For decades, industrial asset owners haven't considered their industrial control systems (ICS) and operational technology (OT) environments a significant security risk. But in recent years, as they sought to unlock business value through digital transformation, ICS/OT environments steadily became connected to enterprise IT networks to optimize efficiencies and facilitate data sharing with the outside world via the internet.
This ongoing convergence of IT and OT networks has opened up a new attack surface that has become ripe for bad actors. Everyone from nation-state advanced persistent threat groups to ransomware gangs have looked to target OT/ICS networks.
For proof, we need look no further than the Cybersecurity Advisory recently sent by the U.S. government by the U.S. government agency CISA, warning that the People's Republic of China state-sponsored group Volt Typhoon has been seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the U.S.
CISOs, whose scope includes the ICS/OT environments that critical infrastructure uses, must have deep understanding of both IT and OT environments. While IT security primarily focuses on protecting data and maintaining confidentiality, integrity, and availability, OT security has additional challenges, such as ensuring the continuous, safe operation of physical equipment and processes. This dual charge often means that CISOs must adapt and apply cybersecurity strategies in ways that defend without disrupting critical infrastructure and operations.
Most OT attacks begin with a compromise of the IT network
It's not simple to launch an attack on an OT network. These attacks require intricate planning and extensive reconnaissance. A highly-skilled adversary aiming to interfere with or alter an industrial process must first gain access to the OT network.
Spear-phishing attacks are widely-used to target employees for login credentials and remote workstation access. Some of the most high-profile cyberattacks that use purpose-built OT malware, such as Triton, BlackEnergy, and Industroyer, were executed precisely this way.
Volt Typhoon has been observed targeting the personal emails of important network and IT staff. They have also excelled at exploiting known or zero-day bugs in internet-facing devices such as routers, VPNs, and firewalls to get a foothold in the IT network.
IT network compromise gets followed with concealment
After securing initial access to the targeted environment, adversaries must maintain it long enough to gather the right information. This requires mapping the network, figuring out how to pivot to the OT systems, learning about the industrial control processes, and determining how to bypass the security controls to execute their final objective.
Take the Volt Typhoon example: the threat actor employs living-off-the-land techniques to great effect, avoiding detection and maintaining prolonged access to the target's IT environments -- in some cases, as much as five years. Once in the network, they conduct pre-exploitation reconaissance of the target's network, harvest credentials, achieve full domain compromise, gain elevated access, and get access to the target's OT assets.
Maintaining basic cyber hygiene of IT networks with vulnerability scanning, patching policies, and multi-factor authentication can go a long way toward reducing exposure and mitigating attack vectors to prevent access in the first place. However, these practices require careful consideration for OT networks.
For example, active scanning often creates issues in OT environments because there's nearly zero tolerance for impacting downtime and uptime in industrial operations. Patching in OT environments becomes more complex as it affects system availability and downtime, which can disrupt operations, lead to significant financial losses, or even pose safety risks.
Take engineering workstations and human machine interfaces (HMIs). They often run commercial operating systems such as Windows and Linux with known Common Vulnerabilities and Exposures (CVEs). The Common Vulnerability Scoring System helps security teams prioritize CVE risks and guide patching and mitigation strategies in IT security. However, in OT, different dimensions of risk exist beyond the business criticality of an exploited flaw. Teams need to take operational and physical ramifications into account. Some OT environments have intertwined the HMI component with the OT devices, making it nearly impossible to patch the IT component.
The need for continuous IT/OT visibility
The integrity of OT networks relies on vigilant, ongoing security management. CISOs must take full cybersecurity assessments that evaluate the traditional security controls of IT networks, while also encompassing the unique aspects of industrial systems and OT networks.
The attack surface of the integrated IT/OT network has different gaps and weak points that teams need to address compared to looking at each network in isolation. It can also require different security controls. It's essential to have visibility into how an integrated IT/OT ecosystem responds at each stage of an attack to identify and remediate points of "spill-over" from one network to other other during an attack.
Teams need to gain visibility into the combined IT/OT environment and continuously test security controls across the IT network through the OT demilitarized zone and the critical OT operations control layer. CISOs must do the following:
- Maintain an OT focus. Work with intrusion detection systems designed for OT environments and recognize their unique protocols and network traffic patterns. Threat-hunting teams in OT need specialized knowledge and training in industrial control systems like SCADA, PLCs, DCSes, and OT network protocols (like Modbus, DNP, or Profibus) that are not commonly found in IT networks
- Employ continuous monitoring tools. This would include breach and attack simulation platforms and security information and event management systems. These tools allow for real-time analysis of security alerts generated by applications and network hardware. Others can test security controls by continuously running simulated attacks based on an adversary's tactics, techniques, and procedures to proactively test and validate the efficacy of security layers from the IT to the OT layer.
- Segment networks. Aim to isolate and protect sensitive OT environments from potential threats in IT networks. Performing lateral movement simulations can identify the locations of weakness in segmentation and access controls. Test these at different times during production operations and across various network segments to gain an enterprise view of potential attack paths and prioritize bugs without disrupting the business. Segmentation doesn't need to impede the flow of essential information. Regular cross-departmental meetings, joint training sessions, and integrated cyber policies can help synch efforts across IT and OT networks.
Constant vigilance and proactive measures are crucial for cybersecurity in IT/OT networks. In these critical systems, cybersecurity does not mean just protecting information: it's about ensuring the operational integrity and safety of the infrastructure society relies upon.
Avishai Avivi, chief information security officer, SafeBreach
