Skyrocketing cyber and operational risk from the ever-expanding overlap between information technology (IT) and operational technology (OT) networks is forcing many organizations to assess and improve their cybersecurity postures to meet the challenges of the Fourth Industrial Revolution. With the exposure of legacy OT devices to the Internet, and new attacks specifically built for them, industrial control system (ICS) network protection is now commanding board level attention. The reality is that the failure of an ICS network controlling critical infrastructure like an electricity grid, oil rig, or emergency response services could have catastrophic results.
Our experience with monitoring and securing OT networks in the field has revealed 4 unique challenges that the IT-OT convergence is creating for critical infrastructure companies:
Increasing Cyberthreats Targeting OT/ICS Networks
The presence of newer, IP-connected devices in OT networks makes them vulnerable to Internet-based threats and is a major contributing factor to the rising tide of cyberthreats targeting OT systems. Additionally, many companies are now using third-party vendors as a cost-effective alternative to onsite staff to patch, update, and repair their systems. Unfortunately, the remote desktop protocol (RDP) used for remote access is incredibly vulnerable to exploits, and adversaries will often leverage this to gain access to the corporate network and compromise OT devices. The end result is that networks with proprietary systems and legacy technologies, once isolated from the Internet, now require protection from traditional IT cyberthreats.
Cyber adversaries are constantly working to create innovative attacks capable of shutting down critical OT networks. There’s a new breed of attack wreaking havoc in networked OT infrastructure that combines methods like ransomware, wipers, bricking capabilities, botnets, data exfiltration and network reconnaissance tools, which we refer to as “disruptionware”. This category of malware includes the LockerGaga ransomware, Triton/Trisis, and BlackEnergy. All three of these were about more than just preventing access to systems and data. The goal was specifically to suspend operations and/or undermine safety by freezing an industrial process that controls the critical infrastructure services that so many depend on.
Disruptionware’s high success rate and minimal required effort make it an attractive tool for any malicious actor, from novices to nation-state sponsored attackers. Consider the results of a corporate sabotage that leverages disruptionware. An organization seeking to win a lucrative contract could launch an offensive against a competitor’s network by encrypting their OT network, freezing operations and causing disruption.
Because disruptionware typically originates in an IT network, it’s important to implement tools and procedures to monitor both IT and OT environments. If your organization is compromised, network monitoring tools can track the movement of a threat on your network to provide valuable data that helps reduce mean time to respond (MTTR).
The Internet of Things (IoT) Explosion
A 2018 Forrester report revealed that 100% of organizations now have IoT technologies connected to their ICS networks. This is a big deal since many of these IoT devices are consumer-grade technologies that are 1) mostly unmanaged 2) come from a multitude of vendors 3) use non-standard operating systems 4) support a diversity of often insecure protocols, and 5) may dynamically connect to other devices inside or outside the organization’s network. Additionally, bad security practices like default or simple credentials, unencrypted traffic and lack of network segmentation remain common.
Our research team has done extensive testing on how vulnerabilities like unencrypted protocols and misconfigurations in IoT devices can be exploited, which you can read more about here. They found that devices ranging from video surveillance systems to smart lighting could be used as an entry point to pivot into the broader organizational network. They also demonstrated how the very common MQTT protocol can be used to infiltrate a network to gather information like available assets and their location, configuration information and even sensitive information like credentials.
Long story short, IoT devices provide a slew of entry points for an adversary and are relatively simple to use to enter a network. As the scale and diversity of IoT devices grow, monitoring and controlling them should become a critical focus of an organization’s cybersecurity plans.
Increasing Workloads for SecOps Teams
The mounting pressure to bulk up OT cybersecurity has resulted in security leaders at many critical infrastructure organizations investing sizeable amounts of money into the latest and greatest cybersecurity tools. Security operations centers that were once intended to monitor primarily IT systems are now responsible for overseeing the security of their entire OT infrastructure, as well.
Keeping up with the large amounts of data that these OT network security tools can generate is a tough task for overloaded security teams to keep up with. Many analysts are now responsible for thousands of devices, and alerts indicating potential areas of risk like changes in communication behavior and insecure protocol communications are a daily occurrence. Manually piecing together all of this information is incredibly time-consuming, and new vulnerabilities affecting OT devices are coming out with increasing frequency, adding to the problem.
Choosing the right security tools can lessen this burden. Sometimes organizations are using many disparate tools that cause them to have to manually analyze data, when they could be using additional features within tools they already have. Using something that offers visibility and control for IT and OT networks from one interface can help reduce the burden of piecing together security and operational alerts from separate tools. A tool that regularly updates its CVE database and offers impact-based risk scoring can help further automate risk analysis.
Complex Compliance Fulfillment
Maintaining compliance with regulatory standards like the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) standards and the European NIS Directive is more important than ever as standards become more stringent and penalties larger. This is underscored by the $10 million fine issued by NERC CIP this year, the largest public fine in its history. Most, if not all, regulatory compliance standards require comprehensive asset visibility and management as a foundation.
To achieve this many organizations implement manual compliance processes, sending staff to perform site visits and map assets as best they can, while compiling this data for their reports. Despite these costly and labor-intensive efforts this process is tedious and error-prone, and the possibility of being fined for non-compliance remains relatively high. Automating asset inventory and management, as well as the required reporting for audits, can help reduce an organization’s compliance burden.
Understanding how your IT and OT networks interoperate can help holistically manage risks to OT infrastructure and is increasingly vital to help minimize the potential for disruption. In a recent SANS State of OT/ICS Cybersecurity Survey, increasing visibility into OT/ICS networks was stated by respondents as the number one business priority for 2019.
Want to learn more about how industry risk experts feel about the IT/OT convergence conundrum? Watch the short video below to hear Jack Jones, Chairman of the FAIR Institute, and Guarav Pal, CEO of StackArmor, weigh in on how to effectively address the unique risks posed by IT-OT convergence, including:
- Understanding how IT and OT networks interoperate to identify critical areas of risk.
- Quantifying risk for IoT and OT devices that cannot be traditionally scanned.
- Gaining deeper visibility into IT, IoT and OT networks to be able to see and protect the “crown jewels” of your enterprise.