The convergence of IT and OT has come so far that – in a recent blog post – the SANS Institute recommended dropping the “IT/OT” nomenclature entirely. Judging by the state of OT today, it’s a reasonable suggestion: over 65% of industrial control systems (ICS) are linked to enterprise or third-party networks, shrinking the “air gap” which has historically defended them.

This connectivity hasn’t come without a cost – on the contrary, OT systems have never been more vulnerable than they are now. According to SANS, the percentage of control systems that experienced three or more incidents increased from 35.3% in 2017 to 57.7% in 2019. We’ve written about quite a few of them, from the BlackEnergy malware which took down swaths of the Ukrainian power grid in 2015 to the Triton attack which hit industrial facilities in 2019.

By now, everyone knows that organizations with OT infrastructure are at risk. In our last blog post, we talked about the top ICS risks that organizations should watch out for in 2020. In this post, we’re zooming out to explain the nature of OT risks more generally and strategies for beating them.

The Threat-Sources Behind OT Attacks

From the perspective of technology, it’s easy to understand why OT is more vulnerable than ever: integration with IT generally means more attack vectors. But just who is targeting OT systems, and what’s enabling them? There are three primary threat sources:

• Insider threats – insider threats come in one of three shades: the careless insider compromises an organization through lack of digital hygiene, the unwitting insider is manipulated through social engineering, and the malicious insider deliberately sabotages their own organization for spite or profit. A significant percentage  of OT security incidents involve insiders.
• Targeted attacks – thanks to the dark web and the increased availability of advanced hacking tools, the number of hackers with the chops to successfully target an organization has risen. According to SANS, growth in OT attacks is largely attributable to foreign actors who are motivated by destruction or disruption.
• Malware – since Stuxnet hit Iranian uranium enrichment processing in 2010, malware targeting OT systems has become alarmingly effective. It is often – but not always – connected with a targeted attack. Triton malware is stealthy and manages to bypass multiple security controls; strains of ransomware capable of infecting ICS have also been discovered.

The Risks of An OT Attack

Attacks on control systems can accomplish many things, none of them good. Limiting the scope of risk to those that directly impact an organization, they include:

• Data theft – exposing operationally significant data to intruders and leaking proprietary information like intellectual property.
• Disrupt operations – leading infrastructure to function improperly or even shut down. This may cause significant risk to human life and safety within operating facilities.
• Financial loss – with the rise of ICS ransomware, an OT attack can directly rob an organization. Beyond that, the cost to remediate any incident may be high, and extended periods of disruption can cause a loss in revenue.

Beyond an organization’s people and bottom line, it goes without saying that OT systems control a nation’s infrastructure meaning that any security incident can potentially affect millions of people.

Dealing with OT Risks: Three Steps

The principles behind OT risk management are not difficult to understand. They share many things in common with – and overlap – the risk management strategies used in IT for decades. Risks to OT permeate through an organization and must be addressed at every level of the enterprise.

1. Implement Perimeter Security

Malware targeting OT – wherever it originates – must spread through the IT chain connected with control systems. Beginning with the devices closest to OT, secure these networks using traditional methods and work towards routers and other peripherals at the edge of your organization.

• Use vulnerability analysis to find and prioritize areas of weakness. Validate those weaknesses using penetration tests and remediate according to the level of risk.
• Take inventory of the IT chain, and – wherever possible – reduce the number of routes to OT by eliminating unnecessary connections or devices.
• Invest in personnel training to raise awareness of cyber hygiene and prevent social engineering attacks.

In general, lack of collaboration between OT and IT drives the risk of IT/OT convergence: bringing these teams together can ensure that there is no conflict of interest between OT and the rest of an organization’s infrastructure.

2. Solidify OT Architecture

In an ideal world, organizations would build OT from the ground up following validated architecture plans reviewed and approved by security professionals and the appropriate regulatory authority. In reality, existing OT often predates modern security concerns and total redesign may be prohibitively expensive. Nevertheless, changes can be made to improve the security of OT architecture:

• Move away from legacy or open-source protocols: legacy protocols may not receive patches when new vulnerabilities are discovered. Open-source protocols are well understood by attackers and make for easy targets.
• Adopt a zero-trust policy towards IIoT, segmenting SCADA and ICS networks with perimeters to reduce the lateral mobility of attackers.
• Adopt air gaps wherever possible: air-gapping is still the most reliable way to protect OT. If integration with IT is not necessary or mission critical, reverse it, or consider data diodes to limit bi-directional traffic.

3. Incident Response Strategy

In the event of a successful OT attack, organizations can mitigate harm significantly by developing a robust incident response strategy. In summary, the plan should include steps to:

• If possible, isolate the affected systems to prevent further harm, identify the threat source and remove it.
• Record and document an ongoing attack for later analysis and review.
• Reduce harm by resetting affected systems’ passwords and user profiles.
• Inform stakeholders and implement measures to prevent future incidents.

During an attack, every second counts and knowing what to do ahead of time can make a world of difference. For more detail, check out our recent blog post on disaster recovery and response.

The Need for Expertise

When it comes to preventing OT attacks, no method of security is more reliable than cyber threat hunting which allows organizations to discover and eliminate attack vectors before they are exploited.

Unfortunately, threat hunting requires expertise, and – with the scarcity of available ICS security expertise – that’s hard to come by. Fortunately, some of those experts are employed by Securicon. With years of education and experience in critical infrastructure, nobody is better equipped to discover vulnerabilities and maximize safety in modern OT systems. To learn more, contact us today