Ransomware attacks against operational technology (OT) are increasing, spurred on by the convergence of IT and OT networks and the accessibility of attack kits available on the dark web. Over the last two years, the range of targets that represent operational technology and critical infrastructure has grown. Some attacks have even been able to target OT systems by gaining access via compromised home networks and devices of remote workers.
FortiGuard Labs' Derek Manky and Fortinet’s operational technology CISO Rick Peters, offer their perspectives on current attack trends and how OT organizations can defend against them. For more detail about expected upcoming threats, read Fortinet’s FortiGuard Labs 2022 Threat Landscape Predictions.
Rick Peters: We've experienced a lot of growth in what I would characterize, not just as the attack surface, but the range of targets that represent operational technology and critical infrastructure. In terms of security, there's a sense of urgency that didn't exist before. When you start talking about the electric grid, when you talk about oil and gas, water, waste water, chemical manufacturing, these are the industries that are on the pointed end of the spear right now.
Whether it's organized crime or sponsored nation states, these bad actors aren't bashful when it comes to parlaying trade craft. And one thing that's common across all the subsectors of operational technology, is the dependence on legacy hardware and software that can be decades old. So, when you're considering the risks associated with advanced persistent threats, I think that's an important element to keep in mind.
Derek Manky: If we look at the state of security, the attack surface is absolutely expanding, and malware is being created to take advantage of that fact. We're also seeing a shift to advanced persistent cybercrime because cybercriminals are becoming more skillful and resourceful. And then there's also the connectivity problem. One of the things we highlight in the report is that the attack surface goes from the core to the edge, to space, literally, with low earth orbit satellites. We have a connected, integrated attack surface now, and cyber criminals are looking at how they can hit these targets.
If we look at the actual malware and platforms, a lot of OT devices are running on Linux or flavors of Linux, on different customized versions or kernels. These platforms provide a lot of attack opportunities, and we're seeing them start to develop a payload. So, we're seeing malware that goes beyond traditional Windows-based botnets.
And as Rick mentioned, a lot of older platforms and systems are still in place. They are still a concern, which is why we talk about keeping patches for these systems up to date, if they are available. But the fact is, sometimes the systems are so old or they're at their end of life and patches simply don't exist.
Although we do see exploits that take advantage of unpatched systems, thinking ahead, we need to focus on the interconnectivity that's happening because of the convergence of IT and OT technology. Platforms like Linux are in the crosshairs, but now we also have modern OT sensors and other technology out there as well.
For example, IT systems running on Microsoft Windows and other platforms are now connected to OT, and that poses a big threat. We saw this in the ransomware attacks that happened this year. Attackers weren't targeting OT environments directly, but targeting IT, and therefore leapfrogging or doing lateral movement into OT environments.
Looking ahead, you absolutely have to think about how technology is converging. With these connected systems, how do you do segmentation? How do you do all the proper security inspection in terms of a mesh architecture?
Rick Peters: Cybercrime is definitely a growing industry, and most organizations realize that they're a target and the need for a proportional response. But I think we need to have a way to translate all this work into something that's measurable to convince executive leaders that even if they're not seeing events occur right now, cybercrime is in fact a growing trend. Arguably it is better if we can be proactive and neutralize attacks instead of continually responding and reacting to events.
Derek Manky: I agree that being proactive is key. Every time we've investigated the costs of security readiness, the upfront cost of investment and security and proactive incident response planning is much less than the damage that occurs. In enterprise environments, the average cost of a data breach more than $4 million, but in OT, that number can get much higher because we start talking about manufacturing and supply chain concerns.
You need to ask "what if" questions like how much is it going to cost if a production line goes down for eight hours versus two days? It puts risks into perspective, and makes you realize that investing in security upfront is almost always much, much lower.
Derek Manky: With advanced persistent threats, cybercriminals are focused on trying to evade security, detection, intelligence, and controls using extremely clever malware that includes a lot of heavy obfuscation. These types of sophisticated ransomware and payloads are targeting and affecting OT environments.
The only way that you can possibly start to prevent that proactively is through behavioral-based detection with up to date, real time threat intelligence. Cyber criminals are spending their time on reconnaissance, finding ways to weaponize new technologies and evade controls. So, you need behavioral-based counter action that includes artificial intelligence and machine learning.
The reality is that criminals have full-blown business models and supply chains of their own. We track what they're doing on the dark web, for example, and we see the alpha or beta versions of new technology they're working on before it's actually released. It's like a game of chess. We need to understand what's in their toolkit and the actions they can take. Then with that information, we can have the relevant technologies and strategy in place for before they make their move.