As usual, financial gain is the biggest motivation behind cyberattacks on operational technology. About 80% of OT environments were hit by ransomware last year. Etay Maor, senior director of security strategy for Cato Networks, discusses how aging technology, infrequent patching made difficult by the risk of work stoppages, and limited security resources make OT systems vulnerable, and how organizations can mitigate these challenges.
Much has changed for operational technology (OT) in the past decade. The rising demand for improved connectivity of systems, faster maintenance of equipment and better insights into utilization of resources has given rise to internet-enabled OT systems, which include industrial control systems (ICS) and others such as supervisory control and data acquisition (SCADA) systems, distributed control systems (DCSs), remote terminal units (RTUs), and programmable logic controllers (PLCs).
With everything becoming internet-facing and cloud-managed, the manufacturing and critical infrastructure sectors (i.e., healthcare, pharma, chemicals, power generation, oil production, transportation, defense, mining, food and agriculture) are becoming exposed to threats that may be more profound than data breaches. Gartner believes that by 2025 threat actors will weaponize OT environments to successfully harm or kill humans.
Why Operational Technology Environments Are Getting Attacked
According to SANS research, there are four key reasons why cyber criminals attack OT and industrial control system (ICS) environments: ransomware or financial crimes; state-sponsored attacks that cause wide-scale disruption like NotPetya (credited with causing massive collateral damage and the world's first power blackouts); attacks by non-state actors for terrorism or hacktivism (e.g., the Oldsmar, FL water treatment facility hack); and attacks on devices and things that cannot protect themselves. Financial crime is the biggest driver, with 80% of OT environments experiencing a ransomware attack last year.
What Makes OT Systems So Vulnerable To Attacks?
A number of reasons make OT/ICS environments vulnerable:
- Aging technology: Many OT systems were built decades ago when most devices were air-gapped and nobody was too concerned about cybersecurity, encryption or authentication. It is estimated that 71% of systems have outdated or unsupported operating systems, 66% have no automatic updates, and 64% have unencrypted passwords.
- Difficult or infrequent patching: While 65% of vulnerabilities have a patch available, it is extremely difficult for organizations to patch systems regularly due to the associated risk of downtime. Most critical infrastructure and ICS environments operate round the clock; they cannot be taken offline, and they cannot risk applying untested patches that may have downstream ecosystem impacts or the potential to disrupt the overall system.
- Inherent vulnerabilities: The number of reported vulnerabilities in ICS environments is doubling every year.
- Remotely exploitable: Almost 70% of all operational environments have one or more remote access or external connections to third parties like internet providers, service providers and others.
- Weak passwords: OT devices lack strong authentication, and credentials can easily be guessed or brute forced by cybercriminals. Earlier this year, CISA warned that cybercriminals were gaining access to internet-exposed UPS devices through unchanged default usernames and passwords.
- Limited security resources: 47% of ICS organizations do not have an internal team dedicated 24×7 to managing OT/ICS incidents. There is also a lack of alignment between IT and OT security teams.
How Can Organizations Prevent OT/ICS Cyber Attacks?
We need to fundamentally change our thinking in terms of how we build these systems and whether or not they should be so readily accessible. Here are best practices that can help:
1. Align security controls to the process, not to technology
Legacy cybersecurity approaches are predicated around protecting technology, but this approach becomes irrelevant with internet-facing OT. This can be easily demonstrated with the Purdue model, where historically, information flows from level zero to level one to level two and back. It did not have to flow through a network but through machines connected to networks. Security teams have to lock these machines down to secure their infrastructure. Today, with the proliferation of ethernet on the manufacturing floor, any level can communicate with the external world; hence, this approach has become obsolete. Enterprises must instead follow a micro-segmentation approach where security can be layered on each functional area within the process to contain any attack.
2. Deploy granular access based on identities and applications
With more and more ICS networks embracing the benefits of the cloud, the perimeter is no longer the defensible position it once was. Studies show that Level 3 of the Purdue Model (which processes data from the cloud or higher-level business systems) has the most vulnerabilities. Moreover, the rise of remote work and the growing use of remote administration applications like VNC (Virtual Network Computing) and RDP (Remote Desktop Protocol) requires a strong identity and access management solution that does not extend too much trust to authorized users. Leveraging SASE (secure access service edge), which converges SD-WAN (software-defined wide area networking) and SSE (security service edge) into a global cloud service, is one way enterprises can manage, control and monitor the connectivity of data centers, branches and edges and implement a never trust, always verify approach.
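The two practices above, micro-segmentation by functional area and identity-aware access for remote administration, can be expressed as a single default-deny policy. The evaluator below is an added example written for this page, not code from the article or from Cato Networks. It models each process area as a zone with only explicitly named conduits between zones, and treats RDP/VNC/SSH sessions as allowed only when the conduit exists and the caller's verified identity and MFA status satisfy it. Zone names, protocols, identities and the policy itself are constructed for illustration.

```python
"""Default-deny zone/conduit policy for a Purdue-style OT network.

Added example, not from the original article.  Every zone-to-zone flow is
denied unless a conduit names it; remote-administration protocols are
additionally gated on a permitted identity that has completed MFA.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

REMOTE_ADMIN = frozenset({"rdp", "vnc", "ssh"})


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    protocol: str
    identity: Optional[str] = None  # authenticated user, if the session has one
    mfa: bool = False               # whether that identity completed MFA


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    protocols: FrozenSet[str]
    # Identities allowed to use this conduit for REMOTE_ADMIN protocols.
    admin_identities: FrozenSet[str] = frozenset()


# Constructed policy: each cell is its own zone.  A flat floor network would
# let cell A reach cell B's PLC directly; here no such conduit exists.
POLICY: List[Conduit] = [
    Conduit("L3-site-ops", "L2-cell-A", frozenset({"opc-ua"})),
    Conduit("L3-site-ops", "L2-cell-B", frozenset({"opc-ua"})),
    Conduit("L2-cell-A", "L1-plc-A", frozenset({"modbus"})),
    Conduit("L2-cell-B", "L1-plc-B", frozenset({"modbus"})),
    Conduit("L3.5-jump-host", "L2-cell-A", frozenset({"rdp", "vnc"}),
            admin_identities=frozenset({"ot-engineer-1"})),
]


def evaluate(flow: Flow, policy: List[Conduit] = POLICY) -> Tuple[bool, str]:
    """Return (allowed, reason).  Absence of a conduit means deny."""
    matches = [
        c for c in policy
        if (c.src_zone, c.dst_zone) == (flow.src_zone, flow.dst_zone)
        and flow.protocol in c.protocols
    ]
    if not matches:
        return False, "no conduit between these zones for this protocol (default deny)"
    if flow.protocol in REMOTE_ADMIN:
        # Application- and identity-aware: the conduit alone is not enough.
        if not any(flow.identity in c.admin_identities for c in matches):
            return False, f"identity {flow.identity!r} not permitted to use {flow.protocol} on this conduit"
        if not flow.mfa:
            return False, f"{flow.identity} must complete MFA before {flow.protocol} is allowed"
    return True, f"matched conduit {flow.src_zone} -> {flow.dst_zone} for {flow.protocol}"


def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Evaluate a batch of observed flows and return the denied ones with reasons."""
    return [(f, reason) for f in flows for ok, reason in [evaluate(f)] if not ok]


if __name__ == "__main__":
    # Constructed sample of observed flows, including lateral movement between cells.
    observed = [
        Flow("L3-site-ops", "L2-cell-A", "opc-ua"),
        Flow("L2-cell-A", "L1-plc-B", "modbus"),
        Flow("L3.5-jump-host", "L2-cell-A", "rdp", identity="ot-engineer-1", mfa=True),
        Flow("L3.5-jump-host", "L2-cell-A", "vnc", identity="contractor-7", mfa=True),
        Flow("L1-plc-A", "internet", "https"),
    ]
    for flow, reason in audit(observed):
        print(f"DENY {flow.src_zone} -> {flow.dst_zone} {flow.protocol}: {reason}")
```

The important design choice is that denial is the result of *not* finding a rule, rather than of finding a block rule; a new device or protocol on the floor therefore has no connectivity until someone deliberately documents the conduit, which is what contains an attacker who has landed in one cell.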
3. Ensure everyone is a stakeholder
Industrial security is a team sport. You need vast experience and knowledge spanning many different disciplines: chemical engineering, process engineering, mechanical engineering, electrical engineering, human psychology, cybersecurity, industrial networking, traditional networking and cloud services. Since most threat actors tend to live off the land before they reveal themselves, it is important for security teams to have a pulse on not just cyber variables but also process variables and physical variables like temperature, pressure, flow, movement, time, etc.
Employees, vendors, partners, asset owners, engineering teams and operators are jointly needed to mitigate potential threats and deliver effective incident response.
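Watching cyber variables and process variables together, as the section above recommends, means joining a network-side record of commands with a physical-side record of what the plant actually did. The detector below is an added example written for this page, not code from the article. It parses two constructed event streams (setpoint writes seen by a passive ICS sensor, and temperature readings from a historian), flags writes from an unexpected source or outside engineered bounds, and, when a reading leaves its safe band, looks back through recent writes so the excursion can be attributed to the command that preceded it or flagged as having no observed cause at all. The log format, addresses, tag names, thresholds and correlation window are all constructed.

```python
"""Joining control-network commands with process telemetry.

Added example, not from the original article.  Two constructed streams are
correlated on time so that a physical excursion is either attributed to a
preceding setpoint write or flagged as having no observed command behind it.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed log lines.  Times are seconds since the start of the shift.
NETWORK_LOG = """\
t=100 proto=modbus fc=write src=10.10.1.20 unit=plc-a reg=temp_setpoint value=80
t=400 proto=modbus fc=write src=10.10.1.20 unit=plc-a reg=temp_setpoint value=82
t=700 proto=modbus fc=write src=10.10.9.77 unit=plc-a reg=temp_setpoint value=118
"""

TELEMETRY_LOG = """\
t=40 unit=plc-a tag=reactor_temp value=58.7
t=110 unit=plc-a tag=reactor_temp value=80.4
t=410 unit=plc-a tag=reactor_temp value=81.9
t=650 unit=plc-a tag=reactor_temp value=82.1
t=760 unit=plc-a tag=reactor_temp value=109.5
t=820 unit=plc-a tag=reactor_temp value=117.2
"""

# Constructed engineering context: who may write setpoints, and the safe bands.
AUTHORIZED_WRITERS = {"10.10.1.20"}          # the engineering workstation
SETPOINT_LIMIT = {"temp_setpoint": (60.0, 100.0)}
SAFE_RANGE = {"reactor_temp": (60.0, 100.0)}
CORRELATION_WINDOW = 300                      # seconds to look back for a cause

KV = re.compile(r"(\w+)=(\S+)")
NO_LIMIT = (float("-inf"), float("inf"))


def parse(log: str) -> List[dict]:
    """Turn key=value lines into dicts with numeric t and value fields."""
    events = []
    for line in log.splitlines():
        e = dict(KV.findall(line))
        e["t"] = int(e["t"])
        if "value" in e:
            e["value"] = float(e["value"])
        events.append(e)
    return events


@dataclass
class Alert:
    t: int
    kind: str
    detail: str


def detect(network_log: str, telemetry_log: str) -> List[Alert]:
    writes = [e for e in parse(network_log) if e.get("fc") == "write"]
    readings = parse(telemetry_log)
    alerts: List[Alert] = []

    # Cyber-side checks on each command.
    for w in writes:
        if w["src"] not in AUTHORIZED_WRITERS:
            alerts.append(Alert(w["t"], "unauthorized_writer",
                                f"{w['src']} wrote {w['reg']}={w['value']:g} on {w['unit']}"))
        lo, hi = SETPOINT_LIMIT.get(w["reg"], NO_LIMIT)
        if not lo <= w["value"] <= hi:
            alerts.append(Alert(w["t"], "setpoint_out_of_bounds",
                                f"{w['reg']}={w['value']:g} outside [{lo:g}, {hi:g}]"))

    # Physical-side checks, joined back to the command stream.
    for r in readings:
        lo, hi = SAFE_RANGE.get(r["tag"], NO_LIMIT)
        if lo <= r["value"] <= hi:
            continue
        recent = [w for w in writes
                  if w["unit"] == r["unit"] and r["t"] - CORRELATION_WINDOW <= w["t"] <= r["t"]]
        if recent:
            w = recent[-1]  # most recent write is the likeliest cause
            alerts.append(Alert(r["t"], "excursion_after_write",
                                f"{r['tag']}={r['value']:g} follows write {w['reg']}={w['value']:g} "
                                f"from {w['src']} at t={w['t']}"))
        else:
            # The plant moved with no command on the monitored network:
            # an unmonitored path, a local change, or a sensor problem.
            alerts.append(Alert(r["t"], "excursion_without_write",
                                f"{r['tag']}={r['value']:g} with no write in the last "
                                f"{CORRELATION_WINDOW}s"))
    return sorted(alerts, key=lambda a: a.t)


if __name__ == "__main__":
    for a in detect(NETWORK_LOG, TELEMETRY_LOG):
        print(f"t={a.t:<4} {a.kind:<24} {a.detail}")
```

Run on the constructed streams, the t=700 write produces two cyber alerts on its own, and the two readings that follow it are attributed to that write rather than being reported as unexplained process faults; the low reading at t=40, which no command explains, is surfaced separately so the process engineers can decide whether it is benign.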
Industrial environments must always be safe, secure, and operational. Safety should be treated as one of the most foundational elements alongside availability, integrity, and confidentiality.