Organizations that operate industrial facilities have a responsibility to monitor and mitigate security attacks to maintain the safety of their plant. The problem is that industrial control systems have become more connected, and it is getting vital to regularly prioritize the risks of severe attacks. Addressing weak points in ICS and OT security is not an easy task which requires a holistic understanding of the network environment. In this article, you’ll know why OT security matters and why OT security assessment is more important than ever before.
Table of Contents
What is OT security?
Operational Technology (OT) is hardware and software that monitors and manages processes and physical equipment such as valves, temperature sensors, gas sensors, etc. within industrial processes. It includes a variety of Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA) systems, and industrial internet-connected devices extending to the Industrial Internet of Things (IIoT). SCADA systems allow organizations to control their industrial processes and directly interact with pieces of equipment from a central location. OT is used in several industries including energy, pharmaceutical, aviation, electronics, transportation, and chemical.
According to the “The State of Industrial Cybersecurity” (2019) report by Kaspersky, 70% of organizations surveyed consider an attack on their OT infrastructure. As the use of OT increases, the need to secure these systems to support continuous uptime and safety has never been more critical.
A cyberattack on an OT environment can have devastating and far-reaching consequences beyond financial losses which may include prolonged outages of critical services and even the loss of human life. OT was presumed to have a minimum risk profile with respect to cyberattacks, however, in a digitally connected world, this assumption doesn’t hold true anymore.
Differences between IT and OT security
One major constraint for industrial companies towards protecting industrial systems is a misunderstanding of the difference between IT and OT security. Here’s a rather simplistic way to think about it.
IT stores, retrieves, and transmits data whereas OT uses that data to monitor, control, and operate physical devices, processes, and events. In IT, the confidentiality of data is a key concern whereas in OT the safety of equipment and processes is the main concern.
IT is dynamic, that it has many moving parts and it means that IT has an incredible number of exploit variants. Hence, IT incidents are more frequent. By contrast, OT has a lower number of gateways, making it comparatively safer. OT is engineered for prescribed actions based on content which means things only happen one way. If given a certain input, OT always produces a specific output again and again.
Another difference between IT and OT security concerns security patching. Since IT components progress so fast and have relatively short life spans, IT security updates happen frequently which doesn’t work the same way in OT. In fact, patching OT components require complete shutdowns and are rarely updated. It is true that many OT systems are “insecure by design” and would be at risk from a sophisticated attacker even after vulnerability patching.
The differences outlined above make it clear that IT and OT have different security priorities and different goals for the maintenance of their systems. 80% of organizations surveyed see the expanding interconnectedness of OT and IT as a challenge. This is a result of the digitalization of OT which can expose industrial systems that might not be properly secured to cyberthreats.
Why does OT security matter?
As a society, we all depend on operational technology for a wide range of critical industrial processes. The growing costs of industrial machinery and the serious devastation that an attack could deliver for the economy are crucial factors to consider for organizations that want to boost the protection of their industrial networks.
Considering the increasing cybersecurity risk exposure, OT systems have become a more lucrative target to hack attacks. This interest is noticeable in the growing availability of productized exploit kits and new monetization opportunities such as ransomware particularly developed to hack industrial systems.
3 main OT security attack vectors
When it comes to defining the attack surface, 3 technology perspectives have to be examined.
- Network attack surface: it presents exposure related to ports, protocols, channels, services, network applications and firmware interfaces. Depending on the organisation’s infrastructure, cloud servers and data could also be included.
- Software attack surface: its surface is comprised of the software environment and its interfaces. The software attack surface is calculated across a number of different types of code, such as applications, email services, configurations, databases, executables, web pages, mobile device OS, etc.
- Human attack surface: one of the important strengths of highly secure organizations is their emphasis on delivering security awareness and safety principles to their employees, partners, supply chain and even their customers.
Remember: the most important steps toward protecting your systems are taken before a threat is detected. There should be no compromise on OT security, but you can’t secure what you can’t see, and you can’t manage what you don’t know.
Major OT systems attacks of all times
According to the IBM X-Force Threat Intelligence Index report (2020), events in which threat actors targeted Industrial Control Systems (ICS) and similar OT assets increased over 2000% since 2018. Most of the attacks were centered on using a combination of known vulnerabilities within SCADA and ICS hardware components, and password-spraying attacks using brute force login tactics. This type of attack is effective because many users use simple and predictable passwords, so make sure you are aware of password security best practices. Below we outlined the 3 biggest cyber attacks in history against OT systems.
