Operational technology (OT) doesn’t get a lot of airtime in the cybersecurity industry. But cyberattacks targeting these systems have the potential to cause havoc with the critical national infrastructure (CNI) that relies on them to operate.
Unfortunately, a new report highlights that many OT devices are “insecure by design.” It found 56 bugs in products from 10 vendors, some of which are rated critical. Until manufacturers start building more secure OT products, the organizations running them should familiarize themselves with the threat landscape, security solutions, and best practice mitigations (e.g., network segmentation, correct firewall configuration, secure remote access, access control).
What is Icefall?
The report in question collectively named the vulnerabilities “OT:Icefall.” It said they impacted 324 of its customers globally, although the real figure will be much higher. The products are popular in sectors such as oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and building automation. They include programmable logic controllers (PLCs), supervisory control and data acquisition (SCADA) systems, building controllers, and other key bits of software used in industrial environments.
Thanks to digital transformation initiatives across CNI sectors, OT environments are now typically connected to the internet, and this connectivity means anyone could theoretically attack them remotely and cause outages. That’s a big risk, especially when the quality of security controls and engineering in such systems is often lagging. It’s even less comfort to know that some of the industry’ biggest names were among those found to be running vulnerable products: Bently Nevada, Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa.
Good to Know: In the high profile Colonial Pipeline ransomware attack threat actors used a leaked password found on the dark web to trigger the shutdown of Colonial's operational technology (OT) systems and 5,550 miles of pipe. This incident highlights the need for cybersecurity threat awareness, a robust security posture, and an incident response plan.
Where are the problem areas of OT security?
According to the report, there were four key categories of vulnerability:
- Insecure engineering protocols.
- Weak cryptography or broken authentication schemes.
- Insecure firmware updates.
- Remote code execution (RCE) via native functionality.
It said the impact of each bug will vary depending on the functionality of the device it is found in. However, the most common types enable attackers to compromise credentials (38%), either because they’re stored or transmitted insecurely.
Rounding out the top five are:
- Firmware manipulation (21%), whereby attackers can tamper with systems due to insufficient authentication or integrity checks.
- Remote code execution (14%) allowing an attacker to execute arbitrary code on the impacted device, usually via a firmware update.
- Configuration manipulation (8%) which again stems from a lack of adequate authentication/authorization or integrity checking.
- Denial of service (8%), where attackers are able to take a device completely offline or block access.
Recommended Reading: ICS security is a major segment within the operational technology sector. It comprises systems that are used to monitor and control industrial processes. Click through to learn How To Close the Internet of Things (IoT) Security Gaps In Your Industrial Control System (ICS) Networks.
Why is OT so insecure?
For many years, OT software benefitted from the concept of “security by obscurity.” It was thought that because there were so many siloed and specialized systems from different manufacturers, often air-gapped from the internet, that it was not worth the effort for hackers to try and compromise them. However, the ROI of attacks is changing. As mentioned, these systems are now more often than not internet-connected, making them more accessible. They might also contain more standardized components, further simplifying the process of researching attacks. And bad actors can benefit from the increasing volume of security research and threat intelligence available online.
The problem is that OT manufacturers don’t seem to have caught up to this new reality. Instead of building security in from the design phase on, they’re allowing dangerous vulnerabilities to make it through to production. One of the bugs highlighted by the report gets a massive 9.8 CVSS score.
The report’s authors also revealed that most (74%) of the vulnerable products they found had received some form of security certification. That’s despite the fact that the majority of the issues it uncovered should have been found relatively quickly during “in-depth vulnerability discovery.” Something is clearly going wrong somewhere. Many of these issues were also not officially assigned CVE numbers, making it difficult for asset owners to conduct effective risk management. These are all industry-wide challenges which could take a long time to fix, if at all.
Recommended Reading: Is some, or all, of your job overseeing an OT network? Has IT/OT convergence expanded your responsibilities to both IT networks and OT? See how OpenVPN Cloud helps you establish reliable OT secure networking here.
A real-world impact
Yet there is an urgency that progress is made. Why? Because such vulnerabilities have already been exploited to devastating effect, in attacks designed to sabotage industrial equipment and processes. These include:
- Industroyer: A Russian state-backed destructive malware attack which caused power blackouts in Ukraine in 2016.
- Triton: Another destructive attack, targeted against a Saudi petrochemical plant in 2017.
- Industroyer 2: A second iteration of the malware used in the current war, against Ukrainian energy assets.
The report warned that offensive capabilities leveraging weaknesses in OT software could be more feasible than thought today. It said OT-focused malware “could be developed by a small but skilled team at a reasonable cost.”
Recommended Reading: Industry 4.0 is powered by OT and IIoT devices. Learn more about mitigating cyber threats and vulnerabilities in the Industry 4.0 Age in Cybersecurity for Manufacturing Industry Regulatory Compliance.
Mitigating the threat today
The change needed to address the OT threat will require vendors to build better vulnerability management programs and address new vulnerabilities and security issues earlier on in their development pipelines. But customers of OT products don’t have the luxury of time, as the above attacks show. In the meantime, they can take steps to reduce the potential impact of attacks by following some industry best practices, including:
- Compiling comprehensive asset inventories and scanning for vulnerable devices.
- Prompt patching of vulnerabilities.
- Segmentation of networks to isolate at-risk devices, especially ones that can’t be patched.
- Monitoring all network traffic for malicious packets, and blocking any suspicious or anomalous traffic.
OT systems run the world. It’s time we address the expanded attack surface and security risks that come with them.