Contributed to this research: Adam Laurie and Sameer Koranne.

Given the accelerating rise in operational technology (OT) threats, this blog will address some of the most common threats IBM Security X-Force is observing against organizations with OT networks, including ransomware and vulnerability exploitation. IBM will also highlight several measures that can enhance security for OT networks based on insights gained from the X-Force Red penetration testing team and X-Force incident response’s experience assisting OT clients with security incidents. These include a focus on data historian and network architecture, such as domain controllers.

OT is hardware and software that controls industrial processes, such as heavy manufacturing equipment, robotics, oil pipeline or chemical flows, electric utilities and water and the functionality of transportation vehicles.

Typically, OT networks are segregated from information technology (IT) networks at organizations that have both. Email, customer transactions, human resources databases and other IT are separated from technologies that control physical processes. Even so, typical threats against IT networks have the potential to affect OT networks, particularly if segmentation is not effective or engineers decide to shut down the OT network as a precaution after an attack on the IT network, such as ransomware.

Threats to OT networks are arguably more dangerous than threats to IT networks because of the physical outcomes that can result, such as passenger vehicle malfunctions, explosions, fires and potential loss of life. A cyberattack with these outcomes becomes, in effect, a physical weapon.

Ransomware Prevails

Of all the attack types X-Force observes against OT organizations, ransomware is the leader. In fact, nearly one-third of all attacks X-Force has observed against organizations with OT networks in 2021 have been ransomware — a significantly higher percentage than any other attack type.

In many cases, ransomware attacks affect only the IT portion of a network. Yet, these IT infections can still have tremendous consequences for operations governed by OT networks. Research by X-Force and Dragos in late 2020 found that 56% of ransomware attacks on organizations with OT networks affected operational functionality in cases where the scope of impact was known. In many of these cases, OT networks were probably shut down as a precaution to prevent ransomware from spreading to OT networks or negatively affecting operations. This was the case in the high-impact ransomware attack on Colonial Pipeline that resulted in gasoline shortages in several U.S. states in May 2021.

In other cases, however, ransomware does make its way over to the OT portion of the network. Ryuk is the ransomware strain most commonly observed by IBM as attacking the OT network.

Ryuk Ransomware on OT Networks

In the fall of 2019, Ryuk ransomware actors hit at least five oil and gas organizations in what appeared to be part of a targeted campaign aimed at OT — specifically oil and gas — entities.  At least one of these organizations was a natural gas compression facility at a U.S. pipeline operator as reported by the U.S. Coast Guard, according to a report by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and analysis by Dragos.

Maritime Safety Information Bulletin issued by the Coast Guard on Dec. 16, 2019, indicated that segregation between the pipeline organization’s IT and OT network was insufficient to prevent the attacker from reaching the OT environment. The report stated that after infecting the organization’s IT network, “the virus further burrowed into the industrial control systems that monitor and control cargo transfer and encrypted files critical to process operations.” The bulletin further indicated that the attack disrupted camera and physical access control systems and resulted in the loss of “critical process control monitoring systems.”

X-Force Incident Response has similarly observed Ryuk affiliates cross over into OT networks in attack remediation and investigations, using methods similar to those observed by the Coast Guard.

In February 2021, a report by the French government noted that newer Ryuk variants have worm-like capabilities and can replicate autonomously across an infected network. X-Force malware analysis of a Ryuk malware sample in June 2021 substantiated these findings, similarly revealing these worm-like capabilities in newer Ryuk variants. X-Force analysis of Ryuk malware showed that samples were packed in loaders similar to those used in Emotet and Trickbot campaigns, and Emotet has been known to worm into OT networks in the past.

It is possible that the new worm-like characteristics of recent Ryuk ransomware samples will give the group a higher likelihood of worming into OT networks in future ransomware operations, particularly if robust segmentation is not in place.

Vulnerability Exploitation

X-Force Incident Response data reveals that, in 2021, vulnerability exploitation is the primary method attackers are using to gain unauthorized access to organizations with OT networks. In fact, vulnerability exploitation has led to a staggering 89% of incidents X-Force has observed at organizations with OT networks so far this year, where the initial infection vector is known.

In 2021, X-Force has also observed threat actors exploit CVE-2019-19781 — a Citrix server path traversal flaw — to access networks at OT organizations. This was the most exploited vulnerability X-Force observed in 2020. The ease with which threat actors have been able to exploit this Citrix vulnerability and the level of access it provides to critical servers make it an entry point of choice for multiple attackers. We strongly recommend remediating this vulnerability if your organization has not done so already.

Zero-Day and Supply Chain Risk

In some cases, OT organizations became victims of the Kaseya-linked ransomware attack, where exploitation of a zero-day vulnerability and a supply chain-esque operation became the initial infection vectors. In the Kaseya case, Sodinokibi/REvil ransomware operators exploited a zero-day vulnerability in Kaseya’s VSA software (now known as CVE-2021-30116) to deliver a ransomware attack. This attack leveraged attack techniques that are more common to advanced nation-state actors — namely, exploitation of a zero-day and a supply-chain propagation technique — which are uniquely difficult to defend against.

In a separate supply chain attack, multiple OT organizations reached out to X-Force for assistance in determining the extent to which the SolarWinds supply chain attack may have affected them. For some of the OT organizations impacted by the SolarWinds attack, original equipment manufacturers (OEMs) were the entry path, underscoring how attackers seek to exploit relationships of trust built between vendors and clients. The OEMs had access to the OT client’s network to perform remote maintenance — and were using compromised SolarWinds software across those remote connections.