- APT attack against a steel mill located in Germany (2014): German steel plant Suffered massive damage from targeted attacks. The incident was confirmed by the Federal Office for Information Security (BSI) of the German government in a security report. This attack appeared to especially target operators of industrial plants which caused components of the plant controls to fail. SANS Institute found that the criminals targeted on site personnel and obtained access to the steel mill network through a spear-phishing attack. It was probable that the email contained an attached file that, once clicked, activated the malicious code within the mill’s production systems. The attack resulted in an incident where a furnace could not be shut down in the usual way and the furnace was in an undefined condition which led to significant damage to the whole system.
- The first-of-its-kind attack on Ukraine’s power grid (2015): Ukranian electricity distribution company Kyivoblenergo’s SCADA systems were attacked. As a result, 30 substations were disconnected for 3 hours and nearly 230000 customers lost power. The initial part of the attack was believed to exploit an updated version of the BlackEnergy malware. The malicious code was delivered via emails with malicious files, targeting specific people within the different energy organisations with the aim of gaining administrator credentials and access to the energy substation networks. What made this attack notorious was that the hackers were skilled and stealthy strategists who thoroughly organised their assault over several months, first conducting their inspection to study the networks and extract operator credentials, said Wired.
- A coordinated cyber assault against a small dam north of New York City (2016): Hackers tied to the Iranian government were charged in a series of cyberattacks on several financial organisations and a dam outside New York City. The group has repeatedly obtained access to the control system of the Bowman Avenue Dam, a small flood-control structure in Rye Brook, which is 30 km north of New York City. Having such access allowed the hacker to get information about the dam’s operations, such as its water level and temperature. In fact, this assault has threatened US economic well-being and its ability to compete fairly in the global marketplace.
OT security framework and regulations
Organizations need to ensure their OT holds a solid framework of policies and guidelines to boost their security posture and meet best practice security standards. OT security frameworks provide companies with comprehensive guidance which addresses topics like risk management, system development, documentation protection, incident response, disaster recovery, and etc.
In some countries, there are no industry-wide regulations for OT cybersecurity. Hence, the NIST cybersecurity framework for OT is widely acknowledged as useful since it was developed to protect the most demanding critical infrastructure assets. This framework provides structure to today’s cybersecurity by assembling standards, guidelines, as well as practices that are working efficiently in the industry today. That said, general IT standards are not that appropriate for OT environments.
The EU legislated its NIS Directive in 2016 on the security of network and information systems, which included critical infrastructure components. Another important step by the EU was to develop a report named “Mapping of OES Security Requirements to Specific Sectors“. This report provides the security measures for the operators in the business sectors, including energy (electricity and oil), transport, banking, financial market infrastructures, health, and digital infrastructures.
Another noteworthy security framework is developed by the International Society of Automation that is called the Industrial Automation and Control Systems (IACS) framework. It examines how and why OT and ICS need unique types of protection against cyber threats, helping users understand how to evaluate the security of industrial automation and control systems. The ISA/IEC-62443 was developed to protect industrial automation and control systems throughout their lifecycle. This standard takes a comprehensive approach because not all risks are technology-based, that the staff responsible for control systems should have the necessary training and knowledge to ensure security. It stresses the importance of applying risk-management methods whenever handling both processes and technical features and addressing all facets of security as part of an integrated framework.
OT security assessment
Why do organizations need OT security assessment in the first place? Ongoing assessment of OT operations allows the detection of events that even if not malicious can reveal the need for protection improvements and detect any process vulnerabilities. The assessment must comprise of the following:
- OT asset identification : it includes all hardware, software, as well as integration points between systems and between OT and IT systems.
- Vulnerability assessment: it entails identifying, evaluating, monitoring and reporting on software insecurities and misconfigurations of endpoints. In fact, this is a complicated area, requiring manual effort along with the involvement of several systems.
- Threat landscape model: it requires the identification of the security requirements of mission-critical system or processes. Based on that model, organizations may understand the actions that can be taken to mitigate each threat and verify the success of actions taken.
Assessing OT security risks will yield a number of benefits. Firstly, it will give a thorough understanding of various OT devices and their functionality. Secondly, this assessment will help the organization discover threats to its OT environment and prioritize remediation efforts using a consequence-led approach.
Final words on OT security assessment
Digital technology combined with industrial expertise could achieve a 20% performance increase. Nevertheless, with a growing number of interconnected devices helping to manage operations comes greater security needs. Companies need to completely understand what’s happening in their networks to secure them. Given the unique nature of OT networks, companies should invest in OT security assessment to detect security threats and act with greater precision to maximise business operations.
Do not forget to check back often for our weekly blog posts and the latest updates. Knowledge increases your success rate, hence why not to start with the following blog posts: How to Protect Yourself Against Mobile Malware and Mobile Banking Security. In case you are a great fan of visual information, here is what you need to consume: Cyber Security Infographic: Cyber Attacks [June 2021]