How to Protect Your Operational Technology (OT) in 2023

Posted on
OT Security
OT Security

Oil and gas, manufacturing, energy distribution and critical infrastructure – what do all these industries have in common? Aside from their indispensability, they all rely on operational technology (OT) such as industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices.  

Collectively, these technologies control the world we live in, and OT-directed attacks can have a devastating impact. In contrast to traditional Information Technology based attacks, these Cyber-Physical attacks affect machinery and processes that have real world impacts to the industries and people they serve. 

In 2021, we were reminded of this fact by the Colonial Pipeline attack, which nearly crippled gas supplies across the Eastern U.S. More recently, 9 out of 10 organizations reported that cyberattacks impacted their production or energy supplies within the last 12 months, with 56% seeing disruption lasting 4 days or longer. 

Thanks to a combination of factors, OT-directed attacks – and traditional cyberattacks that impact OT systems – are steadily increasing, with government agencies increasingly taking notice. But why is this happening and how can you protect yourself in 2023? In this article, we’ll answer both questions. 

OT Security Trends 

OT threats have been on the rise for years, and while the factors behind this rise have largely remained consistent, they are being accelerated by larger trends affecting the IT landscape and business world in 2023.

1. OT Talent Gap

With the need for cybersecurity talent growing faster than the supply, ISC2 reported that global organizations were facing 3.4 million unfilled cyber positions in 2022.  

This gap continues to impact OT worse than other fields, as OT environments are filled with a combination of specialized and legacy systems. According to one expert, there were fewer than 1,000 ICS cybersecurity experts around the world only five years ago, and improvements have not kept pace with OT threats.

2. Supply Chain Issues Driving IT/OT Convergence

IT and OT have been converging for long enough that SANS Institute recommended dropping the IT/OT nomenclature several years ago: today’s industrial environments are dependent on IT infrastructure, which makes OT systems vulnerable to IT-directed attacks.  

With continued supply chain issues and economic downturn projected in 2023, organizations are being pushed to maximize efficiency, meaning an influx of industrial IoT (IIoT), cloud apps and other Internet-facing surfaces that drive OT threats.

3. Geopolitical Conflict

Given the critical role that OT plays in supporting national industry and infrastructure, it is a common target for nation-state actors and politically motivated advanced persistent threat groups (APT) groups.  

According to one study, hacking and reconnaissance against government bodies accounted for 48% of Internet traffic monitored across all public-sector organizations in 2022. As geopolitical conflict increases around the world, politically motivated cyberattacks of all types can be expected to rise even higher.

4. OT-Directed Attacks

In the past, OT threats have tracked IT threats closely, with many OT security incidents occurring as a side effect of malware or traditional cyberattacks. Now, threat actors are increasingly optimizing their attacks for ICS and SCADA devices, including systems from specific manufacturers.  

Last April, the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory with several federal agencies warning that APT groups had developed a malicious ICS framework known as “PIPEDREAM,” tailored for devices found throughout OT environments. 

The Impact of OT Threats 

Attacks on control systems can accomplish many things, none of them good. Limiting the scope of risk to those that directly impact an organization, they include: 

  • Data theft – exposing operationally significant data to intruders and leaking proprietary information like intellectual property. 
  • Operational disruption – leading infrastructure to function improperly or even shut down. This may cause significant risk to human life and safety within operating facilities. 
  • Financial loss – with the rise of ICS ransomware, an OT attack can directly rob an organization. Beyond that, the cost to remediate any incident may be high, and extended periods of disruption can cause a loss in revenue. 

Beyond an organization’s people and bottom line, it goes without saying that OT systems control a nation’s infrastructure meaning that any security incident can potentially affect millions of lives for the worst. 

Protecting Your OT Systems 

Faced with the prospect of cyberattacks on critical infrastructure, the government is focusing more attention on OT than ever before. It is only a matter of time before businesses – particularly government contractors – are required to follow regulations to protect their OT systems. But there’s no reason they can’t start now.

