Previously, many believed that attacks on an isolated operational technology (OT) infrastructure were practically impossible, since everything runs on a dedicated network, separate from the corporate environment and the Internet. However, the Stuxnet, NotPetya, Triton (Trisis) and Snake (Ekans) malware has changed that view. We will assess the risks for OT networks and analyze the protection methods.
Introduction
Operational technology, or OT, is a critical network segment used by businesses that manufacture goods or engage in physical processes. Industries such as manufacturing, chemical, oil and gas and mining, transportation and logistics use specialized technologies to manage facilities: assembly and production sites, energy systems. Control, monitoring and management in the relevant area have been gradually automated over the past few decades, and the specialized systems that solve these problems are known as industrial control systems (ICS), supervisory control and data acquisition (SCADA), or simply OT.
The networks in which they operate have traditionally been separated from the corporate information technology (IT) environment and from the Internet, often delimited by the “air gap”. They are usually run by operational personnel, not IT specialists – and for good reason. Manufacturing facilities can generate millions of dollars per hour for a company, and for ordinary citizens, infrastructure that provides clean water and energy is simply vital. When these systems fail, even for a few minutes, it can cause hundreds of thousands of dollars in loss and even put workers and people living nearby at risk.
Simply put, IT is about data management and OT is about making things. And because OT systems were completely isolated, the world of operational technology felt immune to the hacking that had become an everyday fact in IT environments.
But recent attacks on OT have changed the way things are.
The number of cyberattacks on these systems and on OT infrastructures in general is growing, and they cause real damage. Probably the first such attack took place ten years ago, when the Stuxnet worm struck facilities in the Iranian nuclear program. It was an “air-gapped” system, meaning it had no connection to external networks, but it was hacked nonetheless. In 2017, NotPetya ransomware activity interrupted production and closed offices. In the same year, the Trisis/Triton malware compromised security in oil and gas equipment. And in 2020, the Ekans ransomware (aka Snake) appeared, which is specially designed for ICS.
Role of “air gap” in OT safety
First, the “air gap” never provided complete security, although the isolation did make it difficult to break into the OT system. Gaining physical access has always been possible with the help of social engineering, such as leaving an infected USB stick in a parking lot or confidently entering an organization’s premises disguised as an employee. Second, if you think that your OT environment is separated by an “air gap”, then you are probably wrong. Maintenance access to industrial machines, remote ICS tooling or firmware updates all leave potential vulnerabilities in the OT environment that you might not even be aware of.
But most importantly, IT and OT networks are merging, exposing operational technologies to attacks across the information world. Combining data with manufacturing allows companies to respond more quickly to market changes and to manage and monitor systems remotely. However, these business benefits come with real risks. The reconnaissance and loader components of new malware specifically crafted for OT hardware use the IT environment and its network connections to gain access to industrial control systems.
For example, members of the aforementioned Trisis/Triton family contain components designed specifically for monitoring and safety systems in petrochemical plants. This attack is directed specifically at OT. But the processes, procedures and methods that are used to infiltrate these systems are nothing more than reconnaissance and delivery methods from the arsenal of IT cyberattacks.
Risks and implications of IT-OT convergence
Despite the added risk, IT and OT convergence is still happening – simply because it makes financial and operational sense. Operations teams are implementing complex management systems using software and databases that run on IT systems.
Devices such as Wi-Fi-enabled thermostats and valves can be monitored and controlled remotely through the IT infrastructure, and the CFO usually doesn’t like the costs of individual networks or individual groups needed to run them.
The convergence of the IT and OT worlds provides greater process and business efficiency. Thus, convergence is underway, and we must admit that it increases cyber risks in a variety of ways. First, it expands what is called the “attack surface”. Simply put, hackers have many more target devices. The number of web servers, branch offices, remote and home workers, and IoT devices is growing rapidly, and each of these entities is a potential entry point into the IT network – and ultimately into your OT environment. Likewise, many OT systems that are now connected to the IT network can be outdated and much easier to hack.
Moreover, cybercriminals are inventing more and more sophisticated ways to implement threats. Just as companies go through digital transformation and develop generic software, attackers use the same techniques to create highly complex and versatile malware. Their attacks use various mechanisms to penetrate the IT environment (and increasingly the OT environment), as well as to bypass the company’s defenses. And when it comes to security tools, there are so many of them now that threat management is in some ways more difficult than ever. Surveys have shown that most large businesses have between 30 and 90 different tools of this kind from almost all vendors. These products have different management consoles and require trained personnel to understand them. In too many cases, security personnel do not have time to delve into the specifics of each tool. Cyber threats can literally get lost in this confusion.
Finally, regulations governing cyber breaches and protecting personal information have further complicated the security process for IT and OT managers. There are general standards such as PCI DSS (Payment Card Industry Data Security Standard), GDPR (General Data Protection Regulation) and the NIST (National Institute of Standards and Technology) Cybersecurity Framework that an organization must understand and adhere to. There are also industry standards and regulations from various global and local regulators, such as the International Organization for Standardization (ISO) or the American National Standards Institute (ANSI), that dictate how and where safeguards should be applied.
Key OT protection methods
To put it bluntly, your OT environment is an attractive target, and if it hasn’t been attacked yet, it will certainly happen in the future. In many cases, when it comes to process control systems or SCADA, there is a huge deficit in investment in security. There are many reasons for this, but regardless of them, the situation needs to be corrected. Whether or not your organization integrates IT and OT, you must secure operational technologies with several key security techniques, listed below.
- Recognize that the risk to your organization is growing and take action.
- Install tools that provide a broad view of the OT network as well as IT. This includes device discovery and inventory, as well as access control (including to applications and traffic) for authorized personnel only.
- Use a segmentation strategy. Implement gateways with strong security policies between IT and OT environments, and between different layers of your OT network. The goal is for each system and subsystem to do only its own job. Segmentation prevents an attack from spreading from one location to the entire system.
- Replace the trust-based open access model with a zero-trust access policy. Install access controls that authenticate users, allow them to interact only with the systems they need to do their job, and then control them when they connect to the network. This principle should be followed for all actors, but it is especially important to apply it to contractors and suppliers.
- Use automation to help analyze actions and speed up your response. Implement activity logging tools, analytics to find abnormal behavior in logs, and security systems that can respond to a detected threat. Given the speed at which modern attacks can occur, automation and orchestration are essential to identify threats and take action in seconds.
- Establish processes for auditing and testing systems in the event of a breach, and create rules for backup and recovery.
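As an added illustration of the segmentation, zero-trust and log-analysis items above (this is example code, not part of the original article), the following Python sketch audits network flow records against a deny-by-default list of permitted conduits between zones. The zone names, address ranges, ports and flow records are all constructed assumptions.

```python
import ipaddress

# Constructed zone map (assumption): address ranges are illustrative only.
ZONES = {
    "it":             ipaddress.ip_network("10.10.0.0/16"),
    "dmz":            ipaddress.ip_network("10.20.0.0/24"),
    "ot_supervisory": ipaddress.ip_network("10.30.1.0/24"),
    "ot_control":     ipaddress.ip_network("10.30.2.0/24"),
}

# Deny by default: only these (source zone, destination zone, TCP port)
# conduits are permitted; every other cross-zone flow is a violation.
ALLOWED_CONDUITS = {
    ("it", "dmz", 443),                     # corporate users reach the DMZ gateway
    ("dmz", "ot_supervisory", 443),         # gateway reaches the supervisory layer
    ("ot_supervisory", "ot_control", 502),  # SCADA server polls PLCs (Modbus/TCP)
}

def zone_of(addr):
    """Map an IP address to its zone, or None if it is not in the inventory."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None

def audit_flows(flows):
    """Return (flow, reason) for every flow that breaks the segmentation policy."""
    violations = []
    for flow in flows:
        src, dst, port = flow
        sz, dz = zone_of(src), zone_of(dst)
        if sz is None or dz is None:
            violations.append((flow, "endpoint not in inventory"))
        elif sz != dz and (sz, dz, port) not in ALLOWED_CONDUITS:
            violations.append((flow, f"no conduit {sz}->{dz} on tcp/{port}"))
    return violations  # intra-zone traffic is out of scope for this check

# Constructed flow records: (source IP, destination IP, destination TCP port).
SAMPLE_FLOWS = [
    ("10.10.4.20", "10.20.0.5", 443),      # allowed: IT -> DMZ
    ("10.20.0.5", "10.30.1.10", 443),      # allowed: DMZ -> supervisory
    ("10.30.1.10", "10.30.2.7", 502),      # allowed: supervisory -> control
    ("10.10.4.20", "10.30.2.7", 502),      # IT workstation talking straight to a PLC
    ("10.30.2.7", "10.10.9.9", 445),       # control layer reaching into IT over SMB
    ("192.168.50.3", "10.30.1.10", 3389),  # uninventoried device using RDP
]

if __name__ == "__main__":
    for flow, reason in audit_flows(SAMPLE_FLOWS):
        print(flow, "->", reason)
```

The same check applies to real flow exports once the zone map is generated from the device inventory rather than written by hand.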
Nothing and no one can guarantee that no attack will ever get through your defense. But without an effective strategy, you are bound to be attacked and hurt.
There are many tools designed to protect your IT and OT from different types of attacks and at different stages of penetration. Look for an integrated set of tools (whether software, hardware, or both) – especially those that address the unique challenges of OT environments. This approach will be the most reliable.
Security tools that can share threat intelligence, coordinate a response, and be managed as a whole will simplify your security without compromising it. A good example is the Fortinet Security Fabric, an open, multi-vendor ecosystem designed to take advantage of a holistic security regime.
The days of illusion are long gone; specialists and OT operators now have to face real cyber threats. On the other hand, there is an opportunity to prove yourself by protecting your organization as much as possible from attacks by malware like Stuxnet. To do this, you will have to analyze the risks and pay attention to the nuances listed in our material, but the result will be worth it.