require novel mitigation techniques for IIoT and OT risks since embedded devices frequently lack patches, which differ in important ways from information technology (IT) vulnerabilities. The organization’s leadership team and board of directors (BoD) need to be aware of the distinction. IIoT and OT are now at the forefront of cyber threat management due to costly production disruptions, safety failures resulting in injuries or fatalities, environmental damage resulting in liability, and other potentially devastating scenarios.
Addressing 5 cybersecurity threats to OT security
Operational technology (OT) used to be a specialty network that IT professionals didn’t bother with, or maybe felt they didn’t need to. That made sense for a time since OT networks often operated on esoteric operating systems, were hidden by air gaps and were segregated from IT processes.
Then, because of improved performance, increased output, and ultimately financial benefit, organizations in every area related to energy and vital infrastructure began connecting to IT networks. Networking, remote control, and wireless communication were all the rage, and from an administrative standpoint, it made it logical for IT and OT to be combined. OT rapidly ceased to be the secure backwater that everyone had imagined it to be.
Also Read: How to get started with OT security
Organizations and authorities now have to deal with the cybersecurity consequences of this. Even though real-world examples of serious compromise are few and far between, attacks on Florida water treatment facilities and energy infrastructure in Ukraine serve as stark reminders that things may change drastically very quickly.
The number of OT-connected systems and devices is rapidly expanding, encompassing everything from telematics and robotics to personal technologies like the Internet of Medical Things, as well as supervisory control and data acquisition (SCADA), manufacturing execution systems (MES), discrete process control (DPS), programmable logic controllers (PLCs), and more (IoMT).
The challenge is how organizations should tackle the security problem anew when doing nothing is not an option as isolation is eroding as these systems are connected to regular IT networks. Established security vendors have filled the void by adding more layers to their systems, but experts have also started to appear on the scene.
What steps could organizations take to better handle the OT security issue?
1. Security Flaws in IT
Attackers now have a wide range of targets to choose from if they want to take advantage of software flaws in OT. In the past ten years, this category of flaws has risen quickly from absolutely nothing to a list that is no longer manageable to recall off the top of one’s head. For begin, Armis’ white paper on the subject says the following:
- URGENT/11 impacts billions of commercial and medical devices in July 2019
- Ripple20 TCP/IP vulnerabilities affect more industrial equipment as of June 2020.
- The OT/ICS “Perfect Storm” is predicted by the NSA and CISA for July 2020.
- Westrock’s main OT systems were targeted in January 2021.
- Control mechanisms of the Oldsmar Water Treatment Facility were broken in February 2021.
- NAME: WRECK vulnerabilities impacting OT devices were found in April 2021.
- MSFT reveals vulnerabilities impacting OT devices in Bad: Alloc in April 2021.
- Colonial Pipeline infrastructure closure in May 2021
A new vulnerability in Schneider Electric Modicon PLCs, which might allow an authentication bypass leading to remote code execution on unpatched equipment, was revealed by Armis in July 2021. The most major actual assaults against SCADA and ICS OT to date, including Stuxnet and Triton, have all been conclusively linked to state-sponsored espionage.
The last firm on our list, Colonial Pipeline, is telling since it was an ordinary ransomware assault on the IT system that compromised its invoicing capabilities rather than the OT network itself which caused the company’s operations to be halted.
Therefore, there are two issues here, the largest of which is the connection between OT and IT, which is detrimental to the former. OT equipment flaws are a secondary source of vulnerability that is exploited only under certain conditions.
Depending on the OT context, there are a variety of hazards associated with basic IT issues like credential theft.
The ICS environment won’t be in danger from a compromised credential or RDP since there are so many layers of segmentation in place; just because you enter the IT environment doesn’t imply, you’ll also enter ICS. However, by just seeing someone’s network, we may determine who has considered this problem and who has not.
In addition, in the few instances where segmentation has not been successfully done, programmable logic controllers (PLC) may communicate to printers and there is no role-based access control. Anyone with access to a VPN could essentially access any network location.
What are the main channels from IT to OT for infection? According to Norton, “Infected laptops belonging to maintenance engineers, USB sticks, an unauthorized wireless device, or even a malevolent insider” are among the causes of infection.
