OT systems like ICS and SCADA networks can be blind spots in your cybersecurity program — what can be done to minimize these risks?
By Ravid Circus, VP of Products, Skybox Security
Not long ago, manufacturers only had to worry about protecting their information technology (IT) infrastructure from cyberattacks, but operational technology (OT) is increasingly becoming a target. Traditionally, OT environments like industrial control systems (ICSs) weren’t connected to the IT network. That setup was more secure but less efficient. However, efficiency and operational needs have meant most organizations have now converged OT and IT networks, creating more potential headaches for security teams and business leaders.
Even if your role is outside of cybersecurity, you’ve probably heard of ransomware. It has proliferated over the past two years with an FBI estimate noting upwards of $1 billion was paid by victims in 2016 alone. Ransomware has become a major headache for organizations, both public and private, in nearly every industry. Usually distributed by email attachment, the malware encrypts data, locking out its rightful users until a ransom is paid.
Ransomware is one part of a larger subset of cybercrime called distributed crimeware. This group also includes banking Trojans, malware, exploit kits, infection tools and mass-distribution mechanisms like phishing, among others. Attacks leveraging these kinds of tools have at least one thing in common: the people behind them are trying to make as much money as they can in the easiest and fastest way possible.
Proof-of-Concept Targets: ICS and Robots
Earlier this year a trio of researchers proved ransomware can be used to take over ICSs. A proof-of-concept (PoC) study conducted by a team at Georgia Tech detailed a hypothetical attack on the systems of a water treatment plant, but the lessons learned aren’t limited to public infrastructure.
The PoC used a cross-vendor worm dubbed “LogicLocker” to attack programmable logic controllers’ (PLCs) weak authentication. LogicLocker was able to jump from one networked neighbor to another after it took over different kinds of PLCs. The researchers were able to take control of compromised devices, locking out legitimate users, at which point they made the hypothetical threat to dump massive amounts of chlorine into the water supply if the terms of the ransom weren’t met.
More recently, and even more pertinent for manufacturers, a team from Trend Micro working with researchers from Politecnico di Milano have hacked an industrial robot. The Milan researchers programmed the robot to draw a squiggly line instead of a straight one. This fairly harmless hack on a robot gripping a stylus would look a lot more serious on a robot maneuvering a welding rig.
According to the researchers, there are 83,673 of this make of robot exposed to this kind of attack, with the entire class of similar machines presumably representing a much larger number in use around the world. And distributed cybercrime loves ubiquity.
Watching for State-Sponsored Attacks
Thankfully, LogicLocker and the industrial robot hack are just proofs of concept and aren’t real threats... yet. If this kind of incident were to take place, the costs from disruption to critical services — not to mention public safety — could be millions of dollars. These types of attacks on ICS facilities are much more complicated in nature than those preferred by the “smash and grab” type of cybercriminal, as other industries make much easier targets for ransomware.
However, the continued rise of state-sponsored hacking and instances of it “piggybacking” on cybercriminal activity could make manufacturing and critical infrastructure a key target. These facilities need to have preventative measures already in place. Operational managers can’t assume only the lowest of the low-hanging fruit will be targeted. As the recent WannaCry attack has shown, distributed cybercrime outbreaks can have a global reach and affect organizations of any size, in any industry.
Tips for Prevention
There are a few things you can do to better prepare your OT systems like ICSs against cyberattack:
- Update Passwords, Configuration and Security Settings – Legacy systems may have been implemented without customization or changes to the original configuration. Ensure these risky configurations, like default password usage and easily discoverable and exploitable settings, are updated. See if any patches are available from the vendor and update if at all possible.
- Indirect Mitigation – Sometimes patching or other security updates are not possible due to operational reasons. In these cases, indirect mitigation can be used. This can be done by network monitoring using intrusion detection rules, adding new firewall rules around the security zone and monitoring supporting devices in the network like routers, switches, gateways, etc.
- Unify IT and OT Network Security – The best way to prepare for an attack is to break down the security management silos between IT and OT environments. Unifying the approach to IT and OT gives more comprehensive visibility of the entire attack surface allowing you to analyze access and vulnerabilities to strengthen critical infrastructure security.
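As an added illustration of the “indirect mitigation” tip above (this is example code written for this page, not Skybox Security’s product or anything from the researchers), the script below applies a simple intrusion-detection rule to flow logs from an OT security zone: connections to PLC programming/control ports are expected only from engineering workstations, so a PLC opening such a session to a neighboring PLC (the way LogicLocker spread) or one source reaching several PLCs is flagged. The addresses, the port-to-service table, the asset lists and the log lines are all constructed assumptions for the demonstration; in practice they would come from your asset inventory and your firewall or span-port flow collector.

```python
"""Added example: flag unexpected connections to PLC control ports in flow logs.

All addresses, asset lists and log records below are constructed for this
illustration; replace them with data from your own inventory and collectors.
"""
from collections import defaultdict

# Constructed inventory for one OT security zone (hypothetical addresses).
PLCS = {"10.10.1.11", "10.10.1.12", "10.10.1.13"}
ENGINEERING_WORKSTATIONS = {"10.10.0.5"}

# Ports on which PLCs accept programming/control traffic. Only engineering
# workstations are expected to open connections to these (assumed policy).
CONTROL_PORTS = {502: "modbus", 44818: "ethernet-ip", 20000: "dnp3"}

# Constructed flow records: "<timestamp> <src> <dst> <dport> <proto>".
SAMPLE_FLOWS = """\
2017-06-01T08:00:01 10.10.0.5 10.10.1.11 502 tcp
2017-06-01T08:00:07 10.10.1.11 10.10.1.12 502 tcp
2017-06-01T08:00:09 10.10.1.11 10.10.1.13 502 tcp
2017-06-01T08:00:15 10.10.0.9 10.10.1.12 44818 tcp
2017-06-01T08:00:20 10.10.1.12 10.10.0.20 443 tcp
2017-06-01T08:00:31 10.10.0.5 10.10.1.13 502 tcp
"""


def parse_flow(line):
    """Split one flow record into its fields; raises ValueError on malformed lines."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def analyze_flows(text):
    """Return a list of alerts for flows that violate the zone's access model."""
    alerts = []
    targets_per_source = defaultdict(set)

    for raw in text.splitlines():
        if not raw.strip():
            continue
        flow = parse_flow(raw)

        # Only control-port connections to PLCs are in scope for this rule.
        if flow["dst"] not in PLCS or flow["dport"] not in CONTROL_PORTS:
            continue
        # Engineering workstations are the expected source of such sessions.
        if flow["src"] in ENGINEERING_WORKSTATIONS:
            continue

        service = CONTROL_PORTS[flow["dport"]]
        targets_per_source[flow["src"]].add(flow["dst"])

        if flow["src"] in PLCS:
            # A PLC opening a programming session to a peer is how LogicLocker
            # moved between neighbors; legitimate PLCs do not reprogram each other.
            alerts.append({"severity": "high", "rule": "plc-to-plc-control",
                           "ts": flow["ts"], "src": flow["src"],
                           "dst": flow["dst"], "service": service})
        else:
            alerts.append({"severity": "medium", "rule": "unexpected-control-source",
                           "ts": flow["ts"], "src": flow["src"],
                           "dst": flow["dst"], "service": service})

    # One unexpected source touching several PLCs looks like scanning or spreading.
    for src, targets in targets_per_source.items():
        if len(targets) >= 2:
            alerts.append({"severity": "high", "rule": "multi-plc-spread",
                           "src": src, "targets": sorted(targets)})
    return alerts


if __name__ == "__main__":
    for alert in analyze_flows(SAMPLE_FLOWS):
        print(alert)
```

Run against the constructed sample, the rule produces two high-severity PLC-to-PLC alerts for 10.10.1.11, one medium alert for the unknown host 10.10.0.9, and a spread alert because 10.10.1.11 reached two different PLCs. The same allowlist logic translates directly into the firewall rules mentioned in the tip: deny every source other than the engineering workstations on the control ports, and log (rather than silently drop) the denied attempts so the detection keeps working even after the block is in place.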
By thinking critically and adding the OT side to your overall cybersecurity program, many potential issues can easily be avoided. After all, the next demonstration of ICS hacking might not be carried out by a friendly team of university researchers and their targets might not be hypothetical.
Ravid Circus is Skybox Security’s vice president of products. Circus holds several patents and is responsible for driving thought leadership around Skybox Security’s technology roadmap, platforms and products for the next era of security analytics.