Critical Infrastructure Part 3: OT Security

In Part I of the Critical Infrastructure Series, we covered the importance of protecting the nation’s critical infrastructure (CI) Sectors, why they’re targeted, and how to defend against attack. In Part II, we described the Operational Technology (OT) ecosystem and the importance of its components. In Part III, we cover the threats, common vulnerabilities, and protections concerning the OT ecosystem.

IIoT / OT network and systems continue to be soft targets for adversaries¹.

Why OT Cybersecurity is Important

The OT ecosystem, which consists of industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems, and distributed control systems (DCS) components, provides the backbone of the nation’s CI. Attacks on OT systems continued to escalate.

Attacks on OT systems (ICS, SCADA) have increased by over 2,000% between 2018 and 2020.³ Successful cybersecurity attacks on OT systems can have a significantly more significant business impact than their counterpart on the traditional IT infrastructure and systems. Cybersecurity breaches on OT systems can shut down a company’s manufacturing or production capabilities causing staggering financial losses until the systems can be returned online.

As the OT ecosystem grows, so does the attack surface and associated threat vectors. CI is digitally connected, both locally and worldwide, where attackers have a larger attack surface to exploit CI vulnerabilities. Additionally, the Internet and technologies have allowed attackers to use cyber tactics, techniques, and procedures to conduct cyber-attacks and, in some cases, overshadow physical attacks. However, don’t be swayed that those physical attacks are passe. Physical attacks and ransomware attacks on CI that affects system and facility availability continue to be preferred attack vectors for threat agents.

62% of OT sites have outdated Windows operating systems¹.

OT Systems and Networks: Slow to Upgrade

Many OT systems and networks tend to be more rigid and slow to upgrade, meaning that these systems are behind in cybersecurity updates and upgrades. Specifically, OT systems and networks are very complex to build and operate and extremely costly to acquire or upgrade OT technologies, equipment, and components. Consequently, the OT ecosystem is not upgraded or replaced as frequently or quickly as its counterpart on the IT side. Legacy OT is still in operation.

Also, software patching and hardware upgrades tend to be slow or non-existent due to the potential impact on system function and business operations. For example, a railroad SCADA system may be connecting to a central command center using an obsolete operating system, so the operating system is never upgraded from Windows XP or Windows 7. Sounds familiar, right? Yes, there are OT systems still operating on Windows XP and 7 platforms. Attacks on obsolete operating systems continue to be popular due to the high exploitable success rate.

64% have unencrypted passwords traversing IT and OT networks¹.

Issues With Network Hardening

As with IT networks, OT networks tend to be behind on secure baseline configurations. OT systems and networks also have the usual suspect vulnerabilities, such as unencrypted passwords stored and transmitted, unpatched operation systems, and critical applications accessible from the Internet, just to name a few. Remote access via commonly used protocols, such as Remote Desktop Protocol (RDP) and Secure Shell Protocol (SSH), continues to have exploitable vulnerabilities, which provides the capability to laterally move undetected from an IT network to an OT network. For example, the TRITON attack is considered the first ICS cyber-attack on safety instrument systems in a petrochemical facility.² The attacker used RDP to pivot from the IT network over to the OT network that successfully planted malware.

66% of OT sites are not updating Windows systems with the latest antivirus definitions².

Another issue with hardening is the lack of automatic updates on Windows systems with the latest antivirus definitions. Specifically, Windows is often the platform for ICS, such as workstations used as a central command center or program controllers, or human-machine interfaces (HMI) that control SCADA processes, to name a couple. While the IT side, for the most part, has gained control of endpoint device protection, on the OT side, there is a tendency to allow antivirus to run on Windows-based systems based on the fear that sub-millisecond response times may interfere with real-time OT operations.² While vendors are becoming certified for automated antivirus updates on OT systems; implementation continues to be slow.

OT Protection: What Can Be Done?

OT companies do not need to reinvent the wheel. These organizations must focus on the fundamental security requirements applicable to the IT and OT environments. Of course, this is easier said than done with respect to OT environments. CI companies are battling to balance security safeguards with ensuring that operations and services are not impeded or stopped.

How OT differs from IT is that the focus of OT security is to provide for enhanced prevention, detection, investigation, and mitigation capabilities. No organization can prevent attacks or compromises 100 percent of the time, but a good prevention capability will significantly reduce the probability of breaches. Most notable is the ability to detect and quickly investigate any abnormal behavior or breaches of OT systems and networks. The OT organization should have strong forensic capabilities that allow for timely and accurate characteristics of the attack.

IT systems and OT systems are converging and it hasn’t gone unnoticed.

Cybersecurity Vulnerabilities for OT Ecosystems

The rising trend of attacks on the OT ecosystem will continue to rise. Cybersecurity vulnerabilities related to OT that were detected in 2020 were 49% more than those detected in 2019.⁴ It is critical for OT organizations to have real-time visibility into their critical systems, along with the capability to communicate suspicious, (i.e., malicious) or abnormal (i.e., non-man made) activity in a timely manner. While the solutions to enhance the response process are technology-heavy, they do require mature and disciplined processes in place to ensure that security events or incidents are evaluated and that individuals within the organization make informed risk-based decisions.

The Cybersecurity and Infrastructure Security Agency (CISA) under the Department of Homeland Security (DHS) provides excellent resources and education for understanding more about securing ICS, SCADA, and DCS systems. If you are interested in learning more about how you can protect your OT systems and networks, please feel free to contact our experts for assistance at SecureStrux. We have cybersecurity professionals with experience conducting assessments and providing advisory services for OT environments.

Citations

1. CyberX, 2020 Global IoT/ICS Risk Report, 2020, retrieved from https://cyberx-labs.com/wp-content/uploads/2020/09/CYBX_2020_Risk-Report.pdf
2. Di Pinto, Alessandro; Dragoni, Younes; Carcano, Andrea, 2018, TRITON: The First ICS Cyber Attack on Safety Instrument Systems – Understanding the Malware, Its Communications and Its OT Payload, Black Hat USA 2018 – Research Paper
3. Bisson, David, Attacks Targeting ICS & OT Assets Grew 2000% Since 2018, Report Reveals, 2020, retrieved from Tripwire, Attacks Targeting ICS & OT Assets Grew 2000PC Since 2018 (tripwire.com)

Industrial Cyber, Ransomware, ICS incidents rule in 2020, IBM reveals, 2021, retrieved from https://industrialcyber.co/news/ransomware-ics-incidents-rule-in-2020-ibm-reveals/