Make it secure

Securing OT in an ever-growing threat-landscape. By Curtis Simpson


Cyber-attacks against businesses of all sizes are increasing at an exponential rate. Throughout the past several years, we have seen how massive campaigns have been timed to coincide with large holidays in different countries, such as the 4th of July, Thanksgiving or Christmas. It is blatantly clear that attackers are positioning themselves to strike when companies are least prepared to detect and mitigate threats to their systems and operations. More worryingly, cyber criminals are increasingly targeting critical infrastructure, manufacturing and supply chain companies. Three such attacks hit US companies Molson Coors and JBS Foods last year, not to mention the Colonial Pipeline ransomware incident. These have, in many cases, been linked back to Russian actors and other foreign agents who are intent on attacking weak links in nations’ cyber networks. As such, it is vital for businesses worldwide to deploy better cybersecurity platforms and protocols if they are to mitigate the risk posed by cyber criminals and rogue states.

Securing OT and IT in ICS and manufacturing environments
The risk-based challenge with OT (Operational Technology) environments is that, increasingly, they are being connected to traditional enterprise IT and wireless networks. No longer ‘air gapped’ or isolated, control systems are at higher risk of being compromised: threat actors now have the opportunity to reach OT systems through IT networks, and OT typically lacks adequate security measures to protect itself from attack.

To complicate matters further, OT devices in industrial and manufacturing environments have no built-in security. It is also not possible to install an agent on many of the legacy devices, as they were designed by manufacturers who were operating on the, now invalid, assumption that these devices wouldn’t be connected to any other networks.

Unfortunately, the convergence of IT and OT means this is no longer the case, exposing OT devices to numerous threats. Without security capabilities designed with all types of assets (OT, IT and IoT) in mind, practitioners have limited visibility into which devices are on their networks, what risk each device poses to the business, and whether any device is displaying abnormal activity that could point to an active threat or an exploitation attempt. Without such capabilities in place, security leaders will struggle to assure the business that they can detect a cyberattack with OT impact, safeguard operations, and restore them in line with service level expectations.

Risks to OT
The number of vulnerabilities in OT devices continues to rise and, as a result, breaches of operational infrastructure are increasing. Over the past few years, a growing number of vulnerabilities have been discovered in devices in OT environments. Many of them involve embedded software shared by many manufacturers, such as URGENT/11, a set of 11 zero-day vulnerabilities that impacted various real-time operating systems (RTOS). Real-time OSes are used by SCADA systems, industrial controllers, Programmable Logic Controllers (PLCs), elevators, firewalls, routers, satellite modems, VoIP phones, printers, etc. If exploited, such flaws could let attackers take over mission-critical industrial and healthcare devices, bypassing traditional perimeters and security controls. With one device compromised, threat actors could move laterally to compromise others quickly and easily, spreading rapidly throughout a system and causing immense damage.

In the wild, malware such as WannaCry and NotPetya has had major impacts on manufacturing plants, affecting availability or safety as well as company brand and customer relationships. Any attack on OT infrastructure can be dangerous, as seen last year with the attempted changes to pH levels at a Florida water treatment facility. The potential for impact, combined with the ever-increasing attack surface, has created a ‘perfect storm’: threat actors of varying skill levels now have the ability to cause more harm, in the hope of increasing their chances of receiving ransom payments or having their demands met. The ways in which cyber criminals can impact OT environments include changes to process automation (which can affect product quality), stopping production lines, interfering with safety controls, or even locking operators out of breached networks.

The recent discovery of PLC-Blaster, a new worm that lives in a PLC and scans IP networks to identify and spread to additional vulnerable PLCs, specifically highlights the intentions and capability that cyber attackers (of all skill levels, not just nation states) have with respect to industrial control systems.

How to successfully secure OT and ICS
Security teams understand the urgency to secure OT environments in the ever-growing threat-landscape; however, these outcomes can’t be achieved with traditional security tools that aren’t compatible with OT devices. A different holistic approach is required, designed for managed and unmanaged devices and which must:

  • Be agentless, or able to function without relying on agents, which cannot be installed on many of these devices.
  • Be passive, i.e. it should function using only passive technologies, as any system that relies on scans or probes can disrupt and even crash OT devices.
  • Provide comprehensive security controls that meet most of the important cybersecurity goals specified by NIST CSF or CIS CSC. This requires a variety of security tools, and in the best-case scenario the required controls would be covered using as few tools as possible.
  • Provide comprehensive device coverage, including all unmanaged and industrial IoT devices within the enterprise. Managers cannot secure OT unless IT is also secured, by a security platform that works across all types of industrial control systems.
  • Provide comprehensive communication coverage, directly monitoring every communication pathway that could be used in an attack. This includes Ethernet, Wi-Fi, Bluetooth and BLE.
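The first two requirements above (agentless and passive) come down to one design rule: the monitoring system only reads traffic that the devices already generate, and never sends a probe of its own. The following is an added example, not part of the original article and not Armis product code, showing how a passive asset inventory and a communication baseline can be built purely from observed flow records (the kind a network tap or SPAN port would yield). The flow records are constructed for the example; the port-to-protocol labels use the well-known IANA assignments for Modbus/TCP (502), S7comm/ISO-TSAP (102) and EtherNet/IP (44818). The IP addresses and timestamps are hypothetical.

```python
"""Passive, agentless OT asset inventory built from observed flows only.
Added example with constructed data; nothing here transmits to any device."""

# Labels for well-known industrial protocol ports (IANA assignments).
INDUSTRIAL_PORTS = {502: "Modbus/TCP", 102: "S7comm", 44818: "EtherNet/IP"}

# Constructed flow records: "timestamp,src_ip,dst_ip,dst_port".
# Learning window: an HMI (10.20.0.5) polls two PLCs over Modbus/TCP.
LEARNING_FLOWS = """\
2022-03-01T08:00:00,10.20.0.5,10.20.0.11,502
2022-03-01T08:00:01,10.20.0.5,10.20.0.12,502
2022-03-01T08:05:00,10.20.0.5,10.20.0.11,502
2022-03-01T08:05:01,10.20.0.5,10.20.0.12,502
"""

# Later traffic (constructed) containing two things that should stand out:
# a never-seen IT-segment host (10.1.4.77) talking Modbus to a PLC, and one
# PLC talking to another PLC on a port never observed during learning.
NEW_FLOWS = """\
2022-03-02T09:00:00,10.20.0.5,10.20.0.11,502
2022-03-02T09:00:03,10.1.4.77,10.20.0.11,502
2022-03-02T09:00:09,10.20.0.11,10.20.0.12,102
"""


def parse_flows(text):
    """Turn the CSV-style flow text into (timestamp, src, dst, port) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split(",")
        flows.append((ts, src, dst, int(port)))
    return flows


def build_inventory(flows):
    """Derive the asset inventory from traffic alone: for every IP seen, record
    when it first appeared, which industrial protocols it spoke, and its peers."""
    inventory = {}
    for ts, src, dst, port in flows:
        for ip in (src, dst):
            inventory.setdefault(ip, {"first_seen": ts, "protocols": set(), "peers": set()})
        proto = INDUSTRIAL_PORTS.get(port)
        if proto:
            inventory[src]["protocols"].add(proto)
            inventory[dst]["protocols"].add(proto)
        inventory[src]["peers"].add(dst)
        inventory[dst]["peers"].add(src)
    return inventory


def learn_baseline(flows):
    """The set of (src, dst, port) conversations observed during the learning window."""
    return {(src, dst, port) for _, src, dst, port in flows}


def find_deviations(flows, baseline, known_assets):
    """Flag assets not present in the inventory and conversations outside the
    baseline. Findings are (timestamp, kind, detail) tuples for a SOC queue."""
    findings = []
    for ts, src, dst, port in flows:
        for ip in (src, dst):
            if ip not in known_assets:
                findings.append((ts, "new-asset", f"{ip} not seen during baseline"))
        if (src, dst, port) not in baseline:
            proto = INDUSTRIAL_PORTS.get(port, f"tcp/{port}")
            findings.append((ts, "new-conversation", f"{src} -> {dst} {proto}"))
    return findings


def analyse():
    """Learn from the first window, then review the later flows against it."""
    learning = parse_flows(LEARNING_FLOWS)
    inventory = build_inventory(learning)
    baseline = learn_baseline(learning)
    return inventory, find_deviations(parse_flows(NEW_FLOWS), baseline, set(inventory))


if __name__ == "__main__":
    inventory, findings = analyse()
    for ip, asset in sorted(inventory.items()):
        print(ip, sorted(asset["protocols"]), sorted(asset["peers"]))
    for finding in findings:
        print(*finding)
```

Run as a script, the learning window yields three assets, and the later flows produce three findings: the IT host as a new asset, its Modbus conversation with the PLC, and the unseen PLC-to-PLC S7comm conversation. A real deployment would feed this logic from a continuous capture and enrich the inventory with vendor and firmware data parsed from the same passive traffic; the point is that the baseline and the inventory never require touching the devices.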

Securing OT devices against cyber-attacks is not an easy task, but it is becoming increasingly vital in order to protect critical national infrastructure, manufacturing and supply chain operations. The risk to the availability of our OT operations is also becoming a matter of general safety for the communities in which we operate, making it a higher priority than ever. With the right tools, organizations can obtain full visibility over every device connected to their networks while securing both IT and OT environments with an agentless approach. This allows them to detect suspicious behavior before threat actors manage to launch any large-scale attack, and to avoid operational downtime and loss of reputation even when the attack originates in the IT environment. With the growing threat facing industries and organizations of all sizes, now is the time to ensure that your security program is enabling and maintaining secure, resilient OT operations.

Curtis Simpson
Curtis Simpson is CISO at Armis, the leading unified asset visibility and security platform designed to address the new threat landscape that connected devices create. Fortune 1000 companies trust its real-time and continuous protection to see with full context all managed, unmanaged, and IoT devices, including medical devices (IoMT), operational technology (OT), and industrial control systems (ICS). Armis provides passive and unparalleled cybersecurity asset management, risk management, and automated enforcement. Armis is a privately held company headquartered in Palo Alto, California.
www.armis.com