OT Security Risks Are Worse Than Ever: Here’s How You Fight Them


The convergence of IT and OT has come so far that – in a recent blog post – the SANS Institute recommended dropping the “IT/OT” nomenclature entirely. Judging by the state of OT today, it’s a reasonable suggestion: over 65% of industrial control systems (ICS) are linked to enterprise or third-party networks, shrinking the “air gap” which has historically defended them.

This connectivity hasn’t come without a cost – on the contrary, OT systems have never been more vulnerable than they are now. According to SANS, the percentage of control systems that experienced three or more incidents increased from 35.3% in 2017 to 57.7% in 2019. We’ve written about quite a few of them, from the BlackEnergy malware which took down swaths of the Ukrainian power grid in 2015 to the Triton attack which hit industrial facilities in 2019.

By now, everyone knows that organizations with OT infrastructure are at risk. In our last blog post, we talked about the top ICS risks that organizations should watch out for in 2020. In this post, we’re zooming out to explain the nature of OT risks more generally and strategies for beating them.

The Threat-Sources Behind OT Attacks

From the perspective of technology, it’s easy to understand why OT is more vulnerable than ever: integration with IT generally means more attack vectors. But just who is targeting OT systems, and what’s enabling them? There are three primary threat sources:

  • Insider threats – insider threats come in one of three shades: the careless insider compromises an organization through lack of digital hygiene, the unwitting insider is manipulated through social engineering, and the malicious insider deliberately sabotages their own organization for spite or profit. A significant percentage of OT security incidents involve insiders.
  • Targeted attacks – thanks to the dark web and the increased availability of advanced hacking tools, the number of hackers with the chops to successfully target an organization has risen. According to SANS, growth in OT attacks is largely attributable to foreign actors who are motivated by destruction or disruption.
  • Malware – since Stuxnet hit Iranian uranium enrichment processing in 2010, malware targeting OT systems has become alarmingly effective. It is often – but not always – connected with a targeted attack. Triton malware is stealthy and manages to bypass multiple security controls; strains of ransomware capable of infecting ICS have also been discovered.

The Risks of An OT Attack

Attacks on control systems can accomplish many things, none of them good. Limiting the scope of risk to those that directly impact an organization, they include:

  • Data theft – exposing operationally significant data to intruders and leaking proprietary information like intellectual property.
  • Operational disruption – causing infrastructure to function improperly or even shut down. This may pose significant risk to human life and safety within operating facilities.
  • Financial loss – with the rise of ICS ransomware, an OT attack can directly rob an organization. Beyond that, the cost to remediate any incident may be high, and extended periods of disruption can cause a loss in revenue.

Beyond an organization’s people and bottom line, it goes without saying that OT systems control a nation’s infrastructure, meaning that any security incident can potentially affect millions of people.

Dealing with OT Risks: Three Steps

The principles behind OT risk management are not difficult to understand. They share many things in common with – and overlap – the risk management strategies used in IT for decades. Risks to OT permeate through an organization and must be addressed at every level of the enterprise.

1. Implement Perimeter Security

Malware targeting OT – wherever it originates – must spread through the IT chain connected with control systems. Beginning with the devices closest to OT, secure these networks using traditional methods and work towards routers and other peripherals at the edge of your organization.

  • Use vulnerability analysis to find and prioritize areas of weakness. Validate those weaknesses using penetration tests and remediate according to the level of risk.
  • Take inventory of the IT chain, and – wherever possible – reduce the number of routes to OT by eliminating unnecessary connections or devices.
  • Invest in personnel training to raise awareness of cyber hygiene and prevent social engineering attacks.

In general, lack of collaboration between OT and IT drives the risk of IT/OT convergence: bringing these teams together can ensure that there is no conflict of interest between OT and the rest of an organization’s infrastructure.

2. Solidify OT Architecture

In an ideal world, organizations would build OT from the ground up following validated architecture plans reviewed and approved by security professionals and the appropriate regulatory authority. In reality, existing OT often predates modern security concerns and total redesign may be prohibitively expensive. Nevertheless, changes can be made to improve the security of OT architecture:

  • Move away from legacy or open-source protocols: legacy protocols may not receive patches when new vulnerabilities are discovered. Open-source protocols are well understood by attackers and make for easy targets.
  • Adopt a zero-trust policy towards IIoT, segmenting SCADA and ICS networks with perimeters to reduce attackers’ lateral movement.
  • Adopt air gaps wherever possible: air-gapping is still the most reliable way to protect OT. If integration with IT is not necessary or mission critical, reverse it, or consider data diodes, which physically permit traffic in one direction only and so eliminate bi-directional paths into the control network.
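Steps 1 and 2 both come down to the same question: which routes exist from the enterprise network into the control network, and which of them bypass a defended perimeter? The Python below is an added example written for this post, not Securicon’s tooling. It models a constructed inventory of hosts, zones and firewall-permitted flows, enumerates every path from the enterprise zone into the control zone, flags the paths that never cross a DMZ host (the segmentation violation step 2 describes), and shows how the inventory looks once those hops are cut. Every host name, zone and flow is invented for illustration.

```python
"""Enumerate routes from the enterprise network into the control network and
flag those that bypass the DMZ. Constructed example: every host, zone and flow
below is invented for illustration, not taken from any real inventory."""
from collections import defaultdict

# Constructed inventory: host name -> security zone.
ZONES = {
    "erp-server": "enterprise",
    "office-pc-17": "enterprise",
    "historian": "dmz",
    "jump-host": "dmz",
    "hmi-01": "control",
    "eng-ws-01": "control",
    "plc-01": "control",
}

# Constructed firewall-permitted flows (source host, destination host).
FLOWS = [
    ("erp-server", "historian"),
    ("historian", "hmi-01"),
    ("office-pc-17", "jump-host"),
    ("jump-host", "eng-ws-01"),
    ("eng-ws-01", "plc-01"),
    ("hmi-01", "plc-01"),
    ("office-pc-17", "plc-01"),  # a leftover direct rule into the control zone
]


def build_graph(flows):
    """Adjacency list of permitted flows, in inventory order."""
    graph = defaultdict(list)
    for src, dst in flows:
        graph[src].append(dst)
    return graph


def routes_into_control(zones, flows):
    """Every simple path that starts at an enterprise host and ends at the
    first control-zone host it reaches. Each path is a route an intruder on
    the enterprise network could use to enter OT."""
    graph = build_graph(flows)
    paths = []

    def walk(node, path):
        for nxt in graph.get(node, []):
            if nxt in path:  # avoid cycles
                continue
            route = path + [nxt]
            if zones[nxt] == "control":
                paths.append(route)
            else:
                walk(nxt, route)

    for host, zone in zones.items():
        if zone == "enterprise":
            walk(host, [host])
    return paths


def entry_points(zones, flows):
    """Control-zone hosts reachable from the enterprise zone."""
    return sorted({path[-1] for path in routes_into_control(zones, flows)})


def paths_bypassing_dmz(zones, flows):
    """Routes into OT that never pass through a DMZ host: these violate the
    segmentation step and are the first flows to remove."""
    return [p for p in routes_into_control(zones, flows)
            if not any(zones[h] == "dmz" for h in p)]


def remove_flows(flows, unwanted):
    """Return the flow list with the given (src, dst) pairs dropped."""
    unwanted = set(unwanted)
    return [f for f in flows if f not in unwanted]


if __name__ == "__main__":
    for route in routes_into_control(ZONES, FLOWS):
        print(" -> ".join(route))
    bad = paths_bypassing_dmz(ZONES, FLOWS)
    print("routes bypassing the DMZ:", bad)
    # Cut the hop that crosses into the control zone on each bad route, then
    # confirm that the remaining entry points all sit behind the DMZ.
    trimmed = remove_flows(FLOWS, [(p[-2], p[-1]) for p in bad])
    print("entry points after cleanup:", entry_points(ZONES, trimmed))
```

In a real review the inventory would be exported from the firewall rulebase and asset register rather than typed in, but the check is the same: every route into the control zone should pass through a DMZ host, and the number of entry points should be the smallest the operation can tolerate.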

3. Incident Response Strategy

In the event of a successful OT attack, organizations can mitigate harm significantly by developing a robust incident response strategy. In summary, the plan should include steps to:

  • If possible, isolate the affected systems to prevent further harm, identify the threat source and remove it.
  • Record and document an ongoing attack for later analysis and review.
  • Reduce harm by resetting affected systems’ passwords and user profiles.
  • Inform stakeholders and implement measures to prevent future incidents.

During an attack, every second counts and knowing what to do ahead of time can make a world of difference. For more detail, check out our recent blog post on disaster recovery and response.

The Need for Expertise

When it comes to preventing OT attacks, no method of security is more reliable than cyber threat hunting which allows organizations to discover and eliminate attack vectors before they are exploited.

Unfortunately, threat hunting requires expertise, and – with the scarcity of available ICS security expertise – that’s hard to come by. Fortunately, some of those experts are employed by Securicon. With years of education and experience in critical infrastructure, nobody is better equipped to discover vulnerabilities and maximize safety in modern OT systems. To learn more, contact us today.

The Difference Between IT and OT, and How They Are Converging


Every system is susceptible to failure or manipulation, and that is why all technology in the enterprise must be carefully secured. Depending on the type of technology, however, different approaches to security are required: guarding a computer with guns will not prevent it from being hacked. Likewise, anti-virus software will not protect a car.

At least, that’s how things used to be. More recently, the kinds of technology that support industry, business and personal productivity have started to converge on the level of software and networking, and security requirements are changing in response.

For instance: historically, the field of cybersecurity has applied exclusively to information technology (IT). Now, it increasingly applies to operational technology (OT) as well. So what is the difference between IT and OT, and how are they converging? In this article, we will explore that question.

What is IT?

IT stands for “information technology,” and the keyword here is “information”. According to Gartner, IT is:

“The entire spectrum of technologies for information processing, including software, hardware, communications technologies and related services.”

In the history of business, IT is very recent: prior to the existence of computers, it did not exist. Since then – and especially with the advent of the Internet – IT has increasingly become inseparable from business processes including decision-making and strategy, collaboration, sales and customer service.

Here are examples of the IT that an organization relies on every day:

  • Local and wide area networks
  • Data centers and data processing, including the cloud
  • Sales management software
  • Project management
  • Email and calendar

As time goes on, IT absorbs or consolidates more and more business functions, and today the majority of technology within an organization falls into the category of IT. But there are some exceptions, and OT is one of them.

What is OT?

OT stands for “operational technology,” and – as the name implies – it supports the operation of other systems. According to Gartner, OT is:

“Hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.”

This technology is critical in industrial applications that involve the use of heavy machinery, physical processes and fleets. Examples include:

  • Manufacturing
  • Transportation services
  • Public infrastructure
  • Energy production, transmission and distribution
  • Ventilation and heating

From a purely technological standpoint, the major difference between IT and OT involves information scope. According to Gartner, “IT does not include embedded technologies that do not generate data for enterprise use,” while OT does: but this distinction is beginning to disappear.

The OT/IT Convergence

While the term OT was invented relatively recently, what it refers to predates IT by many decades. Prior to the existence of microprocessors and programming environments, factories, utilities and production facilities still required technology to control operations.

Since the invention of IT, most OT assets have depended on Programmable Logic Controllers (PLCs) that use proprietary code and lack any networking protocols to connect or communicate with other devices.

Today, this physical isolation is quickly vanishing with the introduction of Remote Terminal Units (RTUs), Human Machine Interfaces (HMIs) and wide area Supervisory Control and Data Acquisition (SCADA) systems.

Gartner predicts that by 2020, 50% of OT providers will collaborate with IT leaders to provide IoT services that bring network connectivity into the OT environment. While these developments bring many advantages, they also bring added risk.

Pros and Cons

On one hand, the IT/OT convergence is bringing capabilities to organizations which they did not have before, driving more efficient processes and lower costs in many ways:

  • Enables real-time/edge data processing and analysis
  • Permits systems to be supervised, managed and adjusted off-premise
  • Allows fast software updates that fix problems quickly

On the other hand, OT is now exposed to network access, becoming vulnerable to the same issues that have plagued IT for years, leading to data breaches, espionage and hijacking. Moreover, OT allows attackers to cause significant damage:

With so much of our national infrastructure at risk, locking down OT should be an immediate priority for any organization. Fortunately, solutions exist, though they are not widely talked about.

The Need for Cybersecurity

In recent years, attention has been drawn to cybersecurity in many contexts as data breaches and cyberattacks achieve wide publicity, but OT remains dramatically underemphasized. A study conducted this year shows that 90% of OT organizations have fallen victim to a cyberattack within the last 24 months.

As OT and IT converge, the right approach to security mainly differs in emphasis: the fundamentals are the same. Strong authentication, encrypted network connections, persistent monitoring and audits, penetration and vulnerability testing are all tools that can keep OT systems safe.
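Of the fundamentals listed above, persistent monitoring is the one that translates least directly from IT, because the protocols on the wire are different. The Python below is an added example written for this post, not Securicon’s product. It parses constructed connection-log lines for Modbus/TCP traffic (TCP port 502) and raises an alert when a write function code (5, 6, 15, 16 or 23) comes from a host that is not an approved engineering workstation or HMI, or when any traffic towards a controller comes from a host that is missing from the asset inventory. The log-line format, the addresses and the allow-lists are invented; the Modbus function codes and port are the standard ones.

```python
"""Flag Modbus/TCP write commands from unapproved hosts and traffic from
unknown hosts. Constructed example: the log-line format, addresses and
allow-lists below are invented for illustration."""
import re
from dataclasses import dataclass

# Standard Modbus function codes that change controller state:
# 5 write single coil, 6 write single register, 15 write multiple coils,
# 16 write multiple registers, 23 read/write multiple registers.
MODBUS_WRITE_FCS = {5, 6, 15, 16, 23}
MODBUS_PORT = 502

# Constructed log format: "<timestamp> src=<ip> dst=<ip> dport=<port> fc=<code>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) fc=(?P<fc>\d+)$"
)

# Constructed asset inventory and allow-list for the control network.
KNOWN_HOSTS = {"10.20.0.11", "10.20.0.12", "10.10.5.4", "10.30.0.5"}
APPROVED_WRITERS = {"10.20.0.11", "10.20.0.12"}  # engineering workstation, HMI

# Constructed sample log: one approved write, two reads, one write from the
# historian (not approved to write), one read from an unknown host, one
# malformed line.
SAMPLE_LOG = [
    "2020-03-02T08:15:01Z src=10.20.0.11 dst=10.30.0.5 dport=502 fc=16",
    "2020-03-02T08:15:02Z src=10.20.0.12 dst=10.30.0.5 dport=502 fc=3",
    "2020-03-02T08:15:03Z src=10.10.5.4 dst=10.30.0.5 dport=502 fc=3",
    "2020-03-02T08:15:04Z src=10.10.5.4 dst=10.30.0.5 dport=502 fc=16",
    "2020-03-02T08:15:05Z src=10.99.9.9 dst=10.30.0.5 dport=502 fc=3",
    "garbage line that the collector could not format",
]


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    reason: str


def parse_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    rec = match.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["fc"] = int(rec["fc"])
    return rec


def analyse(lines, known=KNOWN_HOSTS, writers=APPROVED_WRITERS):
    """Walk the log and return (alerts, number_of_unparseable_lines)."""
    alerts, skipped = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # count rather than silently drop; a burst is itself a signal
            continue
        if rec["dport"] != MODBUS_PORT:
            continue
        if rec["src"] not in known:
            alerts.append(Alert(rec["ts"], rec["src"], rec["dst"], "unknown_source"))
            continue
        if rec["fc"] in MODBUS_WRITE_FCS and rec["src"] not in writers:
            alerts.append(Alert(rec["ts"], rec["src"], rec["dst"], "unauthorized_write"))
    return alerts, skipped


if __name__ == "__main__":
    found, bad_lines = analyse(SAMPLE_LOG)
    for alert in found:
        print(f"{alert.ts} {alert.reason}: {alert.src} -> {alert.dst}")
    print(f"{bad_lines} line(s) could not be parsed")
```

The two rules are deliberately simple: an allow-list of hosts that may write to controllers, and an inventory of hosts that may talk to them at all. Both depend on the asset inventory being accurate, which is why the inventory step in the previous post comes before monitoring.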

The key for securing OT is to design and implement a series of cascading controls that use network security, operating system security, application and device security to ensure that no single weakness can allow a critical compromise. To protect your investment and keep your customers safe, choose a partner who can do it all.

Securicon’s risk management solutions are based on the industry standards for safety and professionalism. With years of experience in IT and OT critical infrastructure, we are here to protect your organization and ensure the highest quality of compliance. Contact us for more information on securing your IT and OT environments.