Critical infrastructure is vital to the functioning of modern societies and economies, yet often these systems are not properly protected or are easily accessed and exploited, and thus remain a key target for threat actors. Although awareness around the severity of operational technology (OT) cyber risks is on the rise, the fact is, OT environments remain vulnerable.
In the first few months of the year, we’ve already seen news of several exploited vulnerabilities in the sector, such as the Florida water plant breach and, most recently, the ransomware attack on Colonial Pipeline, one of the United States’ most critical fuel pipelines.
Given the longevity of the systems and technology implemented in industrial settings, security has historically been relegated to a second tier of priorities compared to uptime, reliability and stability. It comes as no surprise that 56 percent of the world’s gas, wind, water and solar utilities experience at least one shutdown or operational data loss per year, according to a Ponemon Institute report. That number has likely grown because of the pandemic, as many organizations weren’t prepared for remote management of critical systems. In fact, although leaders agree on the importance of remote access, Claroty reported last year that 26 percent of organizations struggled with the newly dispersed workforce and 22 percent did not have a pre-existing remote access solution that is secure enough for OT.
As OT environments continue to evolve in the face of new potential disruptions, it is time for leaders to prioritize security and understand implications so they can act to protect their organizations and nations’ critical infrastructure.
Understanding the New OT Landscape
In the past few years, we have seen a convergence between OT and IT-based security infrastructures and processes. However, as we saw in the Colonial Pipeline attack, these integrated ecosystems have become considerably more difficult to secure, with problems ranging from misconfiguration, vulnerable hardware/software components and poor cybersecurity practices to a lack of visibility into connected assets and poor network segmentation.
Beyond the OT-IT environment convergence, the pandemic pushed many organizations to alter their cybersecurity processes to accommodate the new needs of remote work. However, adversaries quickly realized that targeting workers at home provided a viable path into OT networks, and turned to exploiting work-from-home arrangements by leveraging unpatched virtual private network (VPN) systems, interconnected IT and OT environments, and vulnerabilities in legacy Windows and OT systems.
OT has fast become a prime target for motivated and well-resourced threat actors who continue to redesign their tactics to penetrate new and enhanced security measures. In fact, 2020 saw a significant increase in exploitable vulnerabilities in OT. ICS-CERT advisories increased by more than 32 percent last year compared to 2019, and more than 75 percent of advisories were about “high” or “critical” severity vulnerabilities. Threat actors are also using ransomware campaigns to target OT environments because they understand how mission-critical these environments are. For example, if a pipeline carrying 45 percent of the United States’ East Coast’s fuel is shut down, it costs the pipeline operator millions of dollars per day.
The specialized and mission-critical nature of OT infrastructure technologies means that most security and threat intelligence solutions don’t have visibility into potential vulnerabilities, let alone the ability to defend against attacks.
Preventing and Mitigating Risks
So, what can be done to enhance security in today’s OT landscape? To protect, prevent and mitigate risks, there are several important steps organizations can take to improve their security posture.
- Implement a risk management program: OT is built around complex systems that oftentimes are not properly tracked in traditional asset management systems. Designing an effective OT security program requires a risk model that specifically maps the functional requirements of these systems while providing a holistic image of the potential real-world consequences of compromise. As part of the program, organizations that leverage the Purdue Model should ensure they’re documenting the number of traffic flows between levels, especially if the flow is across more than one Purdue level.
- Build a cyber incident response plan: If there was something we should have learned from the COVID-19 pandemic, it is that we need to be ready for anything. A comprehensive cyber incident response plan that includes both proactive and reactive measures is required to help prevent incidents and better allow the organization to respond if one does occur. Make sure to print the response plan and have it handy. What happens if the systems that store your incident response plan are encrypted or unavailable due to an attack?
- Protect third-party remote access: Organizations regularly rely on third-party vendors to complement their business; however, many do not have uniform cybersecurity policies and practices. Many OT sites even have third-party vendors regularly conduct maintenance via remote access technology, which creates exploitable weaknesses in the operations chain. Establishing a supply chain management program that vets external vendors’ security standards and provides better control of third-party access is critical to reducing the risks third parties introduce.
- Enhance system monitoring procedures: It is no longer enough to simply build a network with a hardened perimeter. Securing OT systems against modern threats requires well-planned and well-implemented strategies that will allow defense teams to quickly and effectively detect, counter and respond to adversaries. At a minimum, corporate IT and OT domains should be physically and logically separated, networks must be segmented, and critical parts of the network isolated from untrusted networks, especially the internet. It is also important to deploy monitoring tools such as passive intrusion detection systems (IDS) specifically designed for OT environments. Passive systems are key because proactive systems may produce false-positive detections that could lead to downtime of critical systems.
- Develop informed security controls: To establish the required controls, we have to start with an asset inventory. Once the assets have been identified, organizations at a minimum need to implement the security features provided by device and system vendors. However, to deal with some critical vulnerabilities, we recommend turning on security features that apply Common Industrial Protocol (CIP) security controls, a fairly universal standard. Many PLC vendors also have physical switches on their appliances that prevent changes to the PLC’s configuration, which should be used appropriately. We see many plants and OT sites with these switches always set to “config mode,” which allows for the PLC configuration to be changed (potentially by an attacker). These should be complemented with secure and hardened configurations (read/write protections, memory protection, etc.). Managing controls over time can be daunting, and time intervals between OT system upgrades can be years long, so organizations need an effective change management program. The program should be able to identify compensatory controls that can be applied to remediate critical vulnerabilities that cannot be patched immediately. These controls can include a host monitoring system that detects and alerts when unauthorized changes are made to Human Machine Interfaces (HMIs), engineering workstations or PLCs.
- Establish audits and security assessments: Finally, numerous factors affect the security of a system throughout its life cycle, so periodic testing and verification of the system are essential. Timely audits and assessments help eliminate the “path of least resistance” that an attacker could exploit.
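As an illustration of the Purdue Model point in the risk management step above, the following added example (not from the original article) counts observed traffic flows between Purdue levels and flags any flow that crosses more than one level. The asset inventory, addresses, flow records and the integer level numbering are constructed assumptions for the sketch.

```python
import csv
import io
from collections import Counter

# Constructed asset inventory: address -> (asset name, Purdue level 0-5).
INVENTORY = {
    "10.0.1.10": ("plc-pump-01", 1),
    "10.0.2.20": ("hmi-ops-01", 2),
    "10.0.3.30": ("historian-01", 3),
    "192.168.4.40": ("erp-app-01", 4),
}

# Constructed flow records, e.g. exported from a passive network sensor.
FLOWS_CSV = """src,dst,dport
10.0.2.20,10.0.1.10,44818
10.0.3.30,10.0.2.20,4840
192.168.4.40,10.0.3.30,1433
192.168.4.40,10.0.1.10,502
10.0.3.30,10.0.1.10,44818
10.0.3.30,10.0.1.10,44818
172.16.9.9,10.0.1.10,502
"""

def audit_flows(flows_csv, inventory):
    """Return (flows per level pair, flows crossing >1 level, untracked hosts)."""
    pair_counts = Counter()   # (src level, dst level) -> number of flows
    multi_level = Counter()   # (src asset, dst asset, port) -> number of flows
    unknown = set()           # addresses missing from the asset inventory
    for row in csv.DictReader(io.StringIO(flows_csv)):
        src = inventory.get(row["src"])
        dst = inventory.get(row["dst"])
        if src is None or dst is None:
            # A host that is not in the inventory is itself a finding.
            unknown.update(ip for ip in (row["src"], row["dst"])
                           if ip not in inventory)
            continue
        pair_counts[(src[1], dst[1])] += 1
        if abs(src[1] - dst[1]) > 1:
            multi_level[(src[0], dst[0], int(row["dport"]))] += 1
    return pair_counts, multi_level, unknown

if __name__ == "__main__":
    pairs, flagged, unknown = audit_flows(FLOWS_CSV, INVENTORY)
    for (s, d), n in sorted(pairs.items()):
        print(f"level {s} -> level {d}: {n} flow(s)")
    for (s, d, port), n in sorted(flagged.items()):
        print(f"REVIEW: {s} -> {d} port {port} crosses >1 level ({n} flow(s))")
    for ip in sorted(unknown):
        print(f"UNTRACKED: {ip} is not in the asset inventory")
```

Flows from untracked addresses are reported separately because they cannot be placed on a level at all, which ties the flow documentation back to the asset inventory the controls step starts from.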
About the Author:
Francisco Donoso is the Director of Global Security Strategy at Kudelski Security, a global cybersecurity services provider, where he previously worked as the principal architect building out the company’s global Managed Security Services (MSS) offerings. He has been on the forefront of research into the Equation Group’s post-exploitation tools and capabilities since their release by the Shadow Brokers and has spoken about this research at Derbycon, Thotcon, Microsoft Bluehat, and other conferences.