Why OT Environments Are Getting Attacked And What Organizations Can Do About It

With everything becoming internet-facing and cloud-managed, the manufacturing and critical infrastructure sectors are becoming exposed to threats that may be more profound than data breaches.

September 1, 2022

As usual, financial gain is the biggest motivation behind cyberattacks against operational technology. About 80% of OT environments were hit by ransomware last year. Etay Maor, senior director of security strategy for Cato Networks, discusses how aging technology, infrequent patching made difficult by the cost of work stoppages, and limited security resources make OT systems vulnerable, and how organizations can mitigate these challenges.

Much has changed for operational technology (OT) in the past decade. The rising demand for improved connectivity of systems, faster maintenance of equipment and better insights into utilization of resources has given rise to internet-enabled OT systems, which include industrial control systems (ICS) and others such as supervisory control and data acquisition (SCADA) systems, distributed control systems (DCSs), remote terminal units (RTUs), and programmable logic controllers (PLCs).  

With everything becoming internet-facing and cloud-managed, the manufacturing and critical infrastructure sectors (i.e., healthcare, pharma, chemicals, power generation, oil production, transportation, defense, mining, food and agriculture) are becoming exposed to threats that may be more profound than data breaches. Gartner believes that by 2025 threat actors will weaponize OT environments to successfully harm or kill humans.


Why Operational Technology Environments Are Getting Attacked

According to SANS research, there are four key reasons why cybercriminals attack OT and industrial control systems (ICS) environments: ransomware or financial crimes; state-sponsored attacks that cause wide-scale disruption, like NotPetya (credited with causing massive collateral damage and the world's first power blackouts); attacks by non-state actors for terrorism or hacktivism (e.g., the Oldsmar, FL water treatment facility hack); and attacks on devices and things that cannot protect themselves. Financial crime is the biggest driver, with 80% of OT environments experiencing a ransomware attack last year.

What Makes OT Systems So Vulnerable To Attacks?

A number of reasons make OT/ICS environments vulnerable:

  • Aging technology: Many OT systems were built decades ago, when most devices were air-gapped and nobody was too concerned about cybersecurity, encryption or authentication. It is estimated that 71% of systems have outdated or unsupported operating systems, 66% have no automatic updates, and 64% have unencrypted passwords.
  • Difficult or infrequent patching: While 65% of vulnerabilities have a patch available, it is extremely difficult for organizations to patch systems regularly because of the associated risk of downtime. Most critical infrastructure and ICS environments operate round the clock; they cannot be taken offline, and they cannot risk applying untested patches that may have downstream ecosystem impacts or the potential to disrupt the overall system.
  • Inherent vulnerabilities: The number of reported vulnerabilities in ICS environments is doubling every year.
  • Remotely exploitable: Almost 70% of all operational environments have one or more remote access or external connections to third parties such as internet providers, service providers and others.
  • Weak passwords: OT devices lack strong authentication, and credentials can easily be guessed or brute forced by cybercriminals. Earlier this year, CISA warned that cybercriminals were gaining access to internet-exposed UPS devices through unchanged default usernames and passwords.
  • Limited security resources: 47% of ICS organizations do not have an internal team dedicated 24x7 to managing OT/ICS incidents. There is also a lack of alignment between IT and OT security teams.

How Can Organizations Prevent OT/ICS Cyber Attacks?

We need to fundamentally change our thinking in terms of how we build these systems and whether or not they should be so readily accessible. Here are best practices that can help:

1. Align security controls to the process, not to technology

Legacy cybersecurity approaches are predicated on protecting technology, but this approach becomes irrelevant with internet-facing OT. This can be easily demonstrated with the Purdue model, where historically information flowed from level zero to level one to level two and back. It did not have to flow through a network, but through machines connected to networks, so security teams had to lock those machines down to secure their infrastructure. Today, with the proliferation of Ethernet on the manufacturing floor, any level can communicate with the external world; hence, this approach has become obsolete. Enterprises must instead follow a micro-segmentation approach in which security is layered on each functional area within the process, so that any attack is contained.

2. Deploy granular access based on identities and applications

With more and more ICS networks embracing the benefits of the cloud, the perimeter is no longer the defensible position it once was. Studies show that Level 3 of the Purdue model (which processes data from the cloud or higher-level business systems) is affected by the largest number of vulnerabilities. Moreover, the rise of remote work and the growing use of remote administration applications like VNC (Virtual Network Computing) and RDP (Remote Desktop Protocol) requires a strong identity and access management solution that does not extend too much trust to authorized users. Leveraging SASE (secure access service edge), which converges SD-WAN (software-defined wide area networking) and SSE (security service edge) into a global cloud service, is one way enterprises can manage, control and monitor the connectivity of data centers, branches and edges and implement a never trust, always verify approach.
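The two practices above, segmentation by functional area and access decided per identity and application rather than per network location, can be expressed as one default-deny policy. The following is an added example written for this article, not code from the author or from Cato Networks. It models Purdue levels as zones (the zone names, identities, applications and allow list are all constructed) and evaluates every flow against an explicit conduit list keyed on identity, application, source zone and destination zone, so nothing is trusted just because it already sits inside the plant network.

```python
"""Default-deny conduit policy for a segmented OT network.

Added example, not code from the article or from Cato Networks. Purdue levels
are modelled as zones; every requested flow is checked against an explicit
allow list keyed on (identity, application, source zone, destination zone),
so identity and application are verified on each flow rather than trusted
once at the perimeter. Zone names, identities and applications are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed zone-to-Purdue-level mapping (level 4 enterprise down to level 0 process).
ZONE_LEVEL = {
    "enterprise": 4,
    "site-ops": 3,
    "supervisory": 2,
    "control": 1,
    "process": 0,
}


@dataclass(frozen=True)
class Flow:
    identity: str     # authenticated user or service identity, never an IP address
    application: str  # named application or protocol, not just a port number
    src_zone: str
    dst_zone: str


# Explicit conduits (constructed): the only ways a given identity may cross zones.
ALLOW = {
    Flow("historian-svc", "opc-ua", "supervisory", "site-ops"),
    Flow("ops-engineer@plant", "rdp", "site-ops", "supervisory"),
    Flow("scada-hmi", "modbus-tcp", "supervisory", "control"),
}


def evaluate(flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    if flow.src_zone not in ZONE_LEVEL or flow.dst_zone not in ZONE_LEVEL:
        return False, "unknown zone"
    # A conduit may only join adjacent levels; a level-skipping path such as
    # enterprise -> control is refused even if someone adds it to ALLOW.
    if abs(ZONE_LEVEL[flow.src_zone] - ZONE_LEVEL[flow.dst_zone]) > 1:
        return False, "conduit skips a Purdue level"
    if flow in ALLOW:
        return True, "explicit conduit"
    return False, "no conduit for this identity/application between these zones"


def audit(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Evaluate a batch of observed flows and return the denied ones with reasons."""
    denied = []
    for flow in flows:
        allowed, reason = evaluate(flow)
        if not allowed:
            denied.append((flow, reason))
    return denied


if __name__ == "__main__":
    # Constructed observations: one legitimate HMI poll, one engineer using the
    # wrong application for the zone pair, one remote user reaching straight for a PLC.
    observed = [
        Flow("scada-hmi", "modbus-tcp", "supervisory", "control"),
        Flow("ops-engineer@plant", "modbus-tcp", "supervisory", "control"),
        Flow("vendor-support", "rdp", "enterprise", "control"),
    ]
    for flow, reason in audit(observed):
        print(f"DENY {flow.identity} {flow.application} "
              f"{flow.src_zone}->{flow.dst_zone}: {reason}")
```

The allow list is keyed on the whole tuple on purpose: the same engineer who may open RDP from site operations to the supervisory zone gets no Modbus path into the control zone, and a session that tries to cross several levels at once is refused before the allow list is even consulted.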

3. Ensure everyone is a stakeholder

Industrial security is a team sport. You need vast experience and knowledge across many different disciplines: chemical engineering, process engineering, mechanical engineering, electrical engineering, human psychology, cybersecurity, industrial networking, traditional networking and cloud services. Since most threat actors tend to live off the land before they reveal themselves, it is important for security teams to have a pulse on not just cyber variables but also process variables and physical variables like temperature, pressure, flow, movement, time, etc.
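Watching cyber variables and process variables together is what turns a living-off-the-land session into something detectable: a setpoint write that looks routine on the network becomes interesting when it arrives through a remote session and the measured pressure then leaves its engineering range. The following is an added example, not code from the article; the remote-access log, controller write log, historian feed, tag names, hosts, engineering limits and timestamps are all constructed for the illustration.

```python
"""Correlating cyber events with process variables.

Added example, not code from the article. It joins three constructed feeds
(a remote-access session log, a controller setpoint-write log and a historian
feed) and raises an alert when a setpoint write arrives over a remote session
or from an untrusted host, or is followed within a short window by a process
variable leaving its engineering range. Tags, hosts, users, limits and
timestamps are all invented.
"""
from __future__ import annotations

from datetime import datetime, timedelta

# Constructed remote-access log: (start, end, user, jump host).
REMOTE_SESSIONS = [
    ("2022-08-30T01:58:00", "2022-08-30T02:20:00", "vendor-support", "rdp-jump01"),
]
# Constructed controller write log: (time, source host, tag, new setpoint).
CONTROLLER_WRITES = [
    ("2022-08-30T02:03:10", "rdp-jump01", "RX101.PRESSURE.SP", 180.0),
    ("2022-08-30T09:15:00", "hmi-02", "RX101.TEMP.SP", 85.0),
]
# Constructed historian feed: (time, tag, measured value).
HISTORIAN = [
    ("2022-08-30T02:02:00", "RX101.PRESSURE.PV", 101.4),
    ("2022-08-30T02:06:00", "RX101.PRESSURE.PV", 152.9),
    ("2022-08-30T02:09:00", "RX101.PRESSURE.PV", 171.0),
    ("2022-08-30T09:20:00", "RX101.TEMP.PV", 84.2),
]
# Engineering limits per process variable and hosts normally allowed to write setpoints.
LIMITS = {"RX101.PRESSURE.PV": (80.0, 120.0), "RX101.TEMP.PV": (60.0, 90.0)}
TRUSTED_WRITERS = {"hmi-01", "hmi-02"}
WINDOW = timedelta(minutes=15)


def ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def remote_user_for(when: datetime, host: str) -> str | None:
    """Return the remote user whose session covered `host` at `when`, if any."""
    for start, end, user, jump_host in REMOTE_SESSIONS:
        if jump_host == host and ts(start) <= when <= ts(end):
            return user
    return None


def excursions(pv_tag: str, after: datetime, window: timedelta = WINDOW) -> list[tuple[str, float]]:
    """Historian samples of `pv_tag` outside its limits within `window` after `after`."""
    lo, hi = LIMITS[pv_tag]
    return [
        (t, value)
        for t, tag, value in HISTORIAN
        if tag == pv_tag and after <= ts(t) <= after + window and not lo <= value <= hi
    ]


def correlate(writes=CONTROLLER_WRITES) -> list[dict]:
    """Score each setpoint write by combining cyber context with process behaviour."""
    alerts = []
    for t, host, tag, setpoint in writes:
        when = ts(t)
        remote_user = remote_user_for(when, host)
        untrusted = host not in TRUSTED_WRITERS
        # Setpoint tag RX101.X.SP is paired with its process variable RX101.X.PV.
        out_of_range = excursions(tag.replace(".SP", ".PV"), when)
        if not (remote_user or untrusted or out_of_range):
            continue  # routine write from the HMI with the process staying in range
        if out_of_range and (remote_user or untrusted):
            severity = "high"    # suspicious origin AND the process reacted
        elif remote_user or untrusted:
            severity = "medium"  # suspicious origin, process still in range
        else:
            severity = "low"     # excursion only; may be an ordinary process upset
        alerts.append({
            "time": t, "host": host, "tag": tag, "setpoint": setpoint,
            "remote_user": remote_user, "untrusted_host": untrusted,
            "excursions": out_of_range, "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate():
        print(alert["severity"].upper(), alert["time"], alert["tag"], "from", alert["host"],
              "remote user:", alert["remote_user"], "excursions:", len(alert["excursions"]))
```

On the constructed data the 09:15 temperature setpoint change from the HMI produces nothing, while the 02:03 pressure setpoint write from the jump host is scored high because it coincides with a vendor remote session and is followed by two pressure readings above the 120.0 limit. Neither feed alone would have ranked it that way: the network log shows an authorized remote session, and the historian alone shows a process upset.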

Employees, vendors, partners, asset owners, engineering teams and operators are all needed to mitigate potential threats and deliver effective incident response.

Industrial environments must always be safe, secure, and operational. Safety should be treated as one of the most foundational elements alongside availability, integrity, and confidentiality. 


Etay Maor

Senior Director of Security Strategy, Cato Networks

Etay Maor is Senior Director of Security Strategy for Cato Networks, a leading network security provider. Previously, he was Chief Security Officer for IntSights and held senior security positions at IBM and RSA Security's Cyber Threats Research Labs. An adjunct professor at Boston College, he holds a BA in computer science and a MA in counter-terrorism and cyber terrorism from Reichman University (IDC Herzliya), Tel Aviv.