Examples such as these highlight the significant risk to OT organizations from supply chain operations.

Defending OT Networks: Don’t Forget Data Historian

When it comes to OT network security, X-Force Red penetration testers have indicated that data historian often provides a reliable pathway into an OT network. Compromising data historian often can create opportunities to compromise the OT network. Thus, security teams should be careful not to overlook data historian when identifying and shoring up potential weak points in their OT network.

A data historian is a type of time-series database designed to efficiently collect and store process data from industrial automation systems. It is used widely for OT networks, industrial control systems (ICS) and supervisory control and data acquisition (SCADA) networks. Data historian was originally created for — and continues to be used most commonly for — identifying, diagnosing and remediating problems that might lead to costly downtime.

Adversaries that are able to gain access to data historian then have access to data, analysis and information on control systems at that organization — useful for reconnaissance and further attack planning. In addition, data historian can provide a pathway from the IT network into the OT network, if the data historian is dual-homed. Further, data historian tends to have extensive connections throughout OT networks, which can give an attacker an array of potential options for moving throughout an OT environment.

OT organizations can better secure data historian by creating historian security groups, carefully defining who has access to these groups, closely monitoring accounts with access to ensure they are not stolen or abused and implementing strong authentication measures. Organizations can also use electronic signatures and electronic records to demand authentication whenever a change is made to data or configurations in data historian. In addition, placing the historian in a demilitarized zone (DMZ) can help segregate it from the OT network while still providing access from the IT network.

It is not uncommon to find companies creating and using ‘enterprise’ data historians hosted within the IT infrastructure. With aggressive cloud adoption strategies and an increase in Industrial Internet of Things (IIoT) devices, companies have started implementing or moving these enterprise historians to cloud environments. Typically, these historians aggregate the data from site- and plant-specific data historians. This approach provides scalability and seamless integration with cloud-based storage and applications for secure information sharing, where needed. However, companies must ensure that they store the data safely without creating an opening for an attack.

MITRE has provided several additional risk mitigation measures to help secure data historian servers/databases, and IBM recommends reviewing those and implementing as many as possible.

Additional Measures for Securing OT Networks

Securing OT networks is more critical than ever. OT network defenders can implement a range of measures to decrease the chances of encountering a cyber incident on their OT network. Some of these measures are aimed at decreasing the risk of a ransomware attack — including Ryuk attacks — while others can assist in preventing a range of different attack types with the potential to weaponize OT networks.

  • Strictly segregate OT and enterprise IT networks, ideally creating an industrial DMZ (iDMZ) as advised in ISA/IEC 62443 guidance. Ensure any dependencies between the OT and IT environment are known and well-documented. Reduce the dependencies between different operational environments using micro-segmentation. The networks and systems should be architected in such a way that it is possible to physically unplug or isolate an environment or system from other environments and maintain full operations. Disable internet access from OT domain controllers, servers and workstations that do not need public access; ideally, internet-connected services should be located in the iDMZ.
  • Filter network traffic to enhance the defense of OT and ICS networks, prohibiting ICS protocols from traversing the IT network, prohibiting communications with known malicious IP addresses, and monitoring communications between the OT and IT environments.
  • Decrease opportunities for domain administrator account compromise by using only the absolute minimum number of domain administrator accounts, locking down domain administrator accounts on domain controllers to prevent credential harvesting and removing local administrator rights for all accounts.
  • Ensure robust security monitoring capabilities through the implementation of an OT security operations center (OT SOC) that collects and correlates the security information from OT and IT networks using an OT intrusion detection system (IDS), application logs collected and stored in a SIEM solution or a managed detection and response (MDR) service.
  • Include impact to OT in a ransomware emergency response plan. CISA recommends considering the full range of impacts to OT that a cyberattack might have, including loss of view, loss of control and loss of safety. Carefully distinguish between events requiring a shutdown of the operational environment and those that do not.
  • Defend against phishing attacks — a common infection vector for Ryuk ransomware — by implementing an email security software solution, including banners on all external emails, sharing with employees real-world phishing techniques and their ultimate effect, disabling macros as default and using behavioral-based antimalware solutions to detect commodity malware strains such as TrickBot, QakBot and Emotet.
  • Invest in incident response preparedness and training for your team. X-Force has observed that preparedness is a significant differentiator between organizations that recover relatively quickly and easily from ransomware attacks and those that do not. Creating and drilling an incident response plan can assist your team in developing the muscle memory to respond appropriately in the critical moment. Additionally, have site-specific or OT security cyber incident response plans and preparedness. Every OT environment is unique, with different products and systems. As OT organizations plan for independent emergency response plans, they should seek to craft a site-specific incident response plan.
  • Test your security controls using safe penetration testing. Penetration testing of the live productive OT environment is not recommended. However, safe opportunities should be explored, such as during factory acceptance tests (FAT), site acceptance tests (SAT) or turnarounds (maintenance).
  • Leverage dark web analysis or Shodan to monitor for compromised assets. Maintaining awareness of any compromised devices on your network — or information attackers could use to compromise your network — can assist in taking proactive measures as necessary. Shodan can assist in identifying devices discoverable by conducting scans from the internet and routine monitoring of dark web marketplaces for information about your organization can assist in staying ahead of potential threat actors.

more from Energy & Utility