In the security world, operational technology (OT) has long been “the land of the forgotten,” taking a backseat in priority to IT network security. This is no longer tolerable, as adversaries and malicious actors increasingly target OT systems in attempts to extort enterprises or simply wreak havoc through equipment damage, environmental harm or loss of life.
OT network attacks are often targeted at industrial control system (ICS) networks and supervisory control and data acquisition systems, known as SCADA. These are the systems that control critical infrastructure—dams, water supplies, utility grids and more. OT network attacks have been on the rise in recent years, with the newest research showing exploits increasing in both scale and number throughout 2018. Beyond the more catastrophic impacts, Ernst & Young has found that the cost of downtime from a major OT network attack can exceed $8 million per day.
Traditionally, ICS networks and SCADA systems have been segregated from unsecure areas (corporate networks and the internet) through air-gapping and increased physical security. But in recent years, more of these systems have been brought online to cut costs, share operational information and improve efficiencies—thus increasing their exposure to IT networks as infection vectors. One of the best-known recent examples of this was NotPetya, a ransomware exploit which began by infecting enterprise IT networks and then spread to disrupt the OT networks of several large companies, including Merck and FedEx.
While many OT network attacks go unreported, the damage caused by cyberattacks reveals the vulnerabilities of ICS networks and SCADA systems. This has led to an increased awareness among organizations to better monitor and protect both their IT and OT networks. Some keys for doing this include:
Start by looking more closely at the IT network: Threats targeting OT networks often originate on IT networks, meaning security teams must gain better visibility into IT traffic and anomalies to protect the OT network. In many cases, this means moving from a reactive approach to a “threat hunting” stance by scouring networks to detect and isolate advanced threats that have evaded more conventional solutions.
Focus on OT system threats: In the past year, at least three new, major ICS-targeting threat activity groups have been identified. Many threats within the broader group have deployed “living off the land” techniques that help them avoid detection. One advantage of OT-network based threats is there are far fewer in number than IT network-based threats, making the task of guarding against them more manageable, but arguably still not scalable by humans alone. Additionally, because malicious actors are often looking to maximize disruption within different market segments (such as gas and electricity), organizations should pay close attention to OT network threats that others in their industry are experiencing.
Merge and integrate your IT and OT security intelligence, in order to avoid compartmentalized views: Just as IT networks often spread infection to OT networks, the reverse can be true—an attack on an ICS network or SCADA system can quickly pivot to the IT network and compromise the sensitive data that may reside there. Consider an OT network attack at an oil refinery that enables an adversary to gain access to customer credit card information that is gathered further downstream at a gas station. There are numerous examples across industries of threats running bi-directionally, and unless an organization has a comprehensive, holistic view of both their OT and IT network environments, it is nearly impossible to track threats as they transcend realms.
Make OT security an equal citizen: ICS networks and SCADA systems run critical infrastructures, yet they often rely on aging software and obsolete hardware that can be difficult to patch, which leaves them vulnerable to exploitation. Patching these systems is critical, though it can be extremely expensive and difficult. Consider the nature of the infrastructures being patched—many of these run mission-critical services 24x7, and interrupting service to install a new security patch may not be feasible.
Further frustrating the situation is the fact that even with extensive patching, many OT networks are insecure by design, as many of the systems within them lack basic authentication procedures. This does not obviate the need for patching, rather it speaks to the need to address OT network systems strategically and methodically, limiting patching to only those systems where easier approaches (such as whitelisting) may not be available.
Encourage and nurture “chameleons”: The security industry needs more chameleons—individuals who have a deep understanding of both IT and OT network security issues, who can see how security threats originating on one side might impact the other and serve as a glue bonding both teams together to identify and remediate threats. This is a rare skillset requiring expertise in different disciplines like mechanical engineering and computer science, but is perhaps one of the most exciting opportunities available for the next generation of security professionals—and the colleges and universities that are preparing them for the workplace of the future.
New forms of malware originating on both IT and OT networks are being discovered all the time, and no industry is spared from the repercussions that can impact critical ICS networks and SCADA systems and IT networks and assets. In this fast-changing world, organizations running OT networks must have a comprehensive, holistic view of the end-to-end IT/OT security picture; otherwise, they are only addressing half of their threat surface area and leaving themselves vulnerable to significant, costly attacks.