1. Adopt ICS Security Frameworks

With IT-directed attacks still accounting for a large number of OT threat incidents, securing your IT and network perimeter is a first step towards protecting OT. Organizations can start by complying with standards like the National Institute of Technology (NIST)’s Cybersecurity Framework (CSF) 

They can also implement guidelines developed specifically for industrial environments, such as the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP).

2. Treat OT as a Separate Domain

Despite IT and OT convergence, organizations are increasingly shifting the primary responsibility for OT security from IT managers to OT operators. As a SANS Institute survey reports: “organizations are realizing the enterprise IT and ICS/OT environments are not the same. They not only have different types of systems, but also have technologies that are not directly cross-compatible.”  

Ultimately, increased communication between IT and OT professionals can help to bridge knowledge gaps. While 72% of cybersecurity professionals can’t tell whether a disruption originated from IT or OT, a much larger number of professionals with a combination of IT and OT expertise can.

3. Promote More Secure Authentication

Poor identity management and authentication practices – such as weak passwords and lack of two-factor authentication – continue to threaten systems within an OT environment and on the periphery.  

Now more than ever, it’s vital for organizations to educate their employees on the importance of secure passwords, and update applications with most-secure configurations, which may include 2FA and support for biometrics.

4. Develop an Incident Response Strategy

In the event of a successful OT attack, organizations can mitigate harm significantly by developing a robust incident response strategy. In summary, the plan should include steps to: 

    • If possible, isolate the affected systems to prevent further harm, identify the threat source and remove it. 
    • Record and document an ongoing attack for later analysis and review. 
    • Reduce harm by resetting affected systems’ passwords and user profiles. 
    • Inform stakeholders and implement measures to prevent future incidents. 
  • During an attack, every second counts and knowing what to do ahead of time can make a world of difference. For more detail, check out our blog post on disaster recovery and response. Additionally, consider joining industry organizations such as Incident Command System for Industrial Control Systems (ICS4ICS), which focuses on an OT based emergency management framework.   

The Need for Expertise 

When it comes to defending against OT attacks, no method of security is more reliable than proactive risk management, threat hunting and vulnerability assessment conducted by experts at the intersection between IT and OT. 

Unfortunately, experts are hard to come by, especially for ICS, SCADA, programmable logic controllers (PLCs) and other OT systems. Fortunately, many are employed by Securicon. With years of experience with critical infrastructure – and the ability to implement NERC CIP guidelines – no one is better equipped to find vulnerabilities and promote safety in modern OT systems. To learn more, contact us today. 

Improving the Reliability of Power Delivery Systems

Posted on

cyber security, us power gridA recent poll found that an overwhelming majority of Americans (92%) agree on one thing: the power grid needs better protection. This point of view is understandable. The day before New Year’s 2017, researchers discovered that foreign hackers had infiltrated an internal computer at Vermont utility Burlington Electric.

Thankfully, the attackers did not manage to access the company’s Industrial Control System (ICS) which might have allowed them to wreak havoc on the facility; nevertheless, it raised public concern about the possibility that future attackers might have more luck (or competence).

After all, elsewhere in the world public utilities have already proven susceptible to cyber-terrorism. In 2015, hackers overwrote the firmware on critical devices across 30 power substations in the Ukraine, leading to a loss of power for 230,000 civilians. And recently, as the U.S has gradually shifted to a “Smart Grid” which uses smart equipment to connect power distribution centers, concerns are mounting that the technology will create more security holes.

Proposals and Controversy

It’s clear that there’s an issue, but the answer isn’t so obvious. Earlier this year, the Senate Committee on Energy and Natural Resources attempted to advance a bill that sought – among other things – to retrofit the power grid in order to prevent cyberattacks. According to the bill’s authors, using older forms of power management could make the grid less dependent on devices with security vulnerabilities.

