Securing OT Networks Against Rising Attacks


Operational Technology (OT) networks play a critical role in manufacturing, defense, emergency services, food and agriculture, financial systems, and critical infrastructure, just to name a few. OT networks and devices include supervisory control and data acquisition (SCADA) systems and industrial control systems (ICS). They might be deployed anywhere: inside an automated manufacturing floor, outside a chemical processing plant managing valves and switches, on a rig in the middle of the ocean, or out in the arctic monitoring oil and gas pipelines. OT systems often perform simple yet essential tasks, such as monitoring a valve and shutting it off when a certain value is triggered. As a result, they can perform their tasks with little change for years, which also means they sometimes run on aging operating systems and obsolete hardware using home-grown applications. Since the goal for an OT system is to run exactly as designed, even patches are only applied if they do not hinder the process the OT system controls.

These systems have traditionally been kept separate from IT networks, and are even often owned, managed, and operated by a different team inside the organization. One reason is that OT systems are often tasked with monitoring and managing the highly sensitive processes associated with critical infrastructure. The other is that these systems can be notoriously delicate. Something as benign as an active system scan can cause these devices to fail. And any failure or compromise can have serious if not catastrophic results.

However, new requirements being driven by digital transformation, such as smart environmental control systems, just-in-time manufacturing, and interactive systems tied to Big Data have begun to change all of that. In addition, companies are looking for productivity improvements and cost savings by implementing changes such as optimizing plant operations, deploying a more flexible operating environment, or establishing a more proactive inventory control system that requires real-time online data.

As a result, many of today’s OT systems are transited or tunneled over corporate networks, leverage common internet protocols, run on general-purpose hardware and mainstream operating systems, and are increasingly connected via wireless technologies. This also makes them targets for cybercriminals looking to steal data or proprietary processing systems, or simply to cause havoc.

In the Q3 2017 Threat Landscape Report, the FortiGuard Labs team identified a number of new attacks targeted at ICS, which generally lie much further under the radar than those targeting widespread IT applications. For instance, the most prevalent ICS-related detection in Q3, according to our sensors, was reported by nearly 1 in 100 firms. However, this seemed to be an anomaly, as no other ICS exploit even crossed the 1 in 1,000 threshold. Since then, however, FortiGuard has seen a steady uptick in ICS exploit activity, and our intelligence operations suggest these under-the-radar attacks might be climbing higher on attackers’ priority lists.

A case in point is the recent revelations around the Triton (Trisis) attack. Triton targets safety instrumented systems (SIS), and is very sophisticated in nature, especially with regard to its ability to cover its tracks and thwart forensics. SIS are designed to protect assets and ensure a safe and stable environment within a plant, and Distributed Control Systems (DCS) allow a plant operator to control industrial processes within their environment. In order to control costs and simplify ease of use, many plants are moving towards integrating DCS and SIS machines, making these systems a tempting target of attack.

Fortunately, in the case of Triton, plant operators were able to discover the attack because safety mechanisms put the SIS into failsafe mode as a precautionary measure when the attack caused the SIS system to behave in unexpected ways. However, we can’t rely on this sort of serendipity to protect us. This attack is especially concerning because our analysis of Triton indicates that it was designed to cause physical damage. Scenarios for achieving this include hijacking the SIS to terminate processes, run in an unsafe state, and even manipulate other DCS controls. To cover its tracks, Triton is able to overwrite the malware itself with garbage data to thwart forensic analysis.

As OT-focused threats evolve, the ability of this sort of malware to obscure its presence, especially if combined with intelligent swarmbot technology designed to actively discover vulnerabilities and test and share exploits, could have catastrophic results. It would also make it even more difficult for law enforcement and forensic investigators to determine the cause of an OT compromise or failure, making it harder to prevent similar attacks in the future.

Unfortunately, far too many OT networks fall into one of two categories: those designed without any security, and those with inadequate protections in place. Part of the reason for this is that, until recently, there was no real evidence that there was any need to protect fully isolated OT systems against cyber threats. But integration with IT has led to the advent of new threat technologies like SHODAN and devastating breaches like STUXNET. The Ukrainian electrical distribution and transmission cyberattacks, along with others, have made it clear that there is an urgent need to protect OT systems, especially for critical infrastructure.

Securing OT networks requires an integrated approach that includes identifying assets, establishing user identity and Role-Based Access Controls, segmenting OT systems and devices, actively monitoring lateral traffic, identifying and isolating vulnerable or compromised devices, encrypting communications, securing industrial IoT devices, establishing vulnerability identification and patch management protocols, employing active behavioral analytics, deploying ruggedized devices where needed, and ensuring compliance with standards such as NERC v5, FERC, IEC-62443, ISA-99, and ISO 27001.
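As an added illustration of the "segmenting OT systems" and "monitoring lateral traffic" controls above (example code written for this page, not code from the article or from Fortinet), the following Python sketch checks exported flow records against a per-zone allowlist, flags IT-zone hosts reaching industrial service ports in the control zone, and flags one source touching many ports on one device, since, as the article notes, even an active scan can crash OT equipment. The zone ranges, permitted ports and flow records are constructed assumptions.

```python
"""Passive lateral-traffic check for a segmented OT network (constructed example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical zones: corporate IT, supervisory (SCADA/HMI), control (PLC/SIS).
ZONES = {
    "it": ip_network("10.1.0.0/16"),
    "supervisory": ip_network("10.2.0.0/24"),
    "control": ip_network("10.3.0.0/24"),
}
# Permitted zone-to-zone conversations and the TCP ports each may use.
ALLOWED = {
    ("supervisory", "control"): {502, 20000},  # Modbus/TCP, DNP3 polling
    ("it", "supervisory"): {443},              # historian web access
}
ICS_PORTS = {102, 502, 20000, 44818}  # S7comm, Modbus/TCP, DNP3, EtherNet/IP
SCAN_THRESHOLD = 5  # distinct ports from one source to one host

def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is in no zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def analyze_flows(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port). Returns findings as
    (kind, src, dst, detail) tuples; an empty list means nothing anomalous."""
    findings = []
    ports_seen = defaultdict(set)
    for src, dst, port in flows:
        pair = (zone_of(src), zone_of(dst))
        ports_seen[(src, dst)].add(port)
        # Intra-zone traffic is out of scope here; cross-zone must be allowlisted.
        if pair[0] != pair[1] and port not in ALLOWED.get(pair, set()):
            kind = "ics-from-it" if pair[0] == "it" and port in ICS_PORTS else "cross-zone"
            findings.append((kind, src, dst, f"{pair[0]}->{pair[1]} tcp/{port}"))
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= SCAN_THRESHOLD:  # port sweep against a single device
            findings.append(("possible-scan", src, dst, f"{len(ports)} ports"))
    return findings

SAMPLE_FLOWS = [  # constructed flow records
    ("10.2.0.10", "10.3.0.5", 502),   # HMI polling a PLC: allowed
    ("10.1.0.20", "10.2.0.10", 443),  # IT user to historian: allowed
    ("10.1.0.44", "10.3.0.5", 502),   # IT host speaking Modbus to a PLC: flagged
    ("10.3.0.6", "10.3.0.5", 502),    # PLC-to-PLC inside the control zone: ignored
] + [("10.1.0.44", "10.3.0.7", p) for p in (21, 22, 23, 80, 8080)]  # sweep

if __name__ == "__main__":
    for finding in analyze_flows(SAMPLE_FLOWS):
        print(*finding)
```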

Doing this requires a security approach that transcends traditionally separate and isolated security devices. OT networks can cover huge amounts of real estate and span a variety of network segments. Protection requires broad, integrated, and automated security systems that can see and respond to threats immediately, anywhere across the extended network. Today, the most effective approach does not involve deploying more of the traditional security devices and platforms that limit visibility, collaboration, and control. What’s needed is a security fabric.

The bottom line for OT managers and critical infrastructure owners is being able to provide the energy, food, pharmaceuticals, water or other services that consumers require without interruption. This also means that security cannot afford to get in the way of making that possible, and tools that do are likely to be ignored or bypassed. The ROI on cybersecurity for OT has to be continually weighed against the costs of not being able to produce an end product in the event of a catastrophic cyber incident. And given the rise in OT-focused threats, that seems to be more a matter of when than if.

Copyright © 2018 IDG Communications, Inc.