Data protection isn't often discussed in the context of operational technology. Data breaches are typically incidents in information technology, yet OT holds just as many trade secrets and critical information — it just looks different.
Consider a pharmaceutical plant: Within operations, a controller directs a valve attached to a pipe carrying fluid. Attached to the valve is a sensor responsible for measuring the fluid's flow rate. "That flow rate is then sent back to the controller where it is compared to the output that has been programmed by the engineers," said Brian Kime, senior analyst at Forrester, while speaking at a virtual Forrester event in September.
"If there is a difference, then the controller changes the valve position to match the design flow rate," said Kime. If a controller or sensor is manipulated through a cyberattack, the product OT helps create is at best useless, and at worst, dangerous.
OT lines the critical infrastructure of the U.S., which keeps society functioning and safe. It's also extremely antiquated. New OT solutions rely on legacy systems and old national standards.
Utilities have been watching the growing threat to OT and industrial control systems, in particular since a 2015 cyberattack in Ukraine caused more than 200,000 people to lose power.
This July, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency issued a cybersecurity alert to operators of critical infrastructure. Recommendations include disconnecting any operational systems that do not need internet connectivity for safe and reliable operations, and planning for "continued manual process operations" should industrial control systems become unavailable.
OT environments were once islands, seldom connected to the internet. Though industries are still struggling to accept it, OT came online when the digital world interrupted the physical world and perceived air gaps between IT and OT closed.
There's a disconnect between assumed security policies and "operational reality," said Chris Hallenbeck, CISO for the Americas at Tanium. Policies might falsely claim IT and OT environments don't talk to each other, yet data derived from IT "has come out from the OT environment at some level to facilitate the business."
Industries are dealing with cyberattacks filtering through IT into OT. Yet "there's strikingly low visibility into those environments," said Kime, in an interview. "When you talk about municipal water systems, they're already stretched thin, and I can't imagine that they know who's in their network."
IT/OT professionals consider manufacturing, electric utilities and building management systems the most vulnerable U.S. industries, according to a Claroty survey of 1,100 respondents.
And yet, historically the security of OT systems in a manufacturing setting was relegated to manufacturing maintenance teams, according to EY. When a manufacturer can't protect its processes, it can overflow into its products.
Wam Voster, senior director analyst at Gartner, said clients come to him wanting to make changes but are constrained by their equipment manufacturer and don't know how to proceed. "That is a ridiculous situation" and one of the problems with equipment manufacturers, he said.
Cyber goes physical
OT cyber vulnerabilities were proven exploitable with Stuxnet in 2010. The computer worm made its way into an Iranian uranium enrichment facility, one of the first known cases of a virus spreading through industrial systems.
Stuxnet's code was fashioned to search for programmable logic controllers (PLCs) made by Siemens. Once a PLC was found, the worm issued a series of commands that effectively caused centrifuges within the Iranian facility to "burn themselves out," according to McAfee.
Researchers and adversaries learned from Stuxnet's code. Before, for an attacker to cause an operational meltdown through malware, they would have to be on-premises, according to Atul Vashistha, vice chair of the Business Board at the Department of Defense and chairman of Supply Wisdom.
"I'm extremely, extremely concerned when we think about critical infrastructure," said Vashistha. While "I think our country's cyber capabilities are significantly enhanced than they ever used to be ... We're going to see a lot more attacks not just on corporations but actually leveraging OT."
With COVID-19 as the backdrop to increased cyberthreats, 65% of U.S. IT/OT security professionals say their IT and OT networks became more interconnected, according to Claroty. While IT and OT converge, 62% of global security professionals say the networks are not equally secure.
Ransomware counts on organizations neglecting network detection and response (NDR) sensors on East-West data flows (traffic between servers within a company's network, including between internal IT and OT environments), according to a report from IronNet. By contrast, North-South data flows (traffic entering and leaving a network) are often "heavily defended" with updated software and firmware patches and NDR solutions.
"NDR sensors are sometimes not afforded direct visibility into internal customer environments, due to restricted placements at North-South ingress/egress boundary points," said IronNet. But in a study of high-profile ransomware — Maze, NetWalker, Ryuk, REvil, WastedLocker and Snake — the samples didn't "produce much" in North-South data pathways. "From an NDR perspective, that's a little disheartening," according to the report.
"As our ransomware variants did access the Win10 remote fileshare, there was a boatload of East-West data, almost all of it via SMB over IPv6," said IronNet. While studying Maze, IronNet found the malware running through East-West traffic, out of sight from "most intelligent firewall and network security appliances" focused on North-South flows.
Even if rules are built into IT/OT data communication, "you almost have to build your world with the assumption that despite all of the rules, it's still going to happen," where someone intentionally or unintentionally connects systems they aren't supposed to, said Hallenbeck. And because of that, additional detection solutions are needed.
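The East-West blind spot IronNet describes can be checked directly in flow telemetry. The following Python, an added example that is not from the report or the article, classifies constructed flow records as North-South or East-West by zone membership and flags SMB sessions crossing laterally from the IT zone into the OT zone (the zone prefixes, the IT-to-OT rule and the sample flows are all assumptions for this example).

```python
"""Spot East-West SMB flows into OT that a North-South-only sensor would miss."""
import ipaddress
from dataclasses import dataclass

# Constructed zone layout (assumed for this example, not from the page).
INTERNAL_ZONES = {
    "it": [ipaddress.ip_network("10.10.0.0/16"), ipaddress.ip_network("fd00:10::/32")],
    "ot": [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("fd00:20::/32")],
}
SMB_PORT = 445


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(addr):
    """Return the internal zone containing addr, or 'external'."""
    ip = ipaddress.ip_address(addr)
    for name, nets in INTERNAL_ZONES.items():
        if any(ip in n for n in nets):  # version mismatch simply yields False
            return name
    return "external"


def direction(flow):
    """North-South if either endpoint is outside the organization, else East-West."""
    if "external" in (zone_of(flow.src), zone_of(flow.dst)):
        return "north-south"
    return "east-west"


def lateral_smb_into_ot(flow):
    """True for an East-West SMB session originating in IT and terminating in OT."""
    return (direction(flow) == "east-west"
            and flow.proto == "tcp" and flow.dport == SMB_PORT
            and zone_of(flow.src) == "it" and zone_of(flow.dst) == "ot")


def triage(flows):
    """Count flows per direction and collect IT-to-OT SMB alerts."""
    counts = {"north-south": 0, "east-west": 0}
    alerts = [f for f in flows if lateral_smb_into_ot(f)]
    for f in flows:
        counts[direction(f)] += 1
    return counts, alerts


# Constructed sample flows: two internet-facing, four internal.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "10.10.1.20", 443, "tcp"),      # inbound web, North-South
    Flow("10.10.1.20", "198.51.100.9", 443, "tcp"),     # outbound web, North-South
    Flow("fd00:10::15", "fd00:20::7", 445, "tcp"),      # IT -> OT SMB over IPv6: alert
    Flow("10.10.1.15", "10.20.0.7", 445, "tcp"),        # IT -> OT SMB over IPv4: alert
    Flow("10.20.0.7", "10.20.0.9", 502, "tcp"),         # OT -> OT Modbus, expected
    Flow("10.10.1.20", "10.10.1.30", 445, "tcp"),       # IT -> IT file share, not flagged
]
```

A sensor placed only at the ingress/egress boundary sees the first two flows and none of the alerts; the two IT-to-OT SMB sessions are visible only from an East-West vantage point.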
Separation of powers
Interlocked IT and OT is sometimes more efficient, even with the added security risks. Traditional security is focused on integrity and confidentiality of data, typically prioritized over availability, said Kime. But in an OT environment, availability supersedes confidentiality to maintain safety.
According to the Claroty survey, 69% of IT and OT security professionals say a cyberattack on critical infrastructure can cause more damage than an enterprise data breach. Only 31% of respondents say an enterprise data breach is more harmful.
"Many of the companies that are really critical infrastructure, they're not necessarily considered 'the risk,'" said Vashistha. "What you are talking about is not about theft of consumer data, you're actually talking about outages."
And unlike data breaches, "so many organizations will not tell anybody that this has happened," said Voster, referring to ransomware attacks impacting OT. About 41% of ransomware attacks in 2020 targeted organizations with OT, according to IBM's Security X-Force. Only national critical infrastructure is required to report these incidents.
Consider the Purdue Model, the layered structure of OT engineering that leads all the way from basic IT-like web servers down to the physical process in need of securing. Endpoint detection or protection tools are not necessarily suited to OT.
"Things like intrusion detection systems that do deep packet inspection of all the network traffic can introduce latency," said Kime. "Endpoint detection and response tools are great in IT, but they are very burdensome in OT, because when they do detect something, they take a lot of CPU cycles" and send data to the cloud for analysis.
When cyberthreats traverse the IT/OT threshold of the Purdue model, hackers can explore OT networks for vulnerabilities. "It's not as simple as finding a standard database in your IT network, and then using a commodity exploit against it. All the capabilities used in ICS [industrial control systems] attacks are heavily researched by the threat and take them a long time to execute their plans," said Kime.
A common misconception is that IoT devices and ICS having IP addresses makes them equivalent, said Kime. The reason? "Ignorance."
Consider a safety instrumented system coming from the same manufacturer as a basic security camera. If a safety instrumented system is triggered after something crosses safety thresholds, "you definitely do not want to treat an IP camera like a safety system," said Kime. With medical or any kind of factory, "we're seeing in ransomware targeting the 'IP-ish' type of systems that sit on the OT side of the enterprise, but they don't directly control the processes."