Securing Operational Technology (OT) networks

C1ph3r
8 min read, Jan 8, 2023


In a wide range of asset-intensive industries, computerized systems known as operational technology (OT) networks are utilized to manage physical industrial activities.
They carry out an extensive range of duties, from keeping an eye on vital infrastructure to managing robots on a factory floor.

The hazards of cyber attacks on OT networks are increasing as critical infrastructure modernization projects pick up speed.
In the past, OT systems were isolated from the Internet, but as society becomes more digital, OT and IT are becoming more integrated.
This, however, also makes hundreds of millions of OT and Internet of Things (IoT) devices, including electricity and medical equipment, exposed to attacks.

The COVID-19 pandemic has exposed weaknesses in cybersecurity infrastructure and created a host of new difficulties, further blurring the line between the physical and digital worlds.

Workforce shortages on-site are one such difficulty in the post-pandemic scenario.
One of the main causes of on-site staffing shortages is that businesses are implementing split teams and hybrid work arrangements in response to COVID-19-related constraints.
This frequently results in longer maintenance cycles and workarounds such as remote service assistance from contractors.
Supply chain risks have increased as a result.

Virtual Private Networks (VPNs) have become widely used by businesses to facilitate remote access.
However, this has the potential to become a double-edged sword, because attackers might use the same VPNs to obtain unauthorized access to the company’s systems.

Cyber attacks on OT systems can have catastrophic and extremely damaging effects: attackers may disable vital infrastructure such as water plants, fuel pipeline facilities, and power grids.

This is why, according to the US Industrial Control Systems Cyber Emergency Response Team’s (ICS-CERT) Outlook Pulse Survey, business leaders see cybersecurity risk as the biggest threat to the expansion of their organizations over the next three years.

Three types of attacks on OT networks

Generally speaking, organizations confront three types of attacks today: direct attacks, indirect attacks, and reconnaissance attacks.
All of them may expose weaknesses in vital supply lines, which could ruin an organization’s regular operations.
In dire circumstances, they might shut down a vital industry on which many people rely.

Direct attacks: Direct attacks are launched to harm a particular target OT system.
Recent incidents at a power system in Europe and a water plant in the US are two instances of attackers using remote connections to launch such attacks.
Once systems have been penetrated, attackers may introduce malicious software, changing the control logic and causing the system to malfunction.
This is what happened with the malware known as Triton, which remotely took control of an energy plant’s safety control workstation.
Investigators discovered that the first system to be infiltrated was an engineering workstation (EWS) for Safety Instrumentation Systems (SIS).
The EWS then communicated directly with the SIS controllers over the UDP protocol. Four binaries embedded in a compiled Python script, together with two other files aimed at a particular SIS controller, were uploaded to the controllers.
This is how the attack caused the SIS to shut the system down.

Indirect attacks: Indirect attacks are also on the rise.
Although they do not directly affect OT systems, they can nonetheless have a negative impact on the environment, threaten the safety of processes, and even endanger human lives.
Recent examples include ransomware attacks on a US gasoline pipeline and an EU university hospital.
In both instances, operations were halted and significant damage resulted, even though the attackers’ initial targets were IT systems rather than OT networks.
The gas pipeline attack was connected to a criminal organization operating a Malware-as-a-Service model, which specializes in creating ransomware and selling it to affiliates in exchange for a cut (Ransomware-as-a-Service, RaaS).
Using stolen credentials to access the organization’s IT systems, the attackers released ransomware that reportedly affected the company’s billing systems, shut down endpoints, and leaked terabytes of private data.
The corporation was forced to shut down 5,500 miles of pipelines while it investigated the extent of the infection in its systems.
The disruption can be compared to the aftermath of natural disasters like hurricanes, which frequently force pipeline and refinery sections to shut down for days or weeks.

Reconnaissance attacks: Reconnaissance attacks do not immediately cause disruptions.
Attackers may lurk in an environment in order to gather information, exfiltrate private data, and carry out cyber espionage.
The HAVEX attack, launched by an advanced persistent threat (APT) group, is one well-known example.
It used a remote access Trojan (RAT) that was downloaded from OT vendor websites. The RAT then used Open Platform Communication (OPC) to search for devices on ports frequently used by OT devices.
The information gathered was transmitted back to the attacker’s command and control (C2) server.

The supply chain may be vulnerable to all three forms of assaults, as was noted in the preceding section.
Attackers may decide to focus on various stages of the system life cycle, including design, development, distribution, maintenance, and disposal, in order to disrupt supply networks.

Malicious information concealed within reputable or trustworthy items is frequently used to target supply networks.
This approach gives attackers a way to get to lots of targets.
One of the most well-known instances was malicious code being introduced into the source code immediately prior to the software patch’s final build.

More than 20,000 end users, including government agencies and commercial businesses, were affected by the contaminated updates.
Attackers may misuse trust in purchased software and hardware by compromising open-source code, compromising code signing, and hijacking updates.

More recently, an attack on a managed security provider (MSP) platform vendor affected more than 1000 businesses, including a significant Scandinavian grocery chain.

Segmenting OT networks

As cyber threats increase in the turbulent wake of the COVID-19 pandemic, organizations are becoming more aware of the need to segment their networks in order to safeguard OT systems.
Although most OT systems have hardened perimeters with gateways, firewalls, and data diodes, many legacy OT systems are still flat networks internally.
After breaching an initial entry point, this lets attackers move laterally to other systems inside the network.
Network segmentation is therefore the typical method of addressing this problem.
Industrial automation and control systems (IACS) and operational technology (OT) security challenges are addressed by the Purdue Model and the IEC 62443 standards, which are shown in the diagrams below.

Purdue Model
IEC 62443 Security Levels

Shifting towards zero trust in OT

The Purdue Model and IEC 62443 are both well-known frameworks, but the idea of zero trust is gaining acceptance.
And with good reason, considering the rise in incidents where attackers took advantage of the victims’ trust in purchased technology and software.

A zero-trust security architecture is a relatively new concept that assumes authenticated identities, or even the network itself, may already be compromised, even when they are not.
Every person, device, and connection is treated as a potential threat under this strategy, which requires constant verification of the validity of every connection and circumstance.
The following principles serve as the foundation for zero trust:

• Since all zones are regarded as untrusted, the distinction between trusted and untrusted zones is eliminated.

• All computing services and data sources are regarded as resources.

• Any program, device, or human user accessing resources must be authenticated and authorized.

• Access decisions are made without regard to network location. To put it another way, hosts located in the same zone do not automatically trust one another.

• There are just two planes: the control plane, which handles requests for access to protected resources, and the data plane, which houses the rest of the system.

• Never trust; always verify.
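As an added example that is not part of the original article, the following Python sketch contrasts a legacy perimeter decision (trust anything already inside the resource’s zone) with a decision that follows the principles above; every identity, zone, resource and permission in it is constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One access attempt against an OT resource (all fields constructed for this example)."""
    subject: str           # authenticated identity, or "" when no credential was presented
    device_attested: bool  # True when the device passed posture/attestation checks
    zone: str              # network zone the request originates from
    resource: str
    action: str


# Constructed authorization data: which verified identities may perform which actions.
PERMISSIONS = {
    "eng-alice": {"plc-1:read", "plc-1:write"},
    "vendor-svc": {"historian:read"},
}
# Constructed zone map, consulted only by the legacy perimeter rule below.
RESOURCE_ZONE = {"plc-1": "cell-1", "historian": "site-ops"}


def perimeter_decision(req: Request) -> bool:
    """Flat-network behaviour: anything already inside the resource's zone is trusted."""
    return req.zone == RESOURCE_ZONE[req.resource]


def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Apply the principles listed above: authenticate, verify the device, authorize,
    and never consult the network location."""
    if not req.subject:
        return False, "denied: unauthenticated subject"
    if not req.device_attested:
        return False, "denied: device not verified"
    if f"{req.resource}:{req.action}" not in PERMISSIONS.get(req.subject, set()):
        return False, "denied: not authorized for this action"
    return True, "allowed after verification"


# Constructed sample requests.
# An unauthenticated host that already sits in the PLC's zone: the lateral-movement
# case that a flat network lets through.
SAME_ZONE_UNVERIFIED = Request("", False, "cell-1", "plc-1", "write")
# A verified engineer connecting from outside the zone, e.g. remote maintenance.
REMOTE_ENGINEER = Request("eng-alice", True, "remote", "plc-1", "write")
# A verified vendor service account that is authenticated but not authorized to write.
VENDOR_OVERREACH = Request("vendor-svc", True, "site-ops", "plc-1", "write")
```

The perimeter rule admits the unverified same-zone host and rejects the remote engineer; the zero-trust rule does the opposite, because location never enters its decision.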

Strengthening supply chain risk management

What you should do about it, in my opinion:

As mentioned in the prior sections, the increase in OT system attacks has revealed widespread supply chain vulnerabilities.
These attacks have also drawn more attention to the need for zero trust in OT cyber supply chain risk management (C-SCRM).
In Singapore, the CSA’s Critical Information Infrastructure (CII) Supply Chain Programme is anticipated to be released.
Three guiding principles (assurance, transparency, and accountability) are at the core of this approach to controlling supply chain cybersecurity threats.

At the same time, it is critical to understand the various threats that can exist.
Supply chain risks fall into three basic categories: hardware, software, and vendor risks.
Important security measures to reduce them include:

  1. Thoroughly understand your inventory.
    To do this, a bill of materials must be created for both software and hardware, and each component’s purpose, origin, and method of integrity verification must be known.
  2. Put security first.
    Similar to the software development life cycle, this calls for extensive code review, penetration testing, and pre-production vulnerability and risk assessment.
  3. Define the cybersecurity specifications that suppliers and goods must meet as part of the contract.
    Organizations should check credentials by reviewing certificates and securing audit rights.
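To make the first measure concrete, here is an added example (not part of the original article) that audits a constructed software bill of materials: each component is checked for a known purpose, a known origin, and an integrity hash that matches the bytes actually delivered. The SBOM uses a simplified CycloneDX-style layout; the vendor, component names and artifact bytes are all constructed.

```python
import hashlib

# Constructed example artifacts (component name -> bytes as delivered by the vendor).
ARTIFACTS = {
    "plc-runtime": b"PLC runtime image v4.2.1 (constructed sample bytes)",
    "opc-client": b"OPC client library v1.0.0 (constructed sample bytes)",
    "legacy-driver": b"legacy driver v0.9 (constructed sample bytes)",
}

# Constructed SBOM in a simplified CycloneDX-style layout (not a real product's SBOM).
SBOM = {"components": [
    {   # Complete entry: purpose, origin, and a hash matching the delivered bytes.
        "name": "plc-runtime", "version": "4.2.1",
        "description": "PLC control-logic runtime",
        "supplier": {"name": "ExampleVendor"},
        "hashes": [{"alg": "SHA-256",
                    "content": hashlib.sha256(ARTIFACTS["plc-runtime"]).hexdigest()}],
    },
    {   # Origin and purpose known, but the recorded hash does not match the delivery.
        "name": "opc-client", "version": "1.0.0",
        "description": "OPC client library",
        "supplier": {"name": "ExampleVendor"},
        "hashes": [{"alg": "SHA-256", "content": "00" * 32}],
    },
    {   # Incomplete entry: no purpose, no supplier, no integrity information.
        "name": "legacy-driver", "version": "0.9",
    },
]}


def audit_component(comp: dict, artifacts: dict) -> list[str]:
    """Return C-SCRM findings for one component; an empty list means it is acceptable."""
    findings = []
    if not comp.get("description"):
        findings.append("purpose unknown")
    if not comp.get("supplier", {}).get("name"):
        findings.append("origin unknown")
    recorded = {h["alg"]: h["content"].lower() for h in comp.get("hashes", [])}
    if "SHA-256" not in recorded:
        findings.append("no integrity hash recorded")
    elif comp["name"] not in artifacts:
        findings.append("delivered artifact not found")
    elif hashlib.sha256(artifacts[comp["name"]]).hexdigest() != recorded["SHA-256"]:
        findings.append("integrity hash mismatch")
    return findings


def audit_sbom(sbom: dict, artifacts: dict) -> dict[str, list[str]]:
    """Map every component to its findings so incomplete or tampered entries stand out."""
    return {c["name"]: audit_component(c, artifacts) for c in sbom["components"]}
```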

NIST SP 800-53 lists 20 control families, including supply chain risk management, awareness and training, configuration management, and access control.
The supply chain risk management control family consists of 12 controls and related control enhancements.
This is a great resource for building an organizational C-SCRM structure.
Even better, each supply chain control is linked to related controls in other families.
As an illustration, Supply Chain Risk Management (SR) control 10, Inspection of Systems or Components, is linked to the Awareness and Training (AT) control Role-Based Training.

The future of OT security

As organizations adopt new technology, OT threats are predicted to grow in intensity and complexity.
Examples include distributed control system (DCS) virtualization, data analytics, and machine learning, as well as SCADA as a service (SCADA hosted on cloud).
These virtual machine and cloud computing architectures represent workloads that require zero-trust security.

For OT systems, however, quantum computing is a mixed blessing.
On the one hand, it improves system speed and performance; on the other, it makes it simpler for attackers to break conventional encryption.

Finally, blockchain technology is a brand-new field that offers OT professionals a lot to consider.
Although the implementation of blockchain in OT systems is still in its early stages, there will probably be a number of novel use cases in the future.
For instance, the capacity of a blockchain ledger to maintain its integrity holds promise for host-to-host transaction authentication in OT systems.

Only time will tell how OT security develops, but it is certain that companies must be ready to adapt swiftly to stay one step ahead of malicious actors.
