Evolving OT security (again) for post-COVID operations

Aug. 3, 2020
While your workers were away from your facility, hackers were hard at work.

Amid the global pandemic, organizations (particularly those in the industrial sector) have had to adjust to a variety of new remote and hybrid working models. Many of these organizations were forced to completely overhaul operations to meet supply chain demands, while others had to maintain manual operations with scarce employee resources. Some even had their production lines shut down, leaving operations and systems idle. 

Perhaps you fit into one of these camps. 

These scenarios have introduced new cyber threats to the operational technology (OT) that supports industrial environments and, in some cases, critical infrastructure. Unfortunately, the risks to these environments have never been greater. According to a study from Ponemon and Siemens, 56% of the global utilities organizations surveyed reported at least one attack that involved loss of information or business interruption in the previous 12 months. 

As many organizations now chart a path toward reopening, the threats don’t disappear. Security teams must, yet again, readjust their approach to OT security to meet the new demands of the shifting workforce. 

Risks in converged environments as staff returns to work

Industrial organizations that had part of their staff working remotely must stay vigilant about security risks as operations return to normal. The attack surface expands any time a company device leaves the secured network to operate on a potentially insecure home network. The risk is magnified in industrial environments by the ripple effect of IIoT and interconnected devices: the convergence of IT and OT networks that boosted efficiency and efficacy also created new paths from the corporate network into control systems. 

As staff return to the facility, malware and other threats can travel back with them and expose OT environments to attack. Laptops that spent months on home networks may have been compromised or left unpatched, and USB drives that travelled between home and plant can carry malware; once either is connected to the corporate network, it can become a bridge into IT and, through converged links, into OT. If a vulnerability on that path is exploited, OT devices can be directed to perform unauthorized actions. On a production line, that can mean defective or scrapped product. In a critical-infrastructure environment, it can mean loss of power or water to an entire city. 

Vulnerabilities facing limited and autonomous workforces

The “skeleton crews” that operated during social distancing are now returning to regular headcounts, often in a staggered fashion. Each shift in workflow is an opportunity for mistakes, and without full visibility into anomalies and changes to the assets and devices in the environment, vulnerabilities can persist unnoticed. The same applies to the growing number of largely autonomous facilities: with minimal staff on site, any oversight can lead to downtime and loss of revenue, time and customer trust. In an autonomous environment, visibility, security and control of systems are critical to maximizing uptime and keeping product within specification. Securing these devices is no longer a nice-to-have; it is a must.

Exposure in kickstarting idle environments

Some industrial facilities shut down during the pandemic and left their OT environments idle, which poses serious risk if those environments went unmonitored. Without real-time monitoring for high-risk vulnerabilities and unexpected activity, blind spots can grow in the network and leave the organization exposed.

As teams return and these OT systems are brought back online, the influx of data can overwhelm security teams, causing them to miss weaknesses that accumulated while the plant was idle: firmware that fell behind on patches, and flaws disclosed during the shutdown that nobody assessed. This risk is higher still for organizations using dated security solutions with static visibility, or solutions not purpose-built for industrial environments. Purpose-built solutions give organizations tailored functionality and threat intelligence relevant to the environments in which they operate. 

Threats to this sector surface often; the recently discovered Ripple20 vulnerabilities are one example. These flaws are in a widely embedded TCP/IP software library (the Treck stack) found in sensitive devices, including those used in industrial-control applications, medical devices, power grids, oil and gas, and more, and some of them permit unauthenticated remote code execution. In theory, an attacker could have begun exploiting them while staff were out of the office to take control of internet-facing devices, including those deployed as part of IIoT, since an idle plant is not necessarily a disconnected one. Organizations returning to normal operations need the means to identify affected devices and act quickly.

Critical components of industrial-grade security 

Industrial-security teams have grappled with unprecedented challenges during the pandemic. As operations resume, it is imperative that these teams are just as prepared for what comes next.

To ensure the security and uptime of distributed and complex industrial environments, organizations must have the following:

  • Unified visibility of IT/OT infrastructure: Security teams should have a bird’s-eye view across IT and OT networks, with the ability to drill down to granular device information such as serial numbers, operating systems and firmware versions. 
  • Employee security training: Employees must undergo regular cybersecurity training. Sessions should explain zero-trust policies and how to recognize warning signs of security risk, and should cover common attack vectors such as phishing, suspicious links and attachments, and unknown files or devices (such as USB drives), any of which can carry malicious code.
  • Audit trail: Configuration-control capabilities capture snapshots of changes to critical OT devices such as programmable logic controllers (PLCs) and remote terminal units (RTUs), leaving a trail that tells security teams who was on the network, what they changed and when, and whether the change caused any interruption. Comparing a current snapshot against the last known-good one is the fastest way to find modifications made while nobody was watching. 
  • Active and passive monitoring: Active monitoring queries devices to confirm they are working properly and accounts for dormant devices that generate no traffic; passive monitoring watches network traffic without touching the devices. Together they give a comprehensive view that eliminates blind spots. Active queries should use the device’s native protocol and be throttled, because some older controllers fail when probed by generic IT scanners.
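As an added illustration of the last two items (this is example code written for this page, not code from the article or from Tenable), the following Python script acts as a passive monitor over constructed Modbus/TCP frames: it parses the MBAP header and function code, records which hosts appear on the wire, flags hosts absent from a baseline inventory and write commands from hosts not authorised to issue them, and reports the baseline assets that produced no traffic at all, which is exactly the set an active poll would need to query. All addresses, asset names and frames are constructed for the example.

```python
"""Passive OT traffic monitor over constructed Modbus/TCP frames (added example)."""
import struct

# Modbus function codes that change device state. Reads are left alone.
MODBUS_WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}

# Constructed baseline inventory; addresses and roles are hypothetical.
BASELINE_ASSETS = {
    "10.0.1.10": "PLC-LINE1",
    "10.0.1.11": "PLC-LINE2",
    "10.0.1.20": "HMI-1",
}
# Only the HMI is expected to issue write commands in this constructed plant.
AUTHORISED_WRITERS = {"10.0.1.20"}


def build_request(txn_id, unit_id, function, payload=b""):
    """Build a Modbus/TCP request: MBAP header (txn, proto 0, length, unit) + PDU."""
    pdu = bytes([function]) + payload
    # MBAP length counts the unit id plus the PDU that follows it.
    return struct.pack(">HHHB", txn_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_modbus_tcp(frame):
    """Return header fields and function code of a request, or raise ValueError."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    txn_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError("protocol id %d is not Modbus" % proto_id)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame" % length)
    return {"txn": txn_id, "unit": unit_id, "function": frame[7], "data": frame[8:]}


def passive_monitor(flows, baseline=BASELINE_ASSETS, writers=AUTHORISED_WRITERS):
    """Inspect (src_ip, dst_ip, frame) tuples as a network tap would.

    Returns (alerts, dormant). Alerts cover unknown hosts, malformed frames and
    writes from unauthorised hosts. Dormant lists baseline assets that produced
    no traffic, which passive monitoring cannot see and an active poll must query.
    """
    seen, unknown, alerts = set(), set(), []
    for src, dst, frame in flows:
        seen.update((src, dst))
        for host in (src, dst):
            if host not in baseline and host not in unknown:
                unknown.add(host)
                alerts.append("unknown asset %s on the OT network" % host)
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as err:
            alerts.append("malformed Modbus/TCP frame from %s: %s" % (src, err))
            continue
        fn = req["function"]
        if fn in MODBUS_WRITE_FUNCTIONS and src not in writers:
            alerts.append("%s to %s (unit %d) from unauthorised host %s"
                          % (MODBUS_WRITE_FUNCTIONS[fn], baseline.get(dst, dst),
                             req["unit"], src))
    dormant = sorted(set(baseline) - seen)
    return alerts, dormant


# Constructed sample traffic for this example.
SAMPLE_FLOWS = [
    # Routine read of ten holding registers by the HMI: no alert.
    ("10.0.1.20", "10.0.1.10", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),
    # Setpoint write by the HMI: authorised, no alert.
    ("10.0.1.20", "10.0.1.10", build_request(2, 1, 6, struct.pack(">HH", 40, 1500))),
    # A host not in the baseline (say, a returning laptop) writes two registers.
    ("10.0.1.99", "10.0.1.10",
     build_request(3, 1, 16, struct.pack(">HHB", 40, 2, 4) + b"\x00\x00\x00\x00")),
    # Truncated frame, as a scanner or a broken stack might emit.
    ("10.0.1.20", "10.0.1.10", b"\x00\x04\x00"),
]

if __name__ == "__main__":
    found, silent = passive_monitor(SAMPLE_FLOWS)
    for line in found:
        print("ALERT:", line)
    print("dormant assets to query actively:", silent)
```

Run against the constructed flows, the monitor raises three alerts (the unknown host, its unauthorised write to PLC-LINE1, and the truncated frame) and reports PLC-LINE2 as dormant. In a real deployment the baseline would come from the asset inventory and the flows from a span port or tap, and the dormant list would feed a throttled, protocol-native active query rather than a generic port scan.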

By investing the necessary time and resources to fortify OT security now, organizations can be confident of continued uptime, efficiency and safety as we push into a promising future.

Michael Rothschild is senior director of OT solutions at Tenable