Amid all the high-profile data breaches and ransomware attacks on IT systems in recent years, the threat to business-critical operational technology (OT) is still often underestimated. Yet attacking tech systems that interface with the physical world is the quickest way to achieve potentially devastating kinetic results. Ukraine, for example, has been on the receiving end of BlackEnergy and Industroyer attacks that successfully sabotaged its essential energy infrastructure.
BlackEnergy was used in the December 2015 attack that caused the first-ever blackout attributed to a cyberattack; Industroyer caused mass power outages for Kyiv residents the following year. In 2022, ESET researchers, together with CERT-UA, broke the news that they had identified a new variant of Industroyer that was scheduled to cut power for a region in Ukraine again but, fortunately, the attack was thwarted in time. Although relatively rare, these incidents highlight that no organization, especially those operating in critical infrastructure, can afford to dismiss the OT cyberthreat.
IT plus OT
Unlike IT, which is designed to manage information systems and apps, OT comprises the software and hardware deployed to monitor and control physical-world processes. It’s commonly found in factories and industrial facilities in the form of industrial control systems (ICS), including supervisory control and data acquisition (SCADA) systems and programmable logic controllers (PLCs). However, sectors as diverse as transportation, utilities and healthcare are also packed full of OT.
Cybersecurity problems in the OT world began in earnest when what had once been air-gapped, purpose-built systems were enhanced with internet connectivity. Although this made them easier to manage remotely, it also exposed them to threats from all corners of the globe. At the same time, the old certainty of “security through obscurity” started to erode, as threat actors probed more OT systems and found it easier to locate information on their configuration and setup online. It also helps their efforts that Windows is often used in SCADA and other OT environments, as are more standardized components.
Unfortunately, the impact of such attacks can be serious, including destruction of critical infrastructure and sabotage of business processes. Last year, there were 68 cyberattacks that disrupted more than 500 physical operations, according to one estimate. That represents a 16% annual increase. Figures cited by McKinsey claim that the cost per incident of serious attacks can be as much as US$140 million. That’s not counting potential regulatory scrutiny in the UK (NIS Regulations) and EU (NIS2).
The threat comes from both financially motivated cybercriminals and nation states. The latter are more likely to be biding their time for a geopolitical flashpoint. One such Chinese state-backed campaign uncovered last year was dubbed Volt Typhoon. In it, the threat actors were able to persist on critical infrastructure networks, with the aim of sabotaging key assets in the event of a military conflict.
Why OT security is hard to get right
OT systems tend to have a far longer lifespan than IT, which can cause compatibility and security issues. It’s also true that cybersecurity hasn’t always been a top priority among OT vendors. One report published in 2022 revealed 56 new vulnerabilities in OT products, with the authors criticizing manufacturers’ “insecure-by-design” practices. The report authors even claimed that many of the issues they discovered were not assigned official CVE numbers, making it harder for asset owners to carry out effective risk management checks.
Internal OT teams also think differently about cybersecurity from their IT counterparts. While the latter are driven by confidentiality – i.e., protecting data and assets – the former prioritize availability (keeping the process running) and safety. This creates challenges for patch and vulnerability management: a patch that requires a reboot, or an unplanned outage to test a fix, is itself a production and safety risk, so hardening exposed systems is often deferred in favor of uptime.
Among the other challenges of OT security, we can list:
- Presence of legacy, insecure communications protocols
- Long hardware lifespans, which can lead to software compatibility issues and force managers to run OT with outdated operating systems/software
- Legacy kit which is too old to run or integrate with modern cybersecurity controls
- Security certifications which don’t recognize serious defects, giving administrators a false sense of security
- Insecure-by-design issues that aren’t reported or assigned CVEs, meaning they fly under the radar
- Siloed IT/OT teams, creating visibility, protection and detection gaps
- Insecure passwords and misconfigurations
- Weak cryptography
- Insecure firmware updates
Securing OT: putting the pieces in place
Ransomware is still among the biggest threats to OT systems, although data theft/extortion, destructive attacks, supply chain threats and even USB-borne malware could pose a risk to these systems. So how do you go about mitigating these risks? As always, a multi-layered strategy focusing on people, process and technology is the way forward.
Consider the following:
- Asset discovery and management: Understand all OT assets, how they function and their security/patching status.
- Continuous vulnerability and patch management: Track vulnerabilities across OT assets and run risk-based patch management programs. Prefer passive network monitoring over active scanning where a probe could disturb fragile controllers, and consider compensating controls such as virtual patching (blocking the exploit path at the network boundary) in environments where taking systems offline to test and patch is impractical.
- Segment and separate networks: Keep the OT network strictly separated from the corporate IT network, with any necessary data flows passing through an industrial DMZ over tightly filtered conduits rather than direct connections, and segment the OT network itself into zones to reduce lateral movement opportunities for threat actors.
- Identity and access management: Deploy multi-factor authentication, enforce least privilege policies and role-based access controls.
- Threat prevention: Deploy security solutions to prevent and detect malware and other threats.
- Data protection: Protect OT data at rest and in transit with strong encryption, and backup regularly to mitigate the impact of ransomware.
- Supply chain monitoring: Ensure all equipment and software suppliers, vendors and managed service providers (MSPs) are covered by a detailed supply chain assurance program.
- People-first security: Revisit security awareness and training programs to create a security-first culture.
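The “legacy, insecure communications protocols” listed among the challenges above, and the segmentation and threat-detection recommendations just given, can be tied together with one concrete illustration. The following is an added example written for this article, not code from the original piece or from any product it mentions. It uses Modbus/TCP as the illustrative legacy protocol: the frame format carries no credential, integrity tag or replay protection, so a controller cannot tell an engineering workstation from an intruder, and the only enforceable check is who is talking to whom. The OT subnet, the allowlisted writer address and the sample traffic are all constructed assumptions for the demonstration.

```python
"""Constructed example: a legacy OT protocol carries no authentication, so the
only enforceable control is who may talk to whom. Modbus/TCP (TCP/502) is used
as the illustration; all addresses and frames below are made up."""
import ipaddress
import struct
from dataclasses import dataclass

# Modbus function codes that change controller state (public function code
# assignments from the Modbus Application Protocol specification).
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}

# Assumed policy for the example: the PLC zone, and the one engineering
# workstation permitted to write to controllers.
OT_ZONE = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_WRITERS = {ipaddress.ip_address("10.20.30.10")}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header (transaction id, protocol id,
    length, unit id) followed by the PDU (function code + data). Notice what the
    format lacks: no credential, no integrity tag, no replay protection."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # The length field counts every byte after itself, unit id included.
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} does not match frame size")
    return ModbusRequest(tid, unit, payload[7], payload[8:])


def build_request(tid: int, unit: int, function: int, address: int, value: int) -> bytes:
    """Build a minimal read (fc 3) or single-write (fc 5/6) request frame."""
    pdu = struct.pack(">BHH", function, address, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def assess(src_ip: str, dst_ip: str, payload: bytes) -> list[str]:
    """Return alert strings for one observed request; an empty list means the
    request is consistent with the segmentation and write-allowlist policy."""
    alerts = []
    src = ipaddress.ip_address(src_ip)
    if src not in OT_ZONE:
        alerts.append(f"segmentation breach: Modbus from {src_ip} outside OT zone to {dst_ip}")
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as exc:
        # A frame the parser rejects is itself suspicious on a PLC network.
        alerts.append(f"malformed Modbus frame from {src_ip}: {exc}")
        return alerts
    if req.function in WRITE_FUNCTIONS and src not in ALLOWED_WRITERS:
        alerts.append(
            f"unauthorized {WRITE_FUNCTIONS[req.function]} from {src_ip} "
            f"to unit {req.unit_id} at {dst_ip}"
        )
    return alerts


# Constructed traffic: an HMI polling, the engineering workstation writing, an
# OT host that should only read but writes, and a corporate host reaching a PLC.
SAMPLE_TRAFFIC = [
    ("10.20.30.20", "10.20.30.50", build_request(1, 1, 3, 0, 10)),      # HMI read
    ("10.20.30.10", "10.20.30.50", build_request(2, 1, 6, 100, 1)),     # permitted write
    ("10.20.30.77", "10.20.30.50", build_request(3, 1, 5, 7, 0xFF00)),  # rogue OT writer
    ("192.168.1.5", "10.20.30.50", build_request(4, 1, 6, 0, 2)),       # IT host writing
]


def run_demo() -> list[str]:
    """Evaluate the constructed traffic and return every alert raised."""
    alerts = []
    for src, dst, frame in SAMPLE_TRAFFIC:
        alerts.extend(assess(src, dst, frame))
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The point of the example is what the parser cannot check: nothing in the frame proves who sent it, so the write from the rogue OT host and the write from the corporate host are both flagged purely on network position. That is why the segmentation advice above matters so much for OT, and why monitoring for writes from unexpected sources is one of the few detections that works against protocols designed before authentication was a concern.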
A few years ago, Gartner warned that by 2025, threat actors would be able to weaponize OT environments to harm or kill humans. As AI makes it easier for attackers to select and compromise exposed targets, it’s more important than ever that asset owners double down on layered security. The recommendations above have never been more important.