2. OT appliances don’t execute antivirus
It may seem apparent, but OT devices cannot run a traditional security client for several reasons related to their architecture and history. As a result, an agentless strategy must be used to obtain visibility on what is happening on an OT device via different methods. The strategy used by various organizations suggests looking straightforward enough: observe network activity without interfering with production.
It functions essentially as a network TAP in OT contexts. It develops an inventory based on the network traffic it is passively monitoring. In addition to having the assets, we need to monitor their usage to create a profile of behaviors.
Ironically, the OT team may refuse to allow the IT department to clear up malware that was identified running on an OT device if they are concerned about service disruption. Organizations frequently observe old infections in OT settings.
3. Asset blindness
The additional advantage of using an agentless strategy is that it provides organizations with complete insight into the devices that are often linked to their networks for the first time. It’s an amazing realization that some organizations have no means of knowing for sure that rogue devices aren’t out there, despite the regulated nature of OT settings.
Organizations may ask crucial questions like, “Why do we have two of these devices when we have no record of acquiring them?” after this asset database has been developed. Or “Why are these devices making an effort to connect to a website?”
The problem is that it’s not as simple as it seems to recognize gadgets. Frequently, it requires a combination of several forms of traffic to determine what a device is. The gadget can be discovered when it emits some kind of beacon since it is always monitored.
This is complicated by the fact that certain PLCs are less “chatty” than others, making identification more difficult. For instance, “Rockwell PLCs interact more frequently than Siemens PLCs. Finding those may be done by ensuring that you are listening constantly.” – Norton
Devices that only operate sometimes and could be missed by a routine asset inventory are known as “sporadic” devices.
4. SoC team
Given the expanding influence of the NIST Cybersecurity Framework and the UK National Cyber Security Centre’s Cyber Assessment Framework, it is governance necessary to ensure that security is as adequate as IT, but this cannot be done with the same resources (CAF).
In IT, there is usually a tier-one security team, comprised of SoC analysts that examine all alarms. That is not found in OT. The IT staff frequently gets in touch with the OT staff.
Because it makes sense, this has caused a convergence where OT security is taken over by IT operations. The issue is that IT professionals struggle to comprehend OT security concerns. What a security incident looks like in OT networks that are connected to IT but not to the Internet itself is the problem at the heart of this.
5. Nobody attends to OT people
You encounter the problem of not being heard in practically every technical specialty. OT is no different, albeit the repercussions could be more severe.
OT staff members frequently only have access to information on the devices connected to their network via an Excel spreadsheet. They do, however, have a greater awareness of how to maintain these networks and the operational hazards associated with other departments tampering with them. The ideal security practice won’t ultimately be to disregard their knowledge.
The OT team is likely to be considered an anomaly in terms of risk management and framework adoption because it is not normally a part of what the broader IT governance looks like. If you are an OT person, the problem is more with getting entirely absorbed by IT than with convergence with IT. In these situations, communication is quite helpful. Technology can assist close the communication gap between the IT and OT teams.
6. A changing risk environment
IIoT and OT are both regarded as cyber-physical systems (CPS), which means that they integrate the physical and digital worlds. This makes any CPS a valuable target for enemies looking to attack the environment or disrupt operations. These attacks are already taking place, as recent shreds of evidence demonstrate. Examples include the TRITON assault on a Middle Eastern chemical factory, which was meant to result in a significant safety catastrophe, and the strikes on the Ukrainian electrical infrastructure. A ransomware strain known as NotPetya nearly brought the world’s shipping capacity to a standstill in 2017 by paralyzing the powerful Maersk shipping line. Before returning to Russia and attacking the national oil business, Rosneft, it also spread to several other companies, including the pharmaceutical giant Merck, FedEx, and several European ones.
A VOIP phone, a business printer, and a video decoder were used by a Russian state-sponsored attack in 2019 as access points into corporate networks from which they sought to raise privileges. Distributed denial-of-service (DDoS) assaults, in which a computer system is overloaded and brought down by an onslaught of traffic, have even been used by attackers to get into corporate networks.
