Critical infrastructure systems are becoming increasingly connected to traditional IT systems, and as a result, are increasingly targeted.
By Francisco Donoso, Sr. Director of Global Security Strategy at Kudelski Security
Critical infrastructure systems are becoming increasingly connected to traditional IT systems, and as a result, are being increasingly targeted. A Siemens study found that 56 percent of the world’s gas, wind, water and solar utilities experienced at least one shutdown or operational data loss per year. The potential repercussions of a critical infrastructure breach within an industrial setting go far beyond financial loss or reputational damage.
Attacks in this space have already resulted in large-scale societal consequences. A cyber attack on Colonial Pipeline, the largest pipeline system for refined oil products in the U.S., caused the company to suspend operations and left the East Coast with a temporary gas shortage. In this case, Colonial Pipeline shut down its fuel pipeline operations pre-emptively even though its’ operational technology (OT) systems were not directly impacted. Sources claimed that the shutdown was due to the invoicing and billing systems being encrypted and unavailable, leaving the business with no way to properly track or invoice clients for fuel.
Colonial Pipeline’s hack is an important case study about how critically interdependent IT and OT systems are, even if they’re segregated technically and air gapped appropriately. This incident highlighted the imminent need for cybersecurity and risk management programs for an organization’s operational/industrial control system (ICS) environments, as well as security being at the forefront for all OT engineers and plant managers.
Within the past few years, the convergence of IT and OT systems has expedited the adoption of remote access technologies in critical infrastructure settings. More recently, the COVID-19 pandemic forced organizations to limit the number of people who were physically located within a plant or OT site. This drastically increased the number of ICS management and monitoring systems that are directly connected to the internet, potentially leaving them accessible to remote attackers.
These unprotected remote access systems or solutions essentially act as bait to threat actors wanting to compromise critical infrastructure systems. For example, a security researcher from the University of Tulsa revealed the ability for hackers to control entire networks of U.S. wind farm turbines. The researchers broke into a facility and installed a Raspberry-Pi-based computer through which they were able to access the systems remotely. This experiment shone a light on the simplicity of covertly installing unauthorized remote access systems that provide easy access to OT systems that were through to be fully air gapped from the internet, and the potential damage that can be done.
Despite these glaring vulnerabilities, there is a widespread lack of knowledge about asset protection across the manufacturing, energy, and oil and gas industries. Many OT operators and engineers, unfortunately, are not yet aware of the severity of the potential risks that insecure remote access points can bring. There is a significant disconnect between risk perception and actively implementing processes and procedures to mitigate those risks, with little incentive to replace or improve equipment that still functions but does not meet security requirements. Industry professionals must be educated on the risks of vulnerable remote access points.
The reality of OT systems is that plants and manufacturing sites are often designed and built to last and to remain “stable” for decades to come. This means that there are often no plans to keep software updated by installing security patches, changing configurations to make the systems more secure, or reducing risk by turning off unnecessary features on Programmable Logic Controllers (PLCs). Consequently, the most common risks in critical infrastructure OT systems include the following: outdated operating systems, unencrypted passwords used to connect to systems over unsecured networks, remotely accessible devices, lack of passive network monitoring, weak access control systems, and the failure to keep antivirus signatures updated to track new malware strains.
It’s not uncommon for security providers to deploy passive network monitoring systems in OT environments and immediately see years old malware running rampant (such as slammer or conflicker) with the OT engineers being none the wiser. The attacks against these systems typically don’t require sophisticated zero-day vulnerabilities in the software used on engineering workstations or in PLCs but instead rely on abusing poor security hygiene and differing priorities.
Poor cyber hygiene remains the top challenge in securing these systems. Thankfully, some steps can be taken to reduce risk. One key priority is to focus on protecting IT / OT network boundaries. More specifically, focus on remote access systems and software that may allow direct access to critical OT networks to enable engineers to monitor systems remotely.
Perhaps most importantly, proper education and increased awareness remains the most effective way to prevent incidents. If detection and risk mitigation is to be a priority, education must come first. Site managers and OT engineers must be aware of these risks and work closely and collaboratively with corporate information security teams to appropriately defend these environments in a non-disruptive way.
One of the simplest ways to deploy risk mitigation measures is deploying an approved set of remote access tools designed specifically for OT environments and ensuring these systems are appropriately configured to record a user’s activity and limit their access based on least privilege.
Implementing security practices and procedures is not a choice for most business-critical OT systems. Security must be at the forefront of all new critical infrastructure systems to protect against a growing number of vulnerabilities due to the convergence of IT and OT systems and the increasing number of access points. Companies must mitigate the risk of OT breaches and ensure their risk management and information security programs also help protect these environments.
Francisco Donoso is the Senior Director of Global Security Strategy at Kudelski Security, a global cybersecurity services provider, where he previously worked as the principal architect, building out the company’s global Managed Security Services (MSS) offerings. He has been on the forefront of research into the Equation Group’s post-exploitation tools and capabilities since their release by the Shadow Brokers and has spoken about this research at Derbycon, Thotcon, Microsoft Bluehat, and other conferences.
Patti Jo Rosenthal chats about her role as Manager of K-12 STEM Education Programs at ASME where she drives nationally scaled STEM education initiatives, building pathways that foster equitable access to engineering education assets and fosters curiosity vital to “thinking like an engineer.”