Looking Back and Forward: Critical Takeaways for Operational Technology Security

By Rick Peters | December 02, 2020

This is a summary of an article written for Industry Today by Rick Peters, CISO for Operational Technology, North America at Fortinet. The entire article can be accessed here.

While IT threats tend to dominate the spotlight, threats targeting supervisory control and data acquisition (SCADA) systems and other industrial control systems (ICS) are equally significant. The recent 10th anniversary of Stuxnet serves as a reminder of this, demonstrating that operational technology environments remain vulnerable, and are still perceived as excellent targets by sophisticated cyber attackers. 

As noted in Fortinet’s State of Operational Technology and Cybersecurity Report, 74% of OT organizations have experienced a malware intrusion over the past 12 months. This can be attributed to several factors, including the prevalence of legacy systems, some of which are 20 to 30 years old, and infrequent updates that leave networks exposed to known vulnerabilities. Another trend of note is that threat actors are now likely to employ post-intrusion obfuscation and advanced anti-analysis techniques once they gain access to the network. Such practices make it challenging for IT teams to determine the methodology, origins, and intent of an attack, thereby making it more difficult to prevent future attempts.

Considering the evolving nature of these operational technology system intrusions, we must give them the attention they deserve, performing a holistic analysis of the tactics employed and using that intelligence to advance future cybersecurity defense strategies.

Stuxnet Evolves: EKANS 2019

Stuxnet made headlines back in 2010 when it was discovered that a malicious computer worm was – rather unconventionally – targeting SCADA systems. The code was much larger and more sophisticated than any of its predecessors; at over 500 kilobytes, it easily made its way into Windows machines and networks, replicating several times before seeking out the final SCADA target. 

What was so unique about Stuxnet was its ability to compromise programmable logic controllers (PLCs), which are industrial digital devices often ruggedized and adapted for the control of manufacturing processes. In this instance, the PLCs enabled the automation of electromechanical processes, such as those that take place in industrial or mechanical plants. As Fortinet’s Rick Peters explains, “Stuxnet’s precision was instrumental in the evolution of threats to, and security of, OT.”

Leading into 2020, OT networks are still commonly preyed upon by cybercriminals. Take EKANS ransomware, which emerged in December 2019, as an example. As noted in the latest Fortinet Threat Landscape Report, EKANS was found to be heavily obfuscated and was written in the Go programming language, which requires more extensive, manual analysis and is therefore difficult to detect. The use of this ransomware is especially troubling when considering the costly impact to vulnerable OT systems and the future of operational technology security: adversaries might be broadening the focus of this methodology to target OT environments. And it has only continued to evolve: a variant discovered in June 2020 was found to be capable of disabling the host’s firewall, in addition to more predictable ransomware behaviors like encrypting files and leaving a ransom note.

IT and OT Convergence Security

EKANS is far from the only malicious ransomware recently identified to have been targeting OT networks. Many other sophisticated attacks have been recorded since Stuxnet, perhaps due to the increase in potential vulnerability brought on by the digital transformation of OT networks that are now connected to the Internet. Amid the convergence of IT and OT networks, the air gap once needed to isolate cyber-physical assets has been minimized. Cyber criminals have also gained the ability to move laterally (east-west) from IT to OT networks, enabling them to silently expand their presence across the environment. 

ICS and SCADA systems have thus become more promising targets for cyber criminals involved in terrorism, espionage, and cyber warfare – and, unfortunately, that threat landscape continues to grow. 

“Many, if not most, OT environments are like islands that have been isolated for eons. Their “ecology” has grown up in isolation because the air gap between the OT network and the rest of the IT environment has protected it like a wide ocean protects the species on a remote island. As a result, many OT systems have “evolved” over the decades. They use very old technology and have little or no internal security, and as a result, are vulnerable. Interconnecting with an IT network opens up OT to the predatory world of cyberattacks and malware for which it is unprepared.”

- Joe Robertson, Securing Operational Technology in a Dynamic Landscape, Fortinet

Security professionals must pay close attention to OT systems, not only in factories and manufacturing plants, but also in critical infrastructure: power plants, water treatment systems, oil rigs, and even traffic control systems are susceptible to compromise, and a successful intrusion into one of these networks can put national security in danger.

Notable Operational Technology Security Threats in 2020

During the first six months of 2020, two notable OT threat developments, in particular, caught the eye of the research team at FortiGuard Labs. The following were noted in the latest threat landscape report:  

  1. In January, according to Fortinet's FortiGuard Labs, a surge of activity was detected across IPS sensors in the United States, Germany, and Brazil. This surge primarily involved Modbus TCP servers and programmable logic controllers (PLCs) and had the potential to leak critical data and information. Ultimately, Modbus-related detections made up the majority of threats targeting OT systems during this timeframe. While some of these triggers may not have been malicious, they’re worth continued attention. An attack infiltrating the SCADA network could cause serious losses via access to the Modbus controller. 
  2. In May, researchers discovered Ramsay, an espionage framework built to collect and exfiltrate sensitive files within highly restricted or air-gapped networks – characteristics that define a small percentage of OT environments. While it’s difficult to determine how long Ramsay malware has been active, some experts have tied the threat to an older APT entity, Darkhotel. More research still needs to be done, but it seems that hackers see the obvious value in Ramsay’s targeting potential.
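The Modbus-related detections described in item 1 come from IPS sensors, but the same triage can be reproduced on captured Modbus/TCP traffic. The following is an added example, not code from Fortinet, FortiGuard Labs, or the article: it parses the MBAP header of each request, rejects malformed frames (wrong protocol identifier or a length field that does not match the frame), and raises an alert when a write or diagnostic function code arrives from a host that is not an authorized engineering workstation. The addresses, the authorized-writer set and the sample frames are all constructed for the example.

```python
"""Triage of Modbus/TCP requests: parse the MBAP header and flag write or
diagnostic function codes from hosts not authorized to change PLC state.
Added example, not Fortinet or FortiGuard Labs code."""
import struct
from dataclasses import dataclass

MODBUS_PROTOCOL_ID = 0    # MBAP protocol identifier is always 0 for Modbus
MBAP_PLUS_FC_LEN = 8      # 7-byte MBAP header + 1-byte function code

# Function codes that only read state.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
# Function codes that change PLC state; only engineering hosts should send them.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
# Diagnostic and device-identification codes, worth noting from any unexpected host.
DIAG_FUNCTIONS = {8: "Diagnostics", 43: "Encapsulated Interface Transport"}
KNOWN_FUNCTIONS = set(READ_FUNCTIONS) | set(WRITE_FUNCTIONS) | set(DIAG_FUNCTIONS)


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode one Modbus/TCP request; raise ValueError on a malformed frame."""
    if len(frame) < MBAP_PLUS_FC_LEN:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", frame[:MBAP_PLUS_FC_LEN])
    if proto != MODBUS_PROTOCOL_ID:
        raise ValueError(f"unexpected protocol id {proto}")
    # The length field counts unit id + function code + data: everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame ({len(frame) - 6})")
    return ModbusRequest(tid, unit, fc, frame[MBAP_PLUS_FC_LEN:])


def assess_request(src_ip: str, frame: bytes, authorized_writers: set) -> list:
    """Return alert strings for one request from src_ip (empty list = nothing to flag)."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as err:
        return [f"MALFORMED from {src_ip}: {err}"]
    alerts = []
    if req.function_code in WRITE_FUNCTIONS and src_ip not in authorized_writers:
        alerts.append(f"UNAUTHORIZED WRITE from {src_ip}: "
                      f"{WRITE_FUNCTIONS[req.function_code]} to unit {req.unit_id}")
    if req.function_code in DIAG_FUNCTIONS:
        alerts.append(f"DIAGNOSTIC from {src_ip}: {DIAG_FUNCTIONS[req.function_code]}")
    if req.function_code not in KNOWN_FUNCTIONS:
        alerts.append(f"UNEXPECTED FUNCTION {req.function_code} from {src_ip}")
    return alerts


# Constructed sample traffic with hypothetical addresses, not a real capture.
AUTHORIZED_WRITERS = {"10.1.0.5"}   # hypothetical engineering workstation
SAMPLE_TRAFFIC = [
    ("10.1.0.5", "00010000000601030000000a"),             # read 10 holding registers
    ("10.1.0.5", "0002000000060106001000ff"),             # authorized single-register write
    ("10.99.0.77", "00030000000b0110000000020400000000"),  # write 2 registers, unknown host
    ("10.99.0.77", "000400000006010800010000"),           # diagnostics sub-function 0x0001
    ("10.99.0.77", "00050001000601030000000a"),           # protocol id 1: malformed
]


def triage(traffic=SAMPLE_TRAFFIC, authorized_writers=AUTHORIZED_WRITERS) -> list:
    """Run every request through assess_request and return all alerts in order."""
    alerts = []
    for src_ip, hex_frame in traffic:
        alerts.extend(assess_request(src_ip, bytes.fromhex(hex_frame), authorized_writers))
    return alerts


if __name__ == "__main__":
    for line in triage():
        print(line)
```

Run against the constructed traffic, the two requests from the authorized workstation produce nothing, while the unknown host's write, its diagnostics request and the malformed frame each produce one alert. The allowlist of writers is the important design choice: on a plant network the set of hosts that legitimately issue write function codes is small and stable, so a write from anywhere else is worth an analyst's attention even when the frame itself is well formed.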

Maintaining Operational Technology Security & Tightening Defense Strategies

Since Stuxnet was discovered, cyber criminals have only become more sophisticated and committed in their efforts to compromise OT networks. The upward trend in OT attacks only increased after the onset of the COVID-19 pandemic. In order to cope, organizations must begin to develop a more proactive defense strategy that seals off OT environments, leveraging up-to-date threat intelligence and constantly analyzing and revising their tactics. One way to get ahead of attackers is by leveraging the MITRE ATT&CK knowledge base. Start testing your current security controls against the latest intrusion techniques to ensure you can protect against or, at least, detect them. Note instances where gaps are uncovered and use this data to prioritize future improvements. 

It’s also important that OT security solutions integrate with threat protection in corporate IT environments: these solutions must cover not only the data center but also the cloud and the network perimeter. By applying general cybersecurity best practices, your organization gains visibility and control within the OT environment, alongside automated analytics that detect threats at network speed.

“Adopting an ecosystem approach to OT security minimizes complexity while reducing operating expenses, compared to broad integration of discrete point security solutions in siloed IT and OT environments.” 

Rick Peters, The Aftermath of Stuxnet, Industry Today

By implementing strategies such as these, organizations can take an active approach to counter cyber adversaries targeting OT environments – one that centers on visibility, control, and automated awareness, as well as the ability to avoid latency, enable scalability, and achieve rapid analysis to bolster the safety and productivity of OT systems.