What keeps OT security specialists up at night? It’s mostly problems from the IT world, says Andy Norton, European Cyber Risk Officer at Armis.
Operational technology (OT) used to be the specialist networks nobody in IT bothered with, or perhaps thought they didn’t need to. For a while, that seemed reasonable; OT networks were usually isolated from IT operations, sat behind air gaps, and ran on obscure operating systems.
Then organisations across every sector of energy and critical infrastructure started connecting to IT networks due to performance efficiencies, production boost and, ultimately, monetary gain. Networking, remote management, and wireless connectivity were all the rage and it made sense for IT and OT to be one from an admin point of view. Pretty soon OT stopped being the safe backwater everybody had assumed it was.
Organisations, and increasingly regulators, must now live with the implications of this for cybersecurity. Although examples of severe compromise remain largely hypothetical, there have been several real-world attacks from energy infrastructure in Ukraine to water plants in Florida to underline that if things went south, it could happen very suddenly.
At the same time, the number of OT connected systems and devices is surging, covering everything from supervisory control and data acquisition (SCADA), manufacturing execution systems (MES), discrete process control (DPS), programmable logic controllers (PLCs), telematics, robotics, and even personal technologies such as the Internet of Medical Things (IoMT).
With isolation disappearing as these systems are connected to mainstream IT networks, the question is how organisations should approach the security problem anew when doing nothing is not an option. Established security vendors have added extra layers to their platforms to fill the gap but there has also been a smattering of specialists entering the market, including Armis.
So how should organisations break down the OT security problem in order to better manage it? The Guru decided to ask Armis’ European cyber risk officer, Andy Norton for his thoughts.
Vulnerabilities, especially in IT
If attackers want to exploit software vulnerabilities in OT, they now have plenty to aim at. This class of weaknesses has grown rapidly in the last decade from almost nothing to a list that’s no longer compact enough to reel off from memory. Armis’ own white paper on the topic mentions these for starters:
- July 2019: URGENT/11 affects billions of industrial and medical devices
- June 2020: Ripple20 TCP/IP vulnerabilities affect more industrial devices
- July 2020: NSA and CISA warn of the OT/ICS “Perfect Storm”
- January 2021: Westrock core OT systems attacked
- February 2021: Oldsmar Water Treatment facility control systems breached
- April 2021: NAME:WRECK vulnerabilities discovered affecting OT devices
- April 2021: MSFT discloses Bad:Alloc vulnerabilities affecting OT devices
- May 2021: Colonial Pipeline infrastructure shutdown
In July 2021, Armis disclosed a new vulnerability the company discovered in Schneider Electric Modicon PLCs, which could allow an authentication bypass leading to a remote code execution on unpatched equipment. So far, the most significant real-world attacks on SCADA and ICS OT have all been reliably connected to nation state espionage; for example, Stuxnet and Triton.
However, the last on this list, Colonial Pipeline, is revealing because what disrupted the company’s operation was an everyday ransomware attack on the IT system that affected its billing capability, not the OT network itself.
So, there are really two problems here, the biggest of which is the interconnectedness of IT and OT – to the latter’s detriment. Vulnerabilities in OT equipment are a second layer of weakness which can only be exploited in specific circumstances.
The risks of common IT problems such as theft of credentials varies a lot depending on the OT environment. Norton gives the example of oil and gas.
“A compromised credential or RDP will not be a risk to the ICS environment because they’ve implemented so many layers of segmentation – just because you get into the IT environment, doesn’t mean you are necessarily going to get into ICS. But just by visualising someone’s network, we can see who’s thought about this issue and who hasn’t.”
Equally, he admits in the few cases segmentation has not been implemented properly, “programmable logic controllers (PLC) can talk to printers and there is no role-based access control. If someone compromised a VPN, they could basically go anywhere on that network.”
What are the top routes to infection from IT to OT? Norton cites “Infected laptops belonging to maintenance engineers, USB sticks, an unauthorised wireless device, or even a malicious insider.”
OT devices don’t run antivirus
It sounds like an obvious point, but for a variety of reasons to do with their design and history, OT devices can’t run a conventional security client. Consequently, gathering visibility on what is happening on an OT device must be done by alternative means using an agentless approach. Armis’ approach sounds simple enough – monitor network traffic passively without affecting production.
“In OT environments, it’s basically a network TAP. It passively listens to all the traffic on that network and builds an inventory based on that. Not only do we have the assets, but we look at the activity of those assets as well to build a profile of behaviours,” says Norton.
Ironically, where malware is discovered running on an OT device, the OT team might not let the IT department clean it up because they’re worried about a service outage. “We routinely see old infections in OT environments.”
Asset blindness
This agentless approach has the added benefit that it gives organisations full visibility on what devices are connected to their networks, often for the first time. It’s an extraordinary discovery; despite the controlled nature of OT environments, some organisations have no way of knowing with any certainty that rogue devices aren’t out there.
“Once this asset database has been created, organisations can ask important questions, such as why have we got two of these devices when we have no record of purchasing them? Or why are these devices trying to talk to a website?” said Norton.
The catch is that identifying devices is not as easy as it sounds. “Often it takes multiple types of traffic to build a decision about what a device is. Because we’re continuously listening when that device sends out a beacon of some sort, we will capture it at that point.”
One complication with this is that some PLCs are less ‘chatty’ than others, which makes identification harder. For example, Rockwell PLCs communicate more frequently than Siemens PLCs, says Norton. “Making sure you’re listening 24×7 is a good way of finding those.”
A particular challenge are ‘sporadic’ devices which only activate at specific times and might be missed by a periodic asset inventory. That is why the Armis network TAP must remain turned on around the clock, he adds.
SoC team, what SoC team?
“There is a governance requirement to make sure that the adequacy of security is equivalent to that of IT, but you have to do that without the same resources,” he says citing the growing influence of NIST’s Cybersecurity Framework as well as the UK National Cyber Security Centre’s Cyber Assessment Framework (CAF).
Then we reach the punchline: “In IT, there is always a tier one security team, SoC analysts who look at all the alerts. That doesn’t exist in OT. Very often, it is the IT people who contact the OT people.”
This has led to a convergence in which IT operations take over OT security because that outcome seems logical. The problem is that IT people don’t understand OT security issues. Underlying this is the issue of what a security event looks like in OT networks which are connected to IT but not to the Internet itself.
Nobody listens to OT people
The issue of not being listened to is one you hear across almost every technology specialism. OT is no different, although the consequences might be more serious, according to Norton.
Often, the OT people will only know which devices are on their network because their Excel spreadsheet tells them this much. However, what they do have a better understanding of is how to keep these networks running, and the operational risks that come with other departments poking around. Ultimately, ignoring their expertise isn’t going to be the best security policy.
“The OT team is not typically part of what the overall IT governance looks like, so it is likely to be viewed as an outlier in terms of risk management and framework adoption. If you are an OT person, the issue is less about convergence with IT than being completely consumed by it. Communication can help a lot in these instances. IT and OT teams need to work together – and technology can help bridge this gap,” he concluded.