OT CYBER SECURITY 101: 4 FUNDAMENTAL ISSUES TO COVER WHEN PROTECTING YOUR BUSINESS
As Industrial Control Systems (ICS) continue to advance and integrate with IT, the risk of cyberattacks on OT environments grows.
This convergence improves day-to-day operations for many industries, but it also exposes ICS/OT infrastructure to risks it was never designed to withstand.
The rapid digital transformation of industry has left many organizations unprepared for cyber security threats, with many plants still lacking basic controls such as continuous threat monitoring and access control.
OT security practice in much of critical infrastructure remains worryingly under-developed. Because patching OT components usually requires taking production offline, patches are applied infrequently, so known vulnerabilities stay exploitable for long periods and the environment is at significant risk of compromise.
According to Microsoft's assessment of the state of ICS/OT security, it remains an easy target for several reasons:
- Outdated operating systems
- Unencrypted passwords
- Remotely accessible devices
- Unseen indicators of threats
- Direct internet connections
In today’s blog we will go over some of these prevalent issues, and talk about how to best approach their prevention.
1. INSUFFICIENT INSIGHT
One of the first issues a company faces when protecting its OT from outside interference is that OT works in a completely different way from enterprise IT. Operational technology is built on fundamentally different components, which:
- Are headless, with no screen or keyboard
- Communicate over industrial protocols such as Profinet, which run on plain Ethernet and were designed without authentication or encryption
- Cannot run host-based security software such as firewalls and antivirus
All of this contributes to ICS/OT still being insufficiently monitored for threats, sometimes to the point where CISOs and CSOs do not even know the full extent of the assets they are responsible for. That creates an ideal environment for an attacker to get in through one of the unmonitored endpoints.
HOW TO COMBAT THIS ISSUE
- ICS asset inventory
Every security strategy should start with covering your bases: you need to know about every piece of equipment your production floor operates. Any OT asset that stays unaccounted for is an unmonitored and unpatched potential entry point for an attacker.
ICS/OT asset inventory solutions provide comprehensive lists of all hardware and software in your company's possession, along with firmware and OS patch status and known vulnerabilities per asset. Combined with ICS network and dataflow diagrams, they show which devices talk to which, over which protocols, from one end of the organization to the other. In OT the inventory is usually built passively from a mirrored copy of network traffic, because active scanning can disrupt or crash fragile controllers.
Access to this data keeps you up to date with your ICS/OT system and its daily operational flow, and it is the basis for alerting you to any critical event within your network.
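The following is an added example, not code from the original article or any inventory product. It shows the passive approach described above: a set of constructed flow records (the kind a mirror port or NetFlow collector would produce) is turned into an asset list with protocol-derived roles and a dataflow summary, and two findings are reported that a plant would want to know about immediately: a device on the plant network that nobody declared, and a plant device talking directly to an address outside the plant. The plant address range, the declared asset names and the flow records are all assumptions for the example.

```python
"""Passive ICS asset inventory and dataflow summary from flow records.

Added example, not from the original article or any product: it builds an
asset list and a per-conversation dataflow summary from constructed flow
records (the kind exported from a SPAN/mirror port or NetFlow collector),
tags industrial protocols by their well-known server ports, and reports
assets missing from the declared inventory and plant devices talking
directly to addresses outside the plant. Nothing here probes a device.
"""
import ipaddress
from collections import defaultdict

# Well-known server ports of common ICS protocols.
ICS_PORTS = {
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 102): "S7comm",
    ("tcp", 44818): "EtherNet/IP",
    ("tcp", 20000): "DNP3",
    ("tcp", 4840): "OPC UA",
    ("udp", 47808): "BACnet/IP",
}

# Address ranges that belong to the plant (assumed for the example).
PLANT_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# What the plant believes it owns (hypothetical names). Anything else seen
# on the plant network is an undeclared asset.
DECLARED = {
    "10.10.1.10": "HMI-01",
    "10.10.2.20": "PLC-LINE1",
    "10.10.2.21": "PLC-LINE2",
}

# Constructed flow records: (src_ip, dst_ip, proto, dst_port, bytes).
FLOWS = [
    ("10.10.1.10", "10.10.2.20", "tcp", 502, 4200),
    ("10.10.1.10", "10.10.2.21", "tcp", 502, 3900),
    ("10.10.1.10", "10.10.2.20", "tcp", 502, 4100),
    ("10.10.3.7", "10.10.2.20", "tcp", 102, 880),      # undeclared engineering station
    ("10.10.2.21", "203.0.113.5", "tcp", 443, 15000),  # a PLC talking outside the plant
    ("10.10.1.10", "10.10.5.5", "udp", 47808, 300),    # undeclared BACnet device
]


def in_plant(ip):
    """True if the address lies in one of the plant networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PLANT_NETS)


def build_inventory(flows, declared=DECLARED):
    """Map every plant address seen to its name, declared status and roles.

    A role is derived from the protocol port: the destination of a Modbus
    flow is a Modbus server (typically a PLC), the source a client (an HMI).
    """
    inventory = {}
    for src, dst, proto, port, _ in flows:
        for ip in (src, dst):
            if in_plant(ip) and ip not in inventory:
                inventory[ip] = {"name": declared.get(ip, "UNKNOWN"),
                                 "declared": ip in declared,
                                 "roles": set()}
        label = ICS_PORTS.get((proto, port))
        if label:
            if in_plant(dst):
                inventory[dst]["roles"].add(label + " server")
            if in_plant(src):
                inventory[src]["roles"].add(label + " client")
    return inventory


def dataflows(flows):
    """Aggregate bytes per (src, dst, protocol) edge: the data behind a dataflow diagram."""
    edges = defaultdict(int)
    for src, dst, proto, port, nbytes in flows:
        label = ICS_PORTS.get((proto, port), f"{proto}/{port}")
        edges[(src, dst, label)] += nbytes
    return dict(edges)


def findings(flows, declared=DECLARED):
    """List undeclared plant assets and plant devices reaching outside the plant."""
    inventory = build_inventory(flows, declared)
    out = []
    for ip, asset in sorted(inventory.items()):
        if not asset["declared"]:
            roles = ", ".join(sorted(asset["roles"])) or "unknown role"
            out.append(f"undeclared asset {ip} seen as {roles}")
    for src, dst, proto, port, _ in flows:
        if in_plant(src) and not in_plant(dst):
            name = inventory[src]["name"]
            out.append(f"direct external connection from {src} ({name}) to {dst} {proto}/{port}")
    return out


if __name__ == "__main__":
    for line in findings(FLOWS):
        print(line)
```

Run as-is it prints the two findings. In a real deployment the declared list comes from the plant's asset register and the flows from a continuous capture, and the "undeclared" list is worked down to zero before anything else in the security program starts.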
2. ABUSE OF USER PRIVILEGES
A surprising number of security issues originate with an insider, and over-privileged accounts make them worse. According to the 2021 Microsoft Vulnerabilities Report (published by BeyondTrust), 56% of Critical Microsoft vulnerabilities would have been mitigated by removing local admin rights from users.
The issue is not confined to IT. It extends across all sectors, from healthcare and public administration to manufacturing and mining, where an over-privileged account is often the key to gaining control of OT once an attacker has reached the ICS network.
And while Verizon's latest Data Breach Investigations Report shows privilege misuse steadily decreasing overall, it is still among the top five breach patterns for this year. Furthermore, over 30% of incidents of this kind take months or years to discover.
Misuse of user privilege is often accidental, but deliberate abuse still happens: many OT attacks take advantage of weak or absent access controls to get in and then take control.
This information alone presents a strong argument for increased network segmentation and enforcing tiers of ICS access control.
HOW TO COMBAT THIS ISSUE
- Access control
Access control is a crucial element of ICS/OT security. It means building a tiered user model that determines which employee can see what information and exercise what degree of control over the system, with each tier granted only what the job requires. In practice it also means getting rid of shared operator logins and default vendor passwords, since a tier only means something when every action can be attributed to one person.
Restricting access to ICS in this way limits the number of entry points through which a malicious actor could seize control of operational technology and turn it to disruptive ends.
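The following is an added example of the tiered model, not code from the article or any access-control product. Role names, zones, users and assets are hypothetical. The design point it makes is that the tiers are not a ladder: each role gets an explicit permission set, so the IT administrator who patches the HMI cannot change a setpoint and the operator cannot download PLC logic. It also shows a time-boxed "break-glass" elevation that must be approved by a different person who holds the right being granted, and an audit trail of every decision.

```python
"""Tiered ICS access control with deny-by-default and an audit trail.

Added example, not taken from the article. Roles, zones, users and assets
are hypothetical. Permissions are explicit per role with no implicit
hierarchy, so an IT administrator who can patch the HMI cannot change a
setpoint, and an operator cannot download PLC logic. A time-boxed
"break-glass" elevation lets an operator act as an engineer for a short
window, but only when approved by a different person who holds that right.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

VIEW, OPERATE, ENGINEER, ADMIN = "view", "operate", "engineer", "admin"

# Role -> permitted actions. Deliberately not a ladder: each set is explicit.
ROLE_PERMISSIONS = {
    "viewer":   {VIEW},
    "operator": {VIEW, OPERATE},    # read process data, change setpoints
    "engineer": {VIEW, ENGINEER},   # download logic, but not run the line
    "it_admin": {ADMIN},            # patch the host OS, not touch the process
}


@dataclass
class User:
    name: str
    role: str
    zones: set                                 # plant zones the user is cleared for
    elevated_until: Optional[datetime] = None  # break-glass elevation expiry


@dataclass
class Asset:
    name: str
    zone: str


@dataclass
class AccessController:
    audit: list = field(default_factory=list)

    def authorize(self, user, action, asset, now=None):
        """Return True only if an explicit rule permits the action; log every decision."""
        now = now or datetime.now(timezone.utc)
        allowed, reason = False, "no rule permits this action"
        perms = ROLE_PERMISSIONS.get(user.role, set())
        if asset.zone not in user.zones:
            reason = f"not cleared for zone {asset.zone}"
        elif action in perms:
            allowed, reason = True, f"role {user.role} permits {action}"
        elif action == ENGINEER and user.elevated_until and now < user.elevated_until:
            allowed, reason = True, "break-glass elevation active"
        self.audit.append((now.isoformat(), user.name, action, asset.name, allowed, reason))
        return allowed

    def can_approve(self, approver, user):
        """Separation of duties: a different person who holds ENGINEER must approve."""
        if approver.name == user.name:
            return False, "users cannot approve their own elevation"
        if ENGINEER not in ROLE_PERMISSIONS.get(approver.role, set()):
            return False, f"{approver.name} does not hold engineering access"
        return True, "approved"

    def grant_elevation(self, user, approver, minutes, now=None):
        """Time-boxed elevation to ENGINEER; refused unless can_approve() passes."""
        now = now or datetime.now(timezone.utc)
        ok, reason = self.can_approve(approver, user)
        if not ok:
            raise PermissionError(reason)
        user.elevated_until = now + timedelta(minutes=minutes)
        self.audit.append((now.isoformat(), user.name, "elevate", approver.name, True,
                           f"until {user.elevated_until.isoformat()}"))


def run_demo():
    """Walk through the scenario with a fixed clock; returns the decisions taken."""
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    ac = AccessController()
    plc = Asset("PLC-LINE1", "line1")
    alice = User("alice", "operator", {"line1"})
    bob = User("bob", "engineer", {"line1", "line2"})
    carol = User("carol", "it_admin", {"line1"})
    out = {
        "operator_setpoint": ac.authorize(alice, OPERATE, plc, t0),
        "operator_logic": ac.authorize(alice, ENGINEER, plc, t0),
        "it_admin_setpoint": ac.authorize(carol, OPERATE, plc, t0),
        "engineer_logic": ac.authorize(bob, ENGINEER, plc, t0),
        "engineer_wrong_zone": ac.authorize(bob, ENGINEER, Asset("PLC-LINE3", "line3"), t0),
        "self_approval": ac.can_approve(alice, alice)[0],
    }
    ac.grant_elevation(alice, approver=bob, minutes=30, now=t0)
    out["operator_logic_elevated"] = ac.authorize(alice, ENGINEER, plc, t0 + timedelta(minutes=10))
    out["operator_logic_expired"] = ac.authorize(alice, ENGINEER, plc, t0 + timedelta(minutes=31))
    out["audit_entries"] = len(ac.audit)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The audit list is the part that pays for itself during an incident: it answers "who changed that setpoint and who approved their access" without guessing from a shared login.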
3. IOT BOTNETS
Infradata lists IoT botnets as the third most dangerous threat to operational technology today.
As IoT devices become more common in critical industries such as manufacturing and mining, they bring new security challenges to the ICS/OT environment through their varied communication paths, such as Wi-Fi, mesh networks and NFC, which sit outside the wired network the plant knows how to monitor.
The problem is made worse by the design of many of these devices, which may ship with passwords hard-coded into firmware or were built without software updates and patching in mind. All of this leaves industrial IoT devices exposed.
IoT botnets are used to launch Distributed Denial of Service (DDoS) attacks. These attacks flood ICS components with requests and saturate the links between them, causing a temporary shutdown. Controllers are especially fragile targets: a PLC or RTU has a small embedded network stack and can be knocked offline by traffic volumes that a normal server would not notice.
HOW TO COMBAT THIS ISSUE
- Intrusion Prevention Systems (IPS)
An IPS inspects all traffic passing through the network in real time.
IPS builds on its predecessor, the Intrusion Detection System (IDS). Unlike an IDS, an IPS is not passive: it sits inline, analyzes traffic and takes action when an intrusion is spotted.
Those actions include raising alarms, blocking traffic and resetting connections, all in order to contain and neutralize the threat. One caveat applies in OT: an inline device that drops a legitimate control message on a false positive causes the very outage it is meant to prevent, so an IPS is usually run first in detect-only mode and placed at the IT/OT boundary rather than inside the control network.
- Network Behavior Analysis (NBA)
Network Behavior Analysis systems, like an IPS, monitor live network traffic, but instead of matching signatures they learn what normal looks like and flag deviations from it: new devices, new conversations between known devices, unusual protocols or commands, or changes in bandwidth.
NBA also tracks bandwidth and protocol use over time in order to spot malicious data sources or destinations.
Because it works on patterns, NBA becomes more useful the longer it runs, and it doubles as a tool for general communications analysis and the identification of system anomalies. This suits OT particularly well, since industrial traffic is highly repetitive and a reliable baseline is easy to establish.
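The following is an added example of the behavioral approach, not code from the article or any NBA product, and it also covers the botnet flood described under issue 3. It learns a baseline from a window of constructed, already-decoded Modbus request records (timestamp, client, server, function code) and then scores a later window against it, reporting a conversation never seen before, a function code a known pair never used (a write where only reads were seen), and a request rate far above the baseline. Addresses, the baseline traffic and the attack window are all constructed.

```python
"""Network behavior analysis for a Modbus/TCP cell: learn, then flag deviations.

Added example, not from the article or any vendor product. It learns a
baseline from a window of constructed, already-decoded Modbus request records
(timestamp, client, server, function code) and then scores a later window
against it. Three deviations are reported: a client/server conversation never
seen in the baseline, a function code a known pair never used (a write where
only reads were seen), and a request rate far above the baseline, which is
what a botnet flood against a controller looks like. Alerts are de-duplicated
so a flood of 500 packets produces one alert, not 500.
"""
from collections import Counter, defaultdict

MODBUS_FC = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}


def _rate(records):
    """Requests per second per (client, server) pair over the window."""
    counts = Counter((src, dst) for _, src, dst, _ in records)
    times = [t for t, *_ in records]
    span = (max(times) - min(times)) if len(times) > 1 else 1.0
    span = span or 1.0
    return {pair: n / span for pair, n in counts.items()}


class Baseline:
    def __init__(self):
        self.functions = defaultdict(set)  # (client, server) -> function codes seen
        self.rate = {}                     # (client, server) -> requests/second

    def learn(self, records):
        for _, src, dst, fc in records:
            self.functions[(src, dst)].add(fc)
        self.rate = _rate(records)
        return self

    def analyze(self, records, rate_factor=5.0):
        """Return de-duplicated alerts as (kind, client, server, detail) tuples."""
        alerts, seen = [], set()

        def emit(kind, src, dst, detail):
            key = (kind, src, dst, detail)
            if key not in seen:
                seen.add(key)
                alerts.append(key)

        for _, src, dst, fc in records:
            pair = (src, dst)
            name = MODBUS_FC.get(fc, f"FC {fc}")
            if pair not in self.functions:
                emit("new-conversation", src, dst, name)
            elif fc not in self.functions[pair]:
                emit("new-function", src, dst, name)
        for pair, rps in _rate(records).items():
            base = self.rate.get(pair)
            if base and rps > rate_factor * base:
                emit("rate-anomaly", pair[0], pair[1], f"{rps:.0f}/s vs baseline {base:.1f}/s")
        return alerts


HMI, PLC, ENG, IOT = "10.10.1.10", "10.10.2.20", "10.10.3.7", "10.10.9.99"


def demo_baseline():
    """Constructed 60 s of normal traffic: the HMI polls coils and registers once a second."""
    return [(t, HMI, PLC, fc) for t in range(60) for fc in (1, 3)]


def demo_window():
    """Constructed 10 s window: normal polling plus three deviations."""
    recs = [(float(t), HMI, PLC, 3) for t in range(10)]
    recs += [(t + i / 50, HMI, PLC, 3) for t in range(10) for i in range(50)]  # flood from the HMI address
    recs.append((5.0, ENG, PLC, 16))   # engineering station writes registers: new conversation
    recs.append((5.5, HMI, PLC, 6))    # HMI writes a register although it only ever read
    recs += [(t + i / 20, IOT, PLC, 3) for t in range(10) for i in range(20)]  # unknown device hammering the PLC
    return recs


def run_demo():
    return Baseline().learn(demo_baseline()).analyze(demo_window())


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The unknown device's 200 requests collapse into a single new-conversation alert, which is the behaviour an analyst needs during a flood; the rate-anomaly alert is only raised for pairs that have a baseline, since there is nothing to compare an unknown device against.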
4. MALICIOUS ATTACKS
On our blog, we have previously profiled the infamous 2017 Triton case, which has been called the first cyber attack to target a safety system directly, and is therefore especially worrying.
Triton targeted safety instrumented system (SIS) controllers, in that case Schneider Electric Triconex units. A safety system's job is to shut a process down before it reaches a dangerous state, so an attack that succeeds in tampering with it threatens not only the infrastructure but human lives. An earlier example of the impact industrial malware can have on the wider population is Sandworm's attack on the Ukrainian power grid in December 2015, when more than 230,000 people lost electricity.
A 2019 survey by Fortinet found that 9 in 10 companies had experienced at least one OT system intrusion, and the tempo of these attacks has not stopped increasing.
That is why keeping malware out of your ICS in the first place is a critical part of any protection strategy.
HOW TO COMBAT THIS ISSUE
- Next Generation Firewalls
There are many advantages to integrating NGFWs with other industrial cybersecurity solutions.
To begin with, NGFWs are more advanced than traditional firewalls. While keeping the services of 'old gen' firewalls, such as NAT (IP mapping) and static and stateful packet filtering, NGFWs add deep packet inspection, the most important result of which is the ability to recognize and block malware in transit rather than merely a port.
These firewalls can also filter by application rather than by port, and can use allowlists or signature-based IPS to identify unsafe applications. For OT the decisive feature is support for industrial protocols: an OT-aware NGFW can decode Modbus, DNP3 or S7 and enforce rules at the function-code level, for instance allowing an HMI to read from a PLC while denying it writes. Importantly, NGFWs also receive continuous signature and rule updates, which removes the obligation to constantly search for new solutions to keep pace with changes in ICS/OT security.
Integrating NGFWs with OT-specific security solutions improves network visibility and control, allowing your security team to quickly detect unauthorized changes to ICS devices. NGFWs can also be fed by ICS asset discovery and tracking tools, so that protection rules can be defined consistently across both the IT and the OT environment.
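The following is an added example of what "application-aware" means for an industrial protocol; it is not code from the article or any firewall vendor. It parses the Modbus/TCP MBAP header and function code out of a raw TCP payload and evaluates a small zone-based policy: the HMI zone may read from the PLC zone, the engineering zone may read and write, and everything else, including malformed traffic on the Modbus port, is denied. The zone addresses, the policy and the packet bytes are constructed for the example.

```python
"""Application-aware filtering at the IT/OT boundary, the way an OT-aware NGFW does it.

Added example, not from the article or any firewall vendor. It parses the
Modbus/TCP MBAP header and function code out of a raw TCP payload and
evaluates a small zone-based policy: the HMI zone may read from the PLC
zone, the engineering zone may read and write, and everything else,
including malformed traffic on the Modbus port, is denied. Zone addresses
and packet bytes are constructed for the example.
"""
import ipaddress
import struct

MODBUS_PORT = 502
READ_FUNCS = {1, 2, 3, 4}        # read coils/inputs/holding/input registers
WRITE_FUNCS = {5, 6, 15, 16}     # write single/multiple coils and registers

# Hypothetical zones. A plain firewall stops at "hmi may reach plc:502";
# the point of an NGFW is the function-code column in POLICY.
ZONES = {
    "hmi": ipaddress.ip_network("10.10.1.0/24"),
    "eng": ipaddress.ip_network("10.10.3.0/24"),
    "plc": ipaddress.ip_network("10.10.2.0/24"),
}
# (source zone, destination zone, permitted Modbus function codes)
POLICY = [
    ("hmi", "plc", READ_FUNCS),
    ("eng", "plc", READ_FUNCS | WRITE_FUNCS),
]


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def parse_modbus_tcp(payload):
    """Decode the 7-byte MBAP header plus function code; None if not well-formed Modbus/TCP."""
    if len(payload) < 8:
        return None
    tid, proto_id, length, unit = struct.unpack("!HHHB", payload[:7])
    # Protocol identifier is always 0; length counts unit id + PDU (everything after byte 6).
    if proto_id != 0 or length != len(payload) - 6:
        return None
    return {"transaction": tid, "unit": unit, "function": payload[7], "data": payload[8:]}


def decide(src_ip, dst_ip, dst_port, payload):
    """Return (verdict, reason) for one request. Deny is the default."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if dst_port != MODBUS_PORT:
        return "deny", f"no rule for {src_zone}->{dst_zone} port {dst_port}"
    req = parse_modbus_tcp(payload)
    if req is None:
        return "deny", "malformed Modbus/TCP on port 502"
    for rule_src, rule_dst, funcs in POLICY:
        if (src_zone, dst_zone) == (rule_src, rule_dst):
            if req["function"] in funcs:
                return "allow", f"{src_zone}->{dst_zone} function {req['function']} permitted"
            return "deny", f"{src_zone}->{dst_zone} function {req['function']} not permitted"
    return "deny", f"no rule for {src_zone}->{dst_zone}"


def modbus_request(function, *fields, transaction=1, unit=1):
    """Build a Modbus/TCP request with 16-bit fields (constructed test traffic)."""
    pdu = struct.pack("!B", function) + b"".join(struct.pack("!H", f) for f in fields)
    return struct.pack("!HHHB", transaction, 0, len(pdu) + 1, unit) + pdu


if __name__ == "__main__":
    read = modbus_request(3, 0, 10)      # read 10 holding registers from address 0
    write = modbus_request(6, 16, 255)   # write 255 to register 16
    print(decide("10.10.1.10", "10.10.2.20", MODBUS_PORT, read))
    print(decide("10.10.1.10", "10.10.2.20", MODBUS_PORT, write))
    print(decide("10.10.3.7", "10.10.2.20", MODBUS_PORT, write))
```

Note the two denies that a port-based firewall cannot produce: the HMI's write request, and the junk on port 502 whose length field does not match the packet. Real OT firewalls go one step further and can restrict writes to specific register ranges; the structure is the same, with an extra column in the policy.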
- Endpoint Protection
Implementing endpoint security through application allowlisting is one of the best ways to protect your OT environment from ICS intrusions.
This approach prevents attacks on ICS by denying execution to any application that has not been approved in advance. Instead of hunting for and blocking known malware, allowlisting goes the other way: only trusted files may run. It suits OT well because the software on an HMI or engineering workstation changes rarely, so a fixed allowlist is practical there, whereas signature-based antivirus needs updates that such systems often cannot receive.
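The following is an added example of the allowlisting decision, not code from the article or any endpoint product. It builds an allowlist of SHA-256 digests for the executables that belong on an HMI and then decides whether a file may run. The point it makes is that the decision is tied to content, not to a path: a binary at an approved path whose bytes have changed is denied exactly like an unknown one. The files and their contents are created in a temporary directory for the example.

```python
"""Application allowlisting by cryptographic hash, as endpoint protection for an HMI.

Added example, not from the article or any endpoint product. An allowlist of
SHA-256 digests is built from the executables that belong on the host; at
execution time a file may run only if its digest is on the list. A path
alone is not trusted, so a replaced or patched binary at an approved path is
denied just like an unknown one. Files are created in a temporary directory
for the example.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class Allowlist:
    """Maps approved digests to labels. Anything not in the map is denied."""

    def __init__(self):
        self.approved = {}

    def approve(self, path, label):
        digest = sha256_file(path)
        self.approved[digest] = label
        return digest

    def decide(self, path):
        """Return (allowed, reason) for an execution request."""
        if not os.path.isfile(path):
            return False, "file does not exist"
        digest = sha256_file(path)
        label = self.approved.get(digest)
        if label is None:
            return False, f"digest {digest[:12]}... not on allowlist"
        return True, f"matches approved {label}"


def demo():
    """Approve an HMI binary, then try the original, a tampered copy and an unknown tool."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        hmi = os.path.join(d, "hmi_runtime.exe")
        with open(hmi, "wb") as f:
            f.write(b"MZ" + b"\x00" * 64 + b"HMI RUNTIME v3.1")   # constructed stand-in binary
        al = Allowlist()
        al.approve(hmi, "HMI runtime 3.1")
        results["original"] = al.decide(hmi)[0]

        with open(hmi, "ab") as f:    # attacker appends a payload; the path is unchanged
            f.write(b"\x90" * 8)
        results["tampered"] = al.decide(hmi)[0]

        tool = os.path.join(d, "remote_tool.exe")
        with open(tool, "wb") as f:
            f.write(b"MZ unknown admin tool")
        results["unknown"] = al.decide(tool)[0]
        results["missing"] = al.decide(os.path.join(d, "nope.exe"))[0]
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

The operational consequence is that every sanctioned patch of the HMI software must be followed by regenerating the list, which is why commercial products also accept a vendor's code-signing certificate as an approval criterion; a hash list is the simplest form and the one that makes the tamper case obvious.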
SECURITY SOLUTION INTEGRATION VS. SECURITY SOLUTION SEGREGATION
In the end, the best way to ensure your business is protected is not to address each of the issues in this article in isolation, but to implement a "defense in depth" approach: an integrated set of OT security controls, layered so that a failure in any one of them is caught by the next.