7. The existing model
The Purdue Enterprise Reference Architecture (PERA), often known as the Purdue Model, has served as the de facto organizing framework for enterprise and industrial control system (ICS) network operations since the 1990s. PERA separates the company into different “Levels,” each of which represents a subset of systems. A “demilitarized zone” (DMZ) and a firewall are examples of security measures between each level.
Traditional methods limit Level 3 access from Levels 4, 5, and 6. (and the internet). The lowest two Levels (machinery and process) must maintain their data and communications within the organization’s OT, and only Layer 2 or Layer 3 can communicate with Layers 4 and 5.
The Purdue Model’s recommended hierarchical data flow is no longer followed in our IIoT age. Edge computing has increased the danger of system vulnerability since intelligent sensors and controllers (Levels O, 1) may now interface with the cloud without going through firewalls.
Bringing an organization’s IIoT/OT into full compliance for the cloud age may be accomplished by modernizing this model with Zero Trust principles at Levels 4 and 5.
8. A renewed process
Idaho National Labs (INL) developed a new technique known as consequence-driven cyber-informed engineering (CCE) to address the particular dangers that the IIoT and OT present. Contrary to conventional cybersecurity techniques, CCE prioritizes consequence as the first part of risk management and plans for any effects in advance. According to CCE, your company, whether public or private, should give priority to the following four steps:
- Identify your “most crucial” operations: Focus on safeguarding essential “must-not-fail” operations whose failure might harm safety, functionality, or the environment.
- Map your environment: Analyze all the digital routes that attackers may use. Understand who has access to what, including suppliers, maintenance personnel, and remote employees, and identify all of your linked assets, including IT, IoT, building management systems (BMS), OT, and smart personal gadgets.
- Identify vulnerable paths: Determine attack paths to your most important systems by analyzing vulnerabilities, including potential social engineering techniques and physical access to your premises.
- Mitigate and shield: Consider methods that will enable you to “engineer out” the cyber hazards that pose the greatest dangers. Create segmentation policies based on zero trust to keep IIoT and OT devices apart from other networks. Reduce the number of internet-accessible entry points and patch vulnerabilities in likely attack paths.
9. Assembling the idea into real terms
A return on investment (ROI) for any new software or hardware is in the best interest of your leadership and Board of Directors. Typically, the ROI they want and anticipate is more sales. However, a quarterly statement frequently cannot show the returns on security software. Therefore, cybersecurity experts must provide a convincing argument. The following are some obvious advantages of purchasing IIoT/OT cybersecurity software that you may use in the boardroom:
- Prevent security or establishment expenses: Security lapses at industrial sites for transportation, mining, oil, or other industries can have far worse repercussions than an IT compromise. It is possible to lose lives, and the expenses associated with hazardous cleanup, legal responsibility, and brand harm can total hundreds of millions of dollars.
- Reduce downtime: Downtime results in actual financial losses that affect everyone, from plant employees up to shareholders, as the NotPetya and LockerGoga assaults proved.
- Restrict IP addresses: Numerous businesses, including those in the high-tech, defense, energy, and pharmaceutical sectors, invest millions of dollars in research and development. Million-dollar losses might also result from their intellectual property being taken by rivals or hostile nations.
- Avoid regulatory penalties: Pharmaceuticals, oil and gas, transportation, and the healthcare sector are among the severely regulated industries. They risk receiving hefty fines as a result of an IIoT/OT security breach resulting in property damage or human fatalities.
10. A Forward Step
Today’s CISO is responsible for all aspects of digital security, including IT, OT, IIoT, BMS, and more, to secure the digital estate. This calls for an integrated strategy that incorporates people, processes, and technology. Among the items in a decent starter list are:
- Give the IT and OT teams the freedom to embrace their shared objective of aiding the organization.
- Bring your IT security personnel to the location so they may learn how OT processes work.
- Show OT staff how visibility improves security and efficiency for the cybersecurity team.
- Bring OT and IT together to identify common problems.
We are giving away threat intelligence for free for the next 2 weeks. Find out how you can sign up and try out our threat intelligence feeds
Find out what is lurking in your network. Go for a comprehensive 3-layer threat assessment now