OT Infrastructure Attacks – The Risk is Real

By Joe Robertson | July 07, 2020

Operational Technology (OT) is the network segment used by businesses that produce goods or run physical processes. Industries such as manufacturing, chemicals, oil and gas, mining, transportation, and logistics all rely on specialized technology to run assembly lines, production yards, and energy grids. The control, monitoring, and management of these systems have been progressively automated over the last few decades, and the specialized systems that perform these tasks are variously called Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA) systems, or simply OT.

The networks where these OT systems operate have traditionally been separated from the corporate Information Technology (IT) environment and from the internet, often by an air gap. They are also usually managed by operations staff rather than IT, and for good reason. A production floor can generate millions of dollars an hour, and communities rely on critical infrastructure for things like clean water and energy. When these systems go down, even for a few minutes, it can cost hundreds of thousands of dollars and put workers and surrounding communities at risk.

Put simply, IT is about managing data; OT is about making things. And because OT systems were isolated, the OT world felt immune to the hacking that has been a fact of life in IT environments.

But recent OT attacks have changed that sense of immunity. 

Cyberattacks on these systems, and on OT infrastructure in general, are increasing, and they are causing real damage. We can probably date the first true OT attack to Stuxnet a decade ago. Its target sat behind a genuine air gap, meaning it had no connectivity to external networks, yet it was breached nevertheless. In 2017, NotPetya, a destructive wiper disguised as ransomware, disrupted production and shut down offices. That same year, the Trisis/Triton malware was aimed at the safety instrumented systems that protect oil and gas production equipment. And 2020 has seen the appearance of the Ekans, or Snake, ransomware, which carries a kill list of ICS-related processes so that it can halt industrial software before encrypting files.

The Air Gap is Dissolving

First, air gapping never guaranteed security, although isolation did make OT systems harder to attack. Gaining physical access has always been possible through social engineering, whether by leaving an infected USB stick in the parking lot or simply walking in the door with a clipboard, a hard hat, and an air of confidence.

Second, if you think your OT environment is air gapped, you are probably wrong. Maintenance access to industrial machines, remote updating of ICS tools, and remote firmware updates all leave potential back doors into the OT environment that you may not even be aware of: a cellular modem on a vendor's equipment, a dual-homed engineering workstation, or a remote-support link set up for one project and never removed.

But most significantly, IT and OT networks are coming together, exposing OT to attacks that begin in the IT world. Combining business data with production lets businesses respond faster to market changes and manage and control systems remotely. These advantages come with real risks. New malware aimed specifically at OT equipment uses reconnaissance and delivery components that exploit the IT environment and its network connections to reach industrial control systems.

For example, the Trisis/Triton malware has components aimed directly at a safety instrumented system used in petrochemical plants. It is an OT-specific attack. But the processes, procedures, and techniques it used to reach that safety system are ordinary IT intrusion methods: reconnaissance, stolen credentials, and lateral movement from the corporate network into the OT network and onto an engineering workstation that could talk to the safety controllers.

IT/OT Convergence Is Real

Despite the added risk to OT networks, IT/OT convergence is happening because it makes financial and operational sense. Operations teams are deploying sophisticated control systems whose software and databases run on IT platforms. Devices like Wi-Fi-enabled thermostats and valves can be monitored and controlled remotely over the IT infrastructure. And CFOs don't like the cost of separate networks or of the separate teams needed to run them.

Bringing the IT and OT worlds together offers greater process and business efficiency. So convergence is happening, and we need to acknowledge that it increases cyber risk in a number of ways.

First, it expands what is called the "digital attack surface," which is a fancy way of saying that attackers have many more devices to target. The number of web servers, branch offices, remote and home workers, and IoT devices is exploding, and each is a potential path into the IT network and, ultimately, into your OT environment. Likewise, many of the OT systems now connected to the IT network are older, fragile devices that were never designed to be exposed: they may run unsupported operating systems, speak industrial protocols with no authentication, and tolerate patching only during rare maintenance windows, which makes them much easier to exploit.

Not only that, threats have become increasingly sophisticated. Just as companies are undergoing digital transformation and building versatile software, attackers are using the same techniques to build complex, modular malware. Their attacks use a variety of mechanisms to infiltrate your IT and, increasingly, your OT environment while evading your security tools.

And speaking of security tools, there are now so many of them that managing threats has in some ways become harder than ever. Surveys have shown that most good-sized enterprises run between 30 and 90 different security tools from almost as many vendors. Each has its own management console and requires trained personnel to operate it. In too many cases the security staff simply doesn't have time to deal with all of them, and real threats get lost in the noise.

And finally, regulations governing breaches and the protection of personal information have made security even more complex for IT and OT managers. There are general standards, such as PCI DSS (the Payment Card Industry Data Security Standard), GDPR (the EU General Data Protection Regulation), and the NIST (National Institute of Standards and Technology) Cybersecurity Framework, that organizations need to understand and follow. There are also industry-specific standards and regulations from organizations such as the International Organization for Standardization (ISO) and the American National Standards Institute (ANSI), for example the ISA/IEC 62443 series for industrial automation and control systems, that govern how and where security needs to be applied.

You are a Target. Don’t Be a Victim

Stated bluntly, your OT environment is an attractive target—and if it hasn’t been attacked yet, it will be.

When it comes to ICS and SCADA systems, there has in many cases been a huge under-investment in security. There are many reasons for this, but regardless of why, it is a situation that needs to be corrected. Whether or not your organization is converging IT and OT, you should protect your OT with a few security best practices:

  1. Recognize that the risk to your organization is growing and commit to taking action.
  2. Put tools in place that provide broad visibility into the OT network as well as IT. This includes discovering and inventorying devices, restricting access to authorized staff only, and gaining visibility into applications and traffic, including the industrial protocols in use.
  3. Employ a strategy of segmentation. Place gateways with strict, default-deny policies between the IT and OT environments, and do the same between the different levels of your OT network. The goal is to ensure that each system and subsystem is doing its job, and only its job. Segmentation prevents an attack in one spot from propagating everywhere.
  4. Replace an open, trust-based access model with a zero-trust access strategy. Put access controls in place that authenticate users, restrict them to only those systems they need to do their jobs, and monitor them while they are connected to the network. This applies to everyone, but is especially important for contractors and vendors.
  5. Use automation to help analyze activity and speed up your response. Put in place tools that log activity, analytics that search those logs for abnormal behavior, and security systems that can respond to detected threats. Given the speed at which today's attacks unfold, automation and orchestration are essential for identifying threats and taking action in seconds or less.
  6. Establish processes for auditing and testing your systems, and build incident response playbooks covering backup, recovery, and restoration so that you are ready when a breach does occur.
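To make items 3 and 5 concrete, here is an added example (not Fortinet code and not part of the original article) of the kind of check a segmentation gateway or log analytics pipeline performs: a default-deny allowlist between Purdue-style zones, plus inspection of the Modbus/TCP function code so that writes toward safety devices are flagged even when the port is permitted. The zone address ranges, the sample flows, and the two Modbus frames are constructed for this example; the MBAP header layout and the write function codes (5, 6, 15, 16, 22, 23) come from the Modbus/TCP specification.

```python
"""Zone allowlist plus Modbus/TCP write inspection over constructed flow records.

Added example, not Fortinet code. Zone ranges, addresses and frames are made up;
the Modbus function codes and MBAP header layout are from the Modbus/TCP spec.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Purdue-style zones with hypothetical address ranges.
ZONES = {
    "enterprise":  ipaddress.ip_network("10.0.0.0/16"),      # Level 4/5: corporate IT
    "ot_dmz":      ipaddress.ip_network("10.10.0.0/24"),     # Level 3.5: jump hosts, historian replica
    "supervisory": ipaddress.ip_network("192.168.10.0/24"),  # Level 2: HMIs, SCADA servers
    "control":     ipaddress.ip_network("192.168.20.0/24"),  # Level 1: PLCs, RTUs
    "safety":      ipaddress.ip_network("192.168.30.0/24"),  # safety instrumented systems
}

# Default-deny allowlist between zones: (src_zone, dst_zone, proto, dst_port).
# There is deliberately no enterprise -> control entry: IT reaches OT only through the DMZ.
ALLOW = {
    ("enterprise",  "ot_dmz",      "tcp", 443),
    ("ot_dmz",      "supervisory", "tcp", 3389),   # jump host to HMI
    ("supervisory", "control",     "tcp", 502),    # Modbus/TCP from HMI to PLCs
    ("supervisory", "safety",      "tcp", 502),    # Modbus/TCP to SIS, reads only (checked below)
}

# Modbus function codes that change process state (write coils/registers).
MODBUS_WRITE_FC = {5, 6, 15, 16, 22, 23}
# Zones whose devices must never accept Modbus writes over the network.
NO_WRITE_ZONES = {"safety"}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""  # first Modbus/TCP ADU of the stream, if captured


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def modbus_function_code(payload: bytes) -> Optional[int]:
    """Return the function code of a Modbus/TCP ADU, or None if it is malformed.

    MBAP header: transaction id (2 bytes), protocol id (2, must be 0),
    length (2, counts unit id + PDU), unit id (1); the PDU starts with the function code.
    """
    if len(payload) < 8:
        return None
    protocol_id = int.from_bytes(payload[2:4], "big")
    length = int.from_bytes(payload[4:6], "big")
    if protocol_id != 0 or length < 2 or len(payload) < 6 + length:
        return None
    return payload[7]


def evaluate(flow: Flow) -> list[str]:
    """Return findings for one flow; an empty list means the flow is permitted."""
    findings = []
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if (src_zone, dst_zone, flow.proto, flow.dport) not in ALLOW:
        findings.append(f"deny {src_zone}->{dst_zone} {flow.proto}/{flow.dport} "
                        f"({flow.src} -> {flow.dst})")
    if flow.proto == "tcp" and flow.dport == 502 and flow.payload:
        fc = modbus_function_code(flow.payload)
        if fc is None:
            findings.append(f"malformed Modbus/TCP frame from {flow.src}")
        elif fc in MODBUS_WRITE_FC and dst_zone in NO_WRITE_ZONES:
            findings.append(f"Modbus write (FC {fc}) to {dst_zone} device {flow.dst} from {flow.src}")
    return findings


def mbap(length: int) -> bytes:
    """Build an MBAP header: transaction id 1, protocol id 0, given length, unit id 1."""
    return b"\x00\x01" + b"\x00\x00" + length.to_bytes(2, "big") + b"\x01"


# Two hand-built frames: Read Holding Registers (FC 3, start 0, count 10)
# and Write Single Coil (FC 5, coil 16, value ON). length = unit id + 5-byte PDU = 6.
READ_REGS = mbap(6) + b"\x03" + b"\x00\x00" + b"\x00\x0a"
WRITE_COIL = mbap(6) + b"\x05" + b"\x00\x10" + b"\xff\x00"

# Constructed flow records standing in for firewall or flow-collector logs.
SAMPLE_FLOWS = [
    Flow("10.0.5.20",    "10.10.0.5",    "tcp", 443),               # IT -> DMZ: allowed
    Flow("10.0.5.20",    "192.168.20.7", "tcp", 502, READ_REGS),    # IT -> PLC directly: denied
    Flow("192.168.10.3", "192.168.20.7", "tcp", 502, WRITE_COIL),   # HMI writes to PLC: allowed
    Flow("192.168.10.3", "192.168.30.2", "tcp", 502, READ_REGS),    # HMI reads SIS: allowed
    Flow("192.168.10.3", "192.168.30.2", "tcp", 502, WRITE_COIL),   # HMI writes to SIS: flagged
    Flow("172.16.9.9",   "192.168.30.2", "tcp", 502, READ_REGS),    # unknown source -> SIS: denied
]


def run(flows=SAMPLE_FLOWS) -> list[list[str]]:
    """Evaluate each flow in order and return its findings."""
    return [evaluate(f) for f in flows]


if __name__ == "__main__":
    for flow, findings in zip(SAMPLE_FLOWS, run()):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}", "OK" if not findings else "; ".join(findings))
```

Two design points worth noting. The allowlist is keyed on zones rather than individual hosts, so a new PLC added to the control range inherits the policy without a rule change, while a host in an unmapped range is denied by default. And the Modbus check only matters because Modbus has no authentication: the port alone cannot distinguish a read from a write, so the gateway has to look at the function code. A production inspection engine would track every PDU in the stream rather than the first one, and none of this helps for traffic tunneled through an encrypted remote-access session, which is why item 4 (identity-based access for vendors and contractors) has to sit alongside segmentation.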

Nothing and no one can guarantee that no attack will ever get through your defenses. But without an effective defense strategy in place, you are sure to be attacked and to suffer for it.

There are many tools designed to defend your IT and OT against different types of attacks and different stages of an intrusion. Look for an integrated suite of tools, whether software, hardware, or both, and especially ones designed for the unique constraints of OT environments. This approach will give you the greatest security.

Security tools that can share threat information among themselves, coordinate a response, and be managed as a unit will simplify your security without compromising it. A good example is the Fortinet Security Fabric, an open, multivendor ecosystem designed to provide the benefits of a holistic security posture.

Learn how Fortinet can help you extend security and maintain compliance in any ICS/SCADA-connected environment.