In the security world, operational technology (OT) has long been "the land of the forgotten," taking a backseat in priority to IT network security. This is no longer tolerable, as adversaries and malicious actors increasingly target OT systems in attempts to extort enterprises or simply wreak havoc through equipment damage, environmental harm or loss of life.

OT network attacks are often aimed at industrial control system (ICS) networks and supervisory control and data acquisition (SCADA) systems. These are the systems that control critical infrastructure: dams, water supplies, utility grids and more. OT network attacks have been on the rise in recent years, with the newest research showing attacks increasing in both scale and number throughout 2018. Beyond the more catastrophic impacts, Ernst & Young has found that the cost of downtime from a major OT network attack can exceed $8 million per day.

Traditionally, ICS networks and SCADA systems have been segregated from untrusted areas (corporate networks and the internet) through air-gapping and increased physical security. But in recent years, more of these systems have been brought online to cut costs, share operational information and improve efficiency, which increases their exposure to IT networks as infection vectors. One of the best-known recent examples was NotPetya, a destructive wiper disguised as ransomware that began by infecting enterprise IT networks and then spread to disrupt the OT and production networks of several large companies, including Merck and FedEx.
While many OT network attacks go unreported, the damage caused by those that come to light reveals the vulnerabilities of ICS networks and SCADA systems. This has led organizations to pay more attention to monitoring and protecting both their IT and OT networks. Some keys for doing this include:

Start by looking more closely at the IT network: Threats targeting OT networks often originate on IT networks, so security teams must gain better visibility into IT traffic and anomalies in order to protect the OT network. In many cases this means moving from a reactive approach to a "threat hunting" stance, scouring networks to detect and isolate advanced threats that have evaded more conventional controls.

Focus on OT system threats: In the past year, at least three new, major ICS-targeting threat activity groups have been identified. Many of these groups rely on "living off the land" techniques, abusing legitimate tools and protocols already present in the environment, which helps them avoid detection. One advantage for defenders is that OT-focused threats are far fewer in number than IT threats, which makes guarding against them more manageable, though arguably still not something humans can scale alone. Additionally, because malicious actors often seek to maximize disruption within a given market segment (such as gas or electricity), organizations should pay close attention to the OT network threats that others in their industry are experiencing.

Merge and integrate your IT and OT security intelligence, in order to avoid compartmentalized views: Just as IT networks often spread infection to OT networks, the reverse can be true: an attack on an ICS network or SCADA system can quickly pivot to the IT network and compromise the sensitive data that may reside there. Consider an OT network attack at an oil refinery that lets an adversary reach customer credit card data gathered further downstream at a gas station. There are numerous examples across industries of threats running in both directions, and unless an organization has a comprehensive, holistic view of both its OT and IT environments, it is nearly impossible to track threats as they cross from one realm to the other.

Make OT security an equal citizen: ICS networks and SCADA systems run critical infrastructure, yet they often rely on aging software and obsolete hardware that is difficult to patch, which leaves them open to exploitation. Patching these systems is critical, but it can be extremely expensive and difficult. Consider the nature of the infrastructure being patched: much of it runs mission-critical services 24x7, and interrupting service to install a security patch may not be feasible.

Further complicating the situation, even with extensive patching many OT networks are insecure by design, because many of the systems within them lack basic authentication. This does not remove the need for patching; rather, it means OT systems must be addressed strategically and methodically, reserving disruptive patching for systems where simpler compensating controls (such as application whitelisting) are not available.

Encourage and nurture "chameleons": The security industry needs more chameleons, individuals who deeply understand both IT and OT network security, who can see how a threat originating on one side might affect the other, and who serve as the glue bonding both teams together to identify and remediate threats. This is a rare skill set, requiring expertise in disciplines as different as mechanical engineering and computer science, but it is perhaps one of the most exciting opportunities for the next generation of security professionals and for the colleges and universities preparing them for the workplace of the future.

New forms of malware originating on both IT and OT networks are discovered all the time, and no industry is spared from the repercussions for its ICS networks, SCADA systems, IT networks and assets. In this fast-changing world, organizations running OT networks must have a comprehensive, holistic view of the end-to-end IT/OT security picture; otherwise they are addressing only half of their threat surface and leaving themselves open to significant, costly attacks.
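The "merge and integrate your IT and OT security intelligence" recommendation above, together with the earlier point that IT-side hunting and "living off the land" alerts feed the OT picture, is easier to act on with a concrete correlation in hand. The following is an added example, not code from the original article or from any vendor it mentions. It reads constructed endpoint alerts and IT/OT boundary flow records in an assumed key=value log format, with assumed zone address ranges and an assumed ICS port table, and flags a host that raised an alert and then crossed the zone boundary in either direction (high severity), plus any non-OT host that speaks an ICS protocol with no alert at all (a hunting lead rather than a confirmed incident).

```python
"""Correlate IT endpoint alerts with flows that cross the IT/OT boundary.

Added example, not from the original article. The log format, zone ranges,
ICS port table and every sample event below are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed zone layout: one corporate IT range and one OT cell.
ZONES = {"IT": ip_network("10.1.0.0/16"), "OT": ip_network("192.168.100.0/24")}
# Well-known ICS protocol ports: Modbus/TCP, DNP3, EtherNet/IP, S7comm.
ICS_PORTS = {502: "modbus", 20000: "dnp3", 44818: "enip", 102: "s7comm"}
# An alert older than this is no longer tied to a later boundary crossing.
WINDOW = timedelta(hours=24)


def zone_of(ip: str) -> str:
    """Map an address to 'IT', 'OT' or 'other' using the assumed ranges."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "other"


def parse_record(line: str) -> dict:
    """Parse '<iso-timestamp> <KIND> k=v k=v ...' (assumed format) into a dict."""
    ts, kind, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "kind": kind}
    rec.update(f.split("=", 1) for f in fields)
    return rec


def correlate(lines: list[str]) -> list[dict]:
    """Return findings for flows whose source and destination zones differ.

    high:   the source host raised an alert within WINDOW before the crossing,
            so an IT compromise is reaching into OT or an OT one into IT.
    medium: a non-OT host speaks an ICS protocol with no prior alert; nothing
            else fired, but it is the kind of lead a threat hunt should chase.
    """
    records = sorted((parse_record(line) for line in lines), key=lambda r: r["ts"])
    alerts_by_host: dict[str, list[dict]] = defaultdict(list)
    findings = []
    for rec in records:
        if rec["kind"] == "ALERT":
            alerts_by_host[rec["host"]].append(rec)
            continue
        src_zone, dst_zone = zone_of(rec["src"]), zone_of(rec["dst"])
        if src_zone == dst_zone:
            continue  # traffic that stays inside one zone is out of scope here
        dport = int(rec["dport"])
        prior = [a for a in alerts_by_host[rec["src"]]
                 if rec["ts"] - WINDOW <= a["ts"] <= rec["ts"]]
        base = {"ts": rec["ts"].isoformat(), "src": rec["src"], "dst": rec["dst"],
                "direction": f"{src_zone}->{dst_zone}",
                "protocol": ICS_PORTS.get(dport, f"tcp/{dport}")}
        if prior:
            findings.append({**base, "severity": "high",
                             "rule": prior[-1]["rule"]})  # most recent alert
        elif dport in ICS_PORTS and src_zone != "OT":
            findings.append({**base, "severity": "medium", "rule": None})
    return findings


# Constructed sample: an IT workstation flagged for a living-off-the-land
# download (certutil) that later opens Modbus to a PLC; an IT host with no
# alert probing EtherNet/IP; an OT HMI that raised an alert and then reaches
# an IT file share; and the same workstation hitting the PLC days later,
# outside the correlation window.
SAMPLE_LOG = """\
2024-03-01T09:15:00 ALERT host=10.1.5.23 rule=lolbin_certutil_download
2024-03-01T09:20:00 FLOW src=10.1.5.23 dst=10.1.7.40 dport=445 proto=tcp
2024-03-01T09:41:00 FLOW src=10.1.5.23 dst=192.168.100.10 dport=502 proto=tcp
2024-03-01T11:02:00 FLOW src=10.1.9.8 dst=192.168.100.12 dport=44818 proto=tcp
2024-03-02T08:05:00 ALERT host=192.168.100.50 rule=hmi_new_scheduled_task
2024-03-02T08:30:00 FLOW src=192.168.100.50 dst=10.1.7.40 dport=445 proto=tcp
2024-03-04T10:00:00 FLOW src=10.1.5.23 dst=192.168.100.10 dport=502 proto=tcp
""".splitlines()


def run_sample() -> list[dict]:
    """Run the correlator over the constructed sample log."""
    return correlate(SAMPLE_LOG)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['severity']:6} {f['ts']} {f['direction']} {f['src']} -> "
              f"{f['dst']} ({f['protocol']}) rule={f['rule']}")
```

On the sample the correlator produces two high findings (the certutil-flagged workstation opening Modbus into the OT cell, and the HMI reaching an IT file share after its own alert) and two medium ones (an unflagged IT host speaking EtherNet/IP, and the workstation's later Modbus session, which falls outside the 24-hour window and so is reported only as unexpected ICS protocol use). In a real deployment the ICS port set would come from the site's asset inventory and an allowlist of engineering workstations that are supposed to program PLCs would suppress their medium-severity hits; the point of the block is that neither the IT alert stream nor the OT flow stream shows the pivot on its own.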