There’s some truth to this. The F.B.I reports that numerous attempts have been made to infiltrate nuclear power stations across the U.S; however, these efforts are never fruitful for the simple reason that vulnerable devices are strictly forbidden from being connected to any vital control mechanisms. Unless a malicious operator is physically present at the station, nothing – in theory – can be sabotaged.

Challenges

The security community, however, has largely received the Senate’s bill with disappointment, complaining that it will take the U.S power grid backwards at a time when its modernization is more important than ever. James Scott from the Institute for Critical Infrastructure Technology (ICIT) appreciated that solutions were being raised, but also opined,

Legislation that eschews modern systems in favor of antiquated technologies is a step in the wrong direction because it amounts to significantly crippling the U.S. energy sector instead of addressing the threats.”

A second problem is that the U.S – along with the rest of the world – is trying to reduce dependency on fossil fuels and seek out better ways to produce power, while managing current resources more efficiently. To this end, the Department of Energy (DoE) established the Smart Grid Investment Grant (SGIG) to fund Research and Development (R&D) initiatives in power delivery systems throughout the country.

The Southern Company, an Atlanta-based beneficiary of this grant which serves power to nine million customers, has used that money to fund research in:

  • 21st century coal
  • Natural gas
  • Carbon-free nuclear programs
  • Sustainable energy

Opponents to a security strategy that depends on rolling back infrastructure worry that vital R&D initiatives like Southern’s would be thwarted. New technologies may be vulnerable to security risks, but they are also crucial to the DoE’s efforts to push the U.S power grid in the direction of sustainability and environmental friendliness.

Better Practices, Better Reliability

Some experts are less concerned about the possibility of a crippling cyberattack on the U.S power grid for the simple reason that better security practices and infrastructure have made it much safer over the years.

ICS expert Robert M. Lee has worked with power delivery systems in the U.S for many years, and closely studied the Ukrainian attack in 2015. When asked, he expressed optimism about security measures that are already deployed:

“Our regulations and our industry trends have gotten our architecture to a pretty decent place. The passive defenses probably need some work, but we’re getting there.”

Regulations to which he referred presumably includes the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) requirements which apply to public utility operators throughout the country. Areas it addresses include

  • Regular risk analysis of protected assets
  • Policies to monitor, access and alter configurations for those assets
  • Firewall protection and monitoring for security-related events

NERC-CIP is regularly updated, meaning it changes as new technology presents new risks.

Calling in The Experts

For massive utility players like Southern Company, handling this legislation and ensuring regular compliance means hiring experts who can meet minimal requirements while also going the extra mile. And there aren’t many – Lee adds, “There are less than 1,000 ICS cybersecurity professionals worldwide.

But as the field grows, specialized Infosec providers are able to meet the most pressing needs. Southern turned to Virginia based Securicon, which has a long history of working with the Department of Defense (DoD), and the company was able to implement

  • Tiered-access authentication systems to manage data, Operational Technology (OT) and resources
  • ICS zoning and segmentation to protect control systems while providing secure access to partners and collaborators
  • Creation of specialized architectures, policies and procedures uniquely tailored to Southern Company’s needs

Securicon’s solution has brought Southern into alignment with the latest NERC-CIP requirements, ensuring that its new technology initiatives will remain secure for the long term, and that its existing systems will stay protected from intrusion. No system will ever be completely invulnerable to attack, but the overhaul meets a high bar for safety and reliability.

More importantly, it proves that viable solutions are available to the American public’s mounting concerns regarding the future of the power grid which do not entail crippling R&D progress. As more public utilities take it upon themselves to confront vulnerabilities, legislation can help to ensure that their efforts will become the rule and not the exception.

To that end, ICS professionals and security specialists play a vital role in preventing disasters and moving the U.S power grid in a positive direction. For now, at least, one part of it is as reliable and safe as it has ever been.

Securicon offers comprehensive digital security and compliance solutions to organizations. Our services include penetration testing and social engineering assessments which are trusted by critical infrastructure companies across the U.S and other critical organizations to find vulnerabilities and maximize safety. In 2019, there’s no room to be lax about security – contact us today!