In April 2021, the U.S. government announced a new effort to protect industrial control systems (ICS) from cyberattacks. For the cybersecurity community, the announcement may come as no surprise. Vulnerabilities in critical infrastructure such as ICS and the operational technologies (OT) that run them have made frequent headlines.
From public water system threats to research to proposed legislation, ICS security remains a top-of-mind issue in the public and private sector. If the OT that run critical infrastructure systems are compromised, it could have devastating consequences. Power grids and pipelines are considered OT systems inside the ICS environment. Some experts argue that bank vaults, machine sorting technologies, conveyor belts and automated heating, ventilation and air conditioning systems are also OT. They’re called critical infrastructure for a reason. Operational technologies are the backbone of global processes that run our daily lives, which is why understanding the threats to them and vulnerabilities exposing them is so important.
Expert Opinion: How to Secure Critical Infrastructure
One of the featured presentations at the IBM Think 2021 virtual conference on May 11 and 12, delivered by Tenable Vice President of Operational Technology Security Marty Edwards and X-Force Red Hacking Chief Technology Officer Steve Ocepek, will discuss the threat landscape of the OT environment. As a precursor to their talk, we interviewed Edwards and Ocepek about OT security, the various attack paths against OT, vulnerabilities that are enabling attackers to succeed and how organizations can reduce the risk of an OT compromise.
Register for Think 2021
Question: It seems like the OT security conversation has gained speed during the past couple of years. How do you think the threat landscape against the OT environment has shifted?
Ocepek: We have always seen high-profile OT breaches make headlines, although it was more about systems being taken down with ransomware. Nowadays, we see more compromises around hacktivism and nation-state attacks, some of which have crippled systems. Those nation-state attacks have catapulted the world into a collective consciousness about the importance of OT security.
Edwards: To add to that, in the beginning, OT systems were often buried in an environment. People didn’t know they existed, which includes attackers, hackers and researchers alike. Once people started paying attention to them, vulnerabilities were discovered and published, and exploit toolkits were created. Now you have mainstream tools that can be used against OT systems. The operating systems are also more mainstream. When it comes to specific threat actors, I still see a significant increase in criminal groups launching ransomware attacks against OT environments. They tend to exploit known vulnerabilities and have built commercial ransomware toolkits. Nation-state attackers are also flexing their muscles to show adversaries what they are capable of executing. The security industry’s detection capabilities have also improved, which has led to an increase in publicly disclosed nation-state types of events.
Which kinds of vulnerabilities are enabling OT attackers to succeed?
Edwards: If you look at the CVEs [common vulnerabilities and exposures] published for OT, for the most part, the security community would say they are low-hanging fruit. An attacker could point a fuzzer at an industrial controller and most likely find known vulnerabilities that are easy to exploit. Hard-coded maintenance passwords are another common area of weakness. The passwords are typically easy to guess, such as the manufacturer’s name, or they are printed in the manual for anyone to download. Usually, you don’t find a hard-coded password in a commercial IT device, but it’s common to find in OT. The OT security mindset lags behind the IT security community by at least ten years.
What is a typical attack path for an OT compromise?
Edwards: It’s tough to generalize, although there are two primary paths. The attack paths we saw from water system intrusions, for example, were executed by leveraging unprotected systems with direct internet connectivity. The other path is a stage-one implant that is placed on the enterprise or commercial IT network through phishing or waterholing. An attacker gains access to the corporate systems used by an OT engineer, through methods such as phishing, and then pivots through credentialed access into the OT environment. In other words, attackers can use IT as a springboard to compromise OT. The reverse can also be true. We have seen attackers compromise weakly protected OT and IoT [Internet of Things] environments to access corporate networks and data.
Another attack vector, unfortunately, is that many technologies are connected to the internet unprotected. Attackers only need a search engine to find them. If I know there is a vulnerability exposing an industrial controller, I can go to a search engine, type in the controller’s name, and retrieve IP addresses for all controllers that are connected to the internet.
What are attackers’ objectives when compromising the OT environment?
Edwards: At one end of the scale, it’s script kiddies playing around with new exploit kits for fun. They want to see what they can do. At the other end, it’s disgruntled employees who have a vendetta against a company and want to hurt it. From a criminal perspective, extortion and ransomware will not go away any time soon. That’s the biggest-growing motivation. When it comes to intellectual property, if you think about it, the OT system contains a recipe for whatever product is being made. The engineer workstation that controls the system has the recipe in it, which can be a cause of industrial espionage.
I think nation-states are trying to develop and test their capabilities in a controlled manner. They are building their arsenals for later deployment.
How can organizations protect OT without risking bringing down a vital system?
Ocepek: Visibility is key. Understanding where the vulnerabilities exist, and which ones are most important to remediate first is critical. If it’s too risky to patch, there are compensating countermeasures that can be effective; for example, segmenting the vulnerable device from the rest of the network or creating alerts in SIEM [security information and event management] and other detection tools so that they can rapidly detect an attack against the device. Whichever route organizations prefer to take, it’s important to note that doing nothing shouldn’t be an option. In most cases, there is a way to minimize the risk of a compromise.
Edwards: That’s a good point. For a long time, OT teams have said, ‘I can’t patch, so I don’t need to know if I am vulnerable.’ Boards are now holding security leaders accountable for knowing and proving they have reduced the number of critical vulnerabilities in their environment. It’s not acceptable to not know. So, if they can’t fix a vulnerability, it should still be on their risk register as something that should be mitigated.
An important first step is to gain visibility about your asset inventory. Know what you have, because you can’t protect what you can’t see. The most common question I receive from CISOs is, ‘How do I know what I have for OT?’ Start with the fundamentals. Create a solid asset inventory, and don’t make it a point-in-time exercise. It’s important to continuously analyze networks for which devices are presently connected to them and their protocols. Then, cross-reference those devices with known vulnerabilities, which are typically in the National Vulnerability Database.
Also, use detection technologies to see if new devices are being added to the network and look for ports that shouldn’t be there. Lastly, monitor the configuration of devices. Are people making changes to the logic that is running in certain devices? If so, were those changes approved, or is it a disgruntled employee making the change?
You can access their presentation about critical infrastructure and operational technology at the IBM Think 2021 virtual conference on May 11 and 12 here.
Associate Partner, X-Force Red