Dragos' Dan Scali
With OT systems previously operating in isolated operational environments, they were relatively buffered from the kinds of cyberattacks that have long targeted IT systems. Now OT systems are more tightly entwined with IT systems and are highly connected to not only IT networks, but also the internet at large. For example, the Dragos 2021 Year in Review report found that in 2021, external connections to OT systems spiked upwards, more than doubling to 70%. This increase is likely due to the high demand for remote access in the wake of the COVID-19 pandemic.
This completely changes the risk dynamics for OT environments.
Cyber-criminals are taking advantage of the situation, increasingly targeting OT environments in this age of digital transformation. Threat actors are using traditional IT hacking techniques to access OT systems, causing disruption to processes directly, or using the OT networks as an access point for corporate IT networks. Attempts to disrupt operations, steal intellectual property, and affect the quality or safety of production are steadily increasing as more cyber-adversaries target critical infrastructure and industrial assets.
Recent high-profile attacks on converged IT and OT systems in industrial environments have demonstrated how severe the consequences of cybersecurity incidents can be. Over the last 18 months, industrial organizations have suffered high-profile cyberattacks that have included ransomware and other attacks against:
- A US water system where a cyber-adversary attempted to poison the water supply
- The IT systems of the largest fuel pipeline in the US that halted pipeline operations and resulted in gas shortages and panic-buying from customers
- A global beef supplier, resulting in the organization to paying an $11 million ransom
- A major tire manufacturer that resulted in a weeklong shutdown of factory production
The attacks are set to continue, as adversaries keep honing their tactics, techniques and procedures to target industrial organizations and infrastructure. Analysis of early activity in 2022 shows that 22 ransomware groups have been actively targeting converged IT and OT infrastructure. The activity has impacted a range of industries, with those in manufacturing, utilities, pharmaceuticals, and food and beverages all experiencing attacks.
Coordination, cooperation and ultimately integration of IT and OT security can help to prevent or reduce the likelihood of these kinds of cyberattacks. However, it’s important to note that as interconnected as IT and OT systems can be—and while there are similarities in how cyber-risk is managed in these systems—IT and OT cybersecurity are inherently different.
It isn’t simply a matter of copying and pasting an IT-security strategy into OT environments. OT has a different mission, different systems, different threats and a different impact on organizations than IT. Safety, environmental impact, process availability and intellectual property are key for OT. Plus, many of the basics of IT security simply do not apply. For example, vulnerability and patch-management are fundamental to IT security, but much less important for OT because many of the vulnerabilities in OT don't necessarily threaten the ultimate safety or mission of that OT system.
These challenges are making it difficult for industrial organizations to bridge the gap between IT and OT cybersecurity. Most companies are just beginning to bridge that cybersecurity gap between IT and OT systems. Industrial firms should be on the lookout for advice and standards offered up by industry organizations and consortiums to help them do just that, which helps them take full advantage of the experience and work done by peers and OT security specialists who work on the bleeding edge of this field.
Fortunately, top industrial organizations have been working together to address today’s OT cybersecurity challenges. Through the formation of the ISA Global Cybersecurity Alliance under the International Society of Automation, 50 companies and organizations have come together to accelerate the expansion and use of the ISA/IEC 62443 industry standards. The series of standards was created to provide organizations with technical specifications and procedures that can be mutually understood and provide guidance on how businesses can best protect their organizations at the industrial layer.
Without addressing industry standards, IT/OT security vulnerabilities—like the recent Log4j vulnerability—are just waiting to be leveraged by cyber criminals. In December 2021, a vulnerability was discovered in the Log4j software that allowed remote-code execution in many applications through web requests and without authentication, ultimately leaving both IT and OT systems at risk of a cyberattack. The severity of this vulnerability and more sophisticated variations of Log4j exploits will emerge with a higher likelihood of directly impacting OT networks.
Additionally, threat intelligence from this year indicates that the attack tooling the bad guys are using to target industrial organizations is getting more and more specialized to not only target connection points or overlap between IT and OT systems, but also to specifically disrupt OT functionality. A new tool called PIPEDREAM manipulates a wide variety of industrial-control programmable logic controllers (PLC) and industrial software, including Omron and Schneider Electric controllers, and can attack ubiquitous industrial technologies including CODESYS, Modbus and Open Platform Communications Unified Architecture (OPC UA). These capabilities make the tool capable of affecting a significant percentage of industrial assets worldwide.
Clearly, now is the time to make IT and OT security integration a corporate priority. Increased collaboration—driven by intentional and thoughtful strategy that’s influenced by the risks and consequences to industrial process—will be the only answer to the cybersecurity challenges of the future. Experienced security professionals and business stakeholders see the meeting of these challenges as a foundational element of securely achieving digital transformation. In fact, many in the industrial space say that cybersecurity is a major market differentiator for organizations as they deploy transformative technological capabilities.
In order to get started in this process, experienced security pros within industrial organizations suggest five ways to get IT and OT to start working together to protect industrial organizations:
- Create cross-functional teams of IT and OT subject matter experts to bridge the cultural divide between operational engineers and IT technologists.
- Hold regular board meetings to discuss security safeguards and bottom-line ramifications, including measures like implementing industry-adopted standards and best practices across the enterprise.
- Ensure enough budget and personnel to improve visibility and detection of threats and vulnerabilities across all environments.
- Map out threat-driven and consequence-driven scenarios most likely to affect high-priority OT assets.
- Leverage partners and third parties to bridge internal gaps in specialized OT security knowledge, visibility, or people power—and tie it to the business problem.
Dan Scali is the senior director of strategy at Dragos
