Deep Dive into OT Security

Posted On Sep 21, 2023 |

Hats off to the industrial community, which made extraordinary efforts to keep civilization running under the challenging circumstances of the COVID-19 pandemic and after it. As a result, many industrial entities changed the way they conduct business and embraced an increasingly connected industrial grid.

With that in mind, the trend continues, and cyber-attacks keep coming with no end in sight. Cyber-attacks have cost billions of US dollars over the past ten years. They exist in the digital space, but today they have a real and tangible effect on our physical world.

Facilities that support the economy, public safety and public health are grouped under the umbrella of critical infrastructure. Because of the rapid digital transformation of critical national infrastructure in recent years, there is now a path for an attacker to go from a spoofed email in an inbox all the way through the network to the ICS crown jewels and industrial assets. The industrial attacks of 2021 and 2022 taught us several lessons: the initial attack vector is usually simple because the security perimeter is poor, ransomware gangs keep maturing, and when a critical public service is on the line the ransom is more likely to be paid.

Critical environments cannot afford to fail. When public safety is at stake, an operational outage of even a few seconds is not tolerable. We need to build in cyber resilience so these systems can withstand cyber-attacks and recover from them. IT and OT are different, and this is why.

In 2010, Stuxnet became public: a worm that exposed the vulnerability of industrial environments by attacking the PLCs controlling the centrifuges of an Iranian uranium enrichment plant. Since this attack, which was introduced through an infected USB key, the entire industrial world has been at risk from cyberattacks.

Attack methods have changed over time, but industrial control systems in factories continue to be a top target. Here are a few of the major incidents that happened after Stuxnet.

The same assessment holds for 2022. The Russian invasion of Ukraine on February 24, 2022, is the first of these risk-changing events. It increased the likelihood of significant cyber activity involving both the industrial infrastructure of the combatants and.

Ransomware is the name of the game for attacking big organizations and governments. The Ransom Cartel arose a few years back; Twisted Spider, the gang behind Maze ransomware among others, is said to have initiated its creation. Their primary motivation was financial gain. Victim data is not the only thing these affiliate gangs pass between each other: they share tactics and infrastructure (C&C), and offer Ransomware-as-a-Service (RaaS) packages to other criminals.

To dive into one instance: since its release in, Ryuk has harmed many manufacturing, healthcare and governmental entities. After a TrickBot (Trojan) infection and the discovery of an interesting target, the Ryuk gang uses post-exploitation frameworks such as Cobalt Strike or PowerShell Empire, which let them carry out unwanted actions on machines without triggering security alerts.

The Ryuk attackers also employ BloodHound, a tool that lets penetration testers examine Active Directory setups and identify potentially exploitable relationships in them, as well as the open-source LaZagne program to steal passwords stored on infected computers. The Ryuk attackers' ultimate objective is to locate the domain controllers and take control of them, which gives them control over the entire network.

Source: Nozomi

In a study published recently by Dragos, Valid Accounts was the most common TTP used in attacks on ICS. Shared credentials and poor security perimeters let adversaries leverage Valid Accounts and gain persistent remote access to ICS.
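The two conditions named above, shared credentials and remote logons from outside a controlled path, are detectable from ordinary Windows logon events on OT hosts. The following is an added example, not code from the original post or from Dragos: it runs two Valid Accounts (ATT&CK for ICS T0859) use cases over constructed Windows Security 4624 events. The host names, account names, IP addresses, the jump-host allowlist and the thresholds are assumptions made for the example.

```python
"""
Added example (not part of the original post): a small detector for the
two Valid Accounts patterns the text describes, run over constructed
Windows Security logon events (event ID 4624) from OT hosts.

Assumptions (not from the page): host names, account names, IP addresses
and the jump-host allowlist below are invented; the event fields mirror
the 4624 schema (TargetUserName, LogonType, IpAddress, Computer).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical policy: remote logons to OT hosts may only originate from
# these jump hosts in the IT/OT DMZ.
JUMP_HOST_ALLOWLIST = {"10.3.5.10", "10.3.5.11"}

# 2 = Interactive, 10 = RemoteInteractive (RDP). Type 3 (network) is left
# out of this first use case because service traffic makes it noisy.
INTERACTIVE_LOGON_TYPES = {2, 10}

# Constructed sample events (not real logs).
EVENTS = [
    {"ts": "2023-09-20T01:02:03", "Computer": "HMI-01", "TargetUserName": "eng_shared", "LogonType": 10, "IpAddress": "10.3.5.10"},
    {"ts": "2023-09-20T01:05:10", "Computer": "HMI-01", "TargetUserName": "eng_shared", "LogonType": 10, "IpAddress": "192.168.77.4"},
    {"ts": "2023-09-20T01:06:40", "Computer": "SCADA-01", "TargetUserName": "eng_shared", "LogonType": 10, "IpAddress": "10.20.1.50"},
    {"ts": "2023-09-20T01:09:00", "Computer": "EWS-02", "TargetUserName": "eng_shared", "LogonType": 10, "IpAddress": "10.20.1.51"},
    {"ts": "2023-09-20T03:00:00", "Computer": "EWS-02", "TargetUserName": "j.doe", "LogonType": 10, "IpAddress": "10.3.5.11"},
    {"ts": "2023-09-20T03:01:00", "Computer": "HIST-01", "TargetUserName": "svc_historian", "LogonType": 3, "IpAddress": "10.20.1.9"},
]


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def unexpected_remote_logons(events, allowlist=JUMP_HOST_ALLOWLIST):
    """Use case 1: interactive/RDP logons to OT hosts whose source is not a jump host."""
    return [e for e in events
            if e["LogonType"] in INTERACTIVE_LOGON_TYPES and e["IpAddress"] not in allowlist]


def shared_credential_use(events, window=timedelta(minutes=15), min_sources=3):
    """Use case 2: one account used from at least min_sources distinct source IPs
    within a sliding time window, a sign of a shared (or stolen) credential.
    Returns {account: sorted source IPs} for accounts that trip the threshold."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        if e["LogonType"] in INTERACTIVE_LOGON_TYPES:
            by_account[e["TargetUserName"]].append(e)
    hits = {}
    for account, evs in by_account.items():
        for i, start in enumerate(evs):
            sources = {start["IpAddress"]}
            for later in evs[i + 1:]:
                if parse_ts(later["ts"]) - parse_ts(start["ts"]) > window:
                    break
                sources.add(later["IpAddress"])
            if len(sources) >= min_sources:
                hits[account] = sorted(sources)
                break
    return hits


if __name__ == "__main__":
    for e in unexpected_remote_logons(EVENTS):
        print(f"ALERT remote logon to {e['Computer']} as {e['TargetUserName']} from non-jump-host {e['IpAddress']}")
    for account, sources in shared_credential_use(EVENTS).items():
        print(f"ALERT account {account} used from {len(sources)} sources within 15 min: {sources}")
```

In a real deployment the events would come from Windows Event Forwarding or a SIEM rather than a list, and the allowlist would be the documented remote-access path (jump hosts, broker, or VPN concentrator) for the site; the point of the example is that both use cases need nothing more than the logon events most OT Windows hosts already produce.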

Critical national infrastructure has undergone a rapid digital transformation in recent years, opening a channel for attackers to travel from a counterfeit email in an employee's inbox all the way to the crown jewel assets.

OT has several problems of its own. A recent study found a number of third-party weaknesses in the software supply chain of many ICS products, most notably the flaws known as Ripple20 and Amnesia:33, which are vulnerabilities in third-party TCP/IP stacks (Ripple20 in the Treck stack, Amnesia:33 in the open-source uIP, FNET, picoTCP and Nut/Net stacks). These flaws were found in many industrial products, including PLCs, serial-to-Ethernet converters, protocol converters, Remote Terminal Units (RTUs), digital protective relays, and some managed network switches and routers.

A new industrial vulnerability is found every day as a result of defects, incorrect settings, or insufficient maintenance. The majority of newly discovered vulnerabilities listed in ICS advisories continue to be memory corruption problems. Given that the software stacks of many ICS assets lack inherent security and have few security controls, this condition is likely to persist.

The threat landscape is expanding daily, and some threats, particularly supply chain and ransomware attacks, may develop into disruptive and even catastrophic capabilities.

Ransomware operations are still very prevalent and indiscriminately target high-value businesses that can be extorted for money. The current OT threat landscape is depicted in the image below.

We know that IT/OT convergence is happening at the network, OS, application and personnel levels; the image below lists the technical controls that can be implemented within this converged ecosystem at each layer of the Purdue model.

Given that, building a comprehensive industrial cyber security program is more important than ever. Compared to previous years, the industrial regulatory landscape in many regions of the world is maturing. To battle cyber threats, many countries have drafted their own standards as regulatory vehicles, based on well-known international standards such as ISO 27001 (especially now with the ISO 27002:2022 update and its closer alignment with GDPR), ISA/IEC 62443, and NIST SP 800-82.

In addition to local, regional and international standards, which act as an overarching regulatory umbrella for your program, you need a tactical framework to underpin your journey. What better than the MITRE ATT&CK for ICS framework to benchmark your efforts against? It maps the TTPs commonly used by adversaries against ICS. Understanding those techniques gives you actionable insight into how to guard your ICS environment; the framework also serves as a common language the industrial community can use to communicate and analyze incidents, and it helps sharpen organizational security strategies and policies.

One of the main OT challenges faced by the majority of industrial organizations is asset and network visibility. A recent study by Dragos revealed that 90% of its clients had limited or no visibility into their industrial networks. In many cases, network analysts were blind to critical network traffic, and centralized logging was not in place. Identifying your crown jewels and monitoring what goes on in your ICS network are critical steps toward a full picture of what happens across industrial assets and sites.

Luckily, there are many products on the market that offer network visibility, threat detection and operational insight. Implementing such solutions goes hand in hand with digital transformation and business modernization. They let your cyber security team monitor the OT environment in depth and build specific use cases so that suspicious activity can be acted on quickly. IT and OT teams can then confidently secure the OT environment, detect cyber risks and mitigate them; finally, this prepares the ground for the convergence of IT and OT, which becomes a reality once both environments are easier to manage together.
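What such visibility products do at their core is passive protocol parsing on a SPAN or TAP feed: every request reveals an asset and the functions used against it, and a write from an unexpected source is an immediate use case. The following is an added example that is not code from the original post or from any vendor product; it serves both the visibility paragraph and the use-case paragraph above. It parses constructed Modbus/TCP frames, builds an asset inventory keyed by server IP and unit ID, and alerts on write function codes from hosts outside an assumed engineering-workstation allowlist. The IP addresses, the allowlist and the captured frames are assumptions made for the example.

```python
"""
Added example (not part of the original post or of any vendor product):
a passive Modbus/TCP monitor that builds an asset inventory from observed
traffic and alerts on write function codes from unapproved hosts.

Assumptions (not from the page): IP addresses, the allowlist and the
captured frames are constructed; a real deployment would feed frames from
a SPAN port or TAP through a capture library instead of a list.
"""
import struct
from collections import defaultdict

# Modbus function codes that change process state; 1-4 are reads.
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTION_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
                       3: "Read Holding Registers", 4: "Read Input Registers"}

# Hypothetical policy: only this engineering workstation may write to PLCs.
APPROVED_WRITERS = {"10.20.1.10"}


def parse_modbus_tcp(payload: bytes):
    """Parse the MBAP header (transaction id, protocol id, length, unit id) and the
    PDU function code. Returns None if the payload is not well-formed Modbus/TCP."""
    if len(payload) < 8:
        return None
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0; the length field counts the unit id plus the PDU.
    if protocol_id != 0 or length != len(payload) - 6:
        return None
    function_code = payload[7]
    return {"transaction_id": transaction_id, "unit_id": unit_id,
            "function_code": function_code & 0x7F,   # high bit marks an exception response
            "exception": bool(function_code & 0x80),
            "data": payload[8:]}


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Construct a Modbus/TCP payload (used only to make the sample capture)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed capture: (src_ip, dst_ip, TCP payload on port 502).
CAPTURE = [
    ("10.20.1.10", "10.20.2.11", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),              # EWS reads holding registers
    ("10.20.1.20", "10.20.2.11", build_frame(2, 1, 4, struct.pack(">HH", 0, 4))),               # HMI reads input registers
    ("10.20.1.10", "10.20.2.12", build_frame(3, 1, 16, struct.pack(">HHB", 0, 1, 2) + b"\x00\x01")),  # EWS write, approved
    ("10.20.3.99", "10.20.2.11", build_frame(4, 1, 6, struct.pack(">HH", 5, 0xFFFF))),          # unknown host writes register 5
    ("10.20.2.11", "10.20.1.10", build_frame(1, 1, 0x83, b"\x02")),                             # exception response, illegal address
    ("10.20.3.99", "10.20.2.11", b"\x00\x05\x00\x01\x00\x06\x01\x06"),                          # malformed: protocol id is 1
]


def analyze(capture, approved_writers=APPROVED_WRITERS):
    """Return (inventory, alerts). inventory maps (server_ip, unit_id) to the set of
    function codes seen against that asset; alerts is a list of strings."""
    inventory = defaultdict(set)
    alerts = []
    for src, dst, payload in capture:
        frame = parse_modbus_tcp(payload)
        if frame is None:
            alerts.append(f"malformed Modbus/TCP from {src} to {dst}")
            continue
        fc = frame["function_code"]
        if frame["exception"]:
            # Exception responses come from the server, so the asset is the source.
            inventory[(src, frame["unit_id"])].add(fc)
            continue
        inventory[(dst, frame["unit_id"])].add(fc)
        if fc in WRITE_FUNCTION_CODES and src not in approved_writers:
            alerts.append(f"{WRITE_FUNCTION_CODES[fc]} to {dst} unit {frame['unit_id']} "
                          f"from unapproved host {src}")
    return dict(inventory), alerts


if __name__ == "__main__":
    inventory, alerts = analyze(CAPTURE)
    for (ip, unit), codes in sorted(inventory.items()):
        names = [WRITE_FUNCTION_CODES.get(c) or READ_FUNCTION_CODES.get(c, f"FC {c}") for c in sorted(codes)]
        print(f"asset {ip} unit {unit}: {names}")
    for alert in alerts:
        print("ALERT", alert)
```

Two design points carry over to real deployments: the inventory is built from requests (the destination is the asset), not from responses, so it works even when only one direction of traffic is mirrored; and the length check rejects frames whose MBAP length disagrees with the payload, which is the first thing a fuzzer or a broken protocol converter produces.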

Many companies have not yet implemented such solutions; but why? Mostly because of their ways of working, typically organizational culture. Such companies usually do not react until a breach, the enforcement of a regulation, or a mandate from the C-level or the board of directors. According to a study by Nozomi, 60 percent of companies are still at this stage; 30 percent have started a POC of a certain product, learned about the vulnerabilities in their OT environment, and begun remediating them; only 10 percent of industrial companies are at the optimization phase, with a centralized SOC along with security streamlining and orchestration in place.

The rule of thumb is "threats can be mitigated through a well-maintained defense-in-depth strategy", and industrial environments are no different. The data, application, host, OT network, edge and boundary, and physical security layers must each be carefully assessed before the relevant security controls are implemented. The most important factors are governance and management support, employee awareness, solid policies and procedures, and resilient incident response and business continuity plans.

My advice to corporate cyber security teams is to go to their plants, understand the process well, learn the language of the OT people, and build relationships with them, as this will help tackle cyber security concerns more efficiently.

Categories: OT Security