By Daniel Trivellato, vice president of OT & IoMT solutions with Forescout Technologies Inc.
Operational technology (OT) has a mark on its back. Three industry trends suggest that 2023 will be a year of increased risk and exposure for OT. Digital transformation has widened the attack surface, while ransomware attacks, hacktivists and nation-state attacks have increasingly turned their attention toward OT environments…and there are a plethora of vulnerabilities in OT devices for attackers to exploit.
Moving into the new year, cybersecurity teams need to be aware of these trends, so that they can best mitigate the risk of attack.
Critical-infrastructure protection has been top of mind since a ransomware attack on Colonial Pipeline led to gas shortages, panic-buying and price spikes in some US states. However, OT cybersecurity extends beyond just the critical-infrastructure sectors—every industry has implemented examples of OT, including building automation systems that power up server rooms and control lighting, ventilation and access to our offices and sometimes homes. Let’s consider some examples…
#1: Increased attack surface—connectivity is key
Digital-transformation trends, such as increased remote connectivity and the proliferation of IoT devices, have introduced a variety of new access points for attackers to enter and move around the network. These new devices blur lines between historically well-defined perimeter networks and increase the attack surface of organizations.
OT devices typically rely on outdated operating systems and firmware versions with vulnerabilities that are rarely (if ever) patched—either because of their age or because of the difficulty of doing so. Both OT and IoT devices are usually not built or configured with security as a priority (e.g., insecure protocols, default username/password), opening up to easy exploitation. Supply-chain vulnerabilities, such as Log4J, compound this with third-party risk.
#2: Cyberattacks flow to OT environments
There is a long history of cyberattacks targeting OT environments, originating with Stuxnet and building frequency with Industroyer, Triton and Industroyer2. The Colonial Pipeline ransomware attack resulted in the voluntary shutdown of the company’s OT environment in order to isolate the attack. Ever since then, cyberattacks have been targeting OT environments with unprecedented sophistication for espionage, disruption and financial gain—sometimes all of the above.
Some of these cyberattacks are carried out by state-sponsored actors, such as Sandworm (Unit 74455 of Russia’s GRU), specifically targeting OT environments in the electric power sector of their adversaries—oftentimes Ukraine, in the case of Sandworm. Other state-sponsored actors have started leveraging vulnerable IoT devices to gain initial access into OT environments. This is the case of TAG-38, a Chinese actor potentially linked to RedEcho, which exploited IP cameras in seven Indian State Load Dispatch Centers that control electricity dispatch in specific states. State-sponsored attacks will continue into 2023 with a new arsenal of tools, such OT/ICS-specific malware.
In the past months, hacktivist groups such as GhostSec (an anti-ISIS group) and One Fist (a pro-Ukraine group) have emerged amid international geo-political strife and started targeting critical-infrastructure organizations, in many cases exploiting OT protocols and exposed IoT devices.
Besides the state-sponsored and hacktivist incidents mentioned so far, OT attacks are now also part of ransomware campaigns in different forms. For instance, some attacks pivot from the IT to the OT networks and encrypt SCADA systems, others focus on exfiltrating sensitive OT data, and others cut remote monitoring or access to distributed physical locations. A well-known example of data exfiltration is Cl0p’s attack on UK’s South Staffordshire Water, where the attackers exfiltrated credentials, networking details and SCADA screenshots from the victim.
The stage is set for an explosion of attacks using OT/IoT devices—either as the initial attack vector or the ultimate target—because organizations have increased connectivity to their IT network while simultaneously struggling with the complexities of OT security management. OT environments have plenty of easy-to-exploit targets.
#3: OT vulnerabilities ripe for the picking
Vulnerabilities in OT and IoT devices, their firmware, operating systems and software libraries further illustrate how the complexity of OT environments makes them so difficult to secure. Newly discovered vulnerabilities cause ripples throughout the supply chain.
For example, Project Memoria collected more than 100 vulnerabilities in the TCP/IP stack over 18 months, affecting more than 250,000 devices. The TCP/IP stack is the foundation for internet communication, yet these vulnerabilities enabled remote-code execution, denial of service, and so forth.
Furthermore, OT:ICEFALL illustrates how insecure-by-design practices (e.g., weak encryption/authentication) can propagate OT vulnerabilities, even in the presence of so-called “secure by design” standards.
Resolve to mitigate OT security risks
We have entered a new era where cyberattacks on OT environments will continue to increase, but it is not all doom and gloom. Cyberattacks are not fully automated and take days to reach their goals, giving security teams time to respond. Furthermore, many cyberattacks have become commoditized by ransomware-as-a-service (or the like), which means hundreds of similar attacks are occurring; this is actually beneficial for security researchers because it means that most tools, techniques and procedures (TTPs) are well-known and documented.
This is not to say that cybersecurity teams can take it easy. The trends we’ve illustrated of increasing complexity, increasing attacks and widespread vulnerabilities require organizations to prioritize their OT security with visibility, compliance and segmentation.
· Visibility is the first step for making sense of the complexity of OT environments. You can’t prevent a risk you don’t see and you can’t stop a threat that you can’t detect. Visibility must extend beyond devices to network communications, where controls can detect anomalous behavior.
· Next, compliance establishes what should or should not be trusted in the network, making it possible to plan mitigating controls for devices that do not meet compliance requirements.
· Finally, network segmentation enables the enforcement of security and compliance policies by limiting the network communication of devices.
Organizations need to be aware of the growing risk of cyberattacks on OT environments, so that they can better manage their complexities. Network-monitoring solutions are useful for establishing all of these practices, as well as for monitoring for potentially malicious behavior and threats.
