Is the risk of attacks on the OT infrastructure real? Opinion of a leading Fortinet specialist
Operational technologies, or OT, are a critical segment of the network used by businesses that produce goods or engage in physical processes. Industries such as manufacturing, chemical, oil and gas, mining, transport and logistics use specialized technologies to manage facilities: Assembly and production sites and power systems. The control, monitoring, and management of these systems have been gradually automated over the past few decades, and the specialized systems that perform these tasks are called industrial control systems (ICS), dispatch control, and data acquisition (SCADA), or simply OT.
About the Respondent:
Joe Robertson, chief information security officer at Fortinet
According to Wikipedia: Fortinet is an American multinational Corporation specializing in the development and promotion of software, solutions and services in the field of information security: firewalls, antivirus programs, intrusion prevention systems and endpoint security, and other products. In terms of revenue, the company ranks fourth among all companies specializing in network security.
The networks in which these OT systems operate have traditionally been separated from the corporate information technology (IT) environment, as well as from the Internet, often separated by an air layer. They are usually managed by operational personnel, not IT specialists. And for good reason. Manufacturing facilities can generate millions of dollars an hour for companies, and communities rely on critical infrastructure to provide clean water and energy. When these systems fail even for a few minutes, it can cost hundreds of thousands of dollars and even put workers and people around them at risk.
Simply put, IT is about managing data, and OT is about creating things. And because these OT systems were completely isolated, the OT world felt immune to the hacking that has become a fact of life for IT environments.
But recent attacks on OT have changed the usual order of things.
The number of cyber attacks in these systems and in OT infrastructures in General is growing, and they cause real damage. Probably the first such attack on Stuxnet occurred ten years ago. It was an air-gap system, meaning it had no connection to external networks, but it was hacked nonetheless. In 2017, the NotPetya ransomware interrupted production and closed offices. In the same year, the Trisis/Triton malware damaged security features in oil and gas production equipment. And in 2020, Ekans, or Snake Ransomware, appeared, which is specifically designed for ICS systems.
Air gap disappears
First, the air gap never provided complete security, although isolation did make it harder to hack the OT system. Getting physical access has always been possible with the help of social engineering tools, such as leaving an infected USB flash drive in the Parking lot or confidently entering the territory of the organization under the guise of an employee.
Second, if you think your OT environment is separated by an air cushion, you are probably wrong. Maintenance access to industrial machines, remote updates to ICS tools, or remote firmware updates all leave potential vulnerabilities in the OT environment that you probably don't even know about.
But most importantly, IT and OT networks combine, exposing OT to attacks across the IT world. Combining data with production allows companies to quickly respond to market changes and remotely manage and monitor systems. But these business benefits come with real risks. The new malware, specifically targeted at OT hardware, uses intelligence and delivery components that use the IT environment and its network connections to gain access to industrial control systems.
For example, the Trisis/Triton malware contains components designed directly for the security and monitoring system used by petrochemical plants. This attack is aimed specifically at OT. But the processes, procedures, and methods it uses to break into this security system are pure methods of intelligence and delivery of IT cyberattacks.
IT / OT convergence is real
Despite the additional risk to OT networks, it/OT convergence occurs because it makes financial and operational sense. Operating groups implement complex management systems that use software and databases that run on IT systems. Things like Wi-Fi-enabled thermostats and valves can be monitored and managed remotely via IT infrastructure, and CFO's don't like the cost of separate networks or separate groups required to operate them.
Combining the world of IT and OT provides greater efficiency of processes and business. So convergence is happening, and we have to recognize that it increases cyber risk in several ways.
First, it expands what is called the "digital attack surface," which is a fancy way of saying that hackers have many more devices to target. The number of web servers, branch offices, remote and home workers, and IoT devices is growing rapidly, and each of them is a potential path to the IT network and, ultimately, to your OT environment. Similarly, many OT systems that are now connected to the IT network may be older, sensitive systems that are much easier to hack.
Moreover, the threats are becoming more sophisticated. Just as companies are digitally transformed and develop universal software, attackers use the same techniques to create highly complex and versatile malware. Their attacks use various mechanisms to penetrate the IT environment, and increasingly the OT environment, while at the same time avoiding the company's defenses.
And when it comes to security tools, there are so many of them now that managing threats is in some ways more difficult than ever. Surveys have shown that most large businesses have between 30 and 90 different security tools from almost all vendors. They have different management consoles and require trained personnel to understand them. In too many cases, security personnel do not have time to understand the specifics of each tool. Cyber threats can literally get lost in this mess.
Finally, regulations governing cyber breaches and the protection of personal information have made security even more difficult for IT and OT managers. There are common standards such as PCI-DSS (payment card industry data security Specification), GDPR (General data protection regulation), and the NIST framework (national Institute of standards and technology) that organizations must understand and comply with. There are also industry standards and regulations from various organizations, such as the international organization for standardization (ISO) and the American national standards Institute (ANSI), that define how and where security should be applied.
You are the target | Don't be a victim
To put it bluntly, your OT environment is an attractive target, and if it hasn't been attacked yet, it will be in the future.
In many cases, when it comes to ICS or SCADA systems, there is a huge lack of investment in security. There are many reasons for this, but regardless of why this happens, this situation needs to be corrected. It doesn't matter if your organization combines IT and OT, you must protect OT using several key methods to ensure security:
- Recognize that the risk to your organization is growing, and take action.
- Install tools that provide a broad overview of the OT network, as well as IT. This includes device discovery and inventory, providing access control only for authorized personnel, and gaining access to applications and traffic.
- Use a segmentation strategy. Integrate gateways with strict policies between IT and OT environments and do the same between different layers of your OT network. The goal is for each system and subsystem to perform only its own work. Segmentation prevents an attack from spreading from one location to the entire system.
- Replace the open trust-based access model with a zero-trust access strategy. Install access controls that authenticate users, restrict them to only the systems they need to perform their work, and then control them when they connect to the network. This should apply to everyone, but is especially important for contractors and suppliers.
- Use automation to help analyze actions and speed up your response. Implement tools for logging activity, Analytics for searching those logs that look for abnormal behavior, and security systems that can respond to a detected threat. Given the speed at which today's attacks can occur, automation and orchestration are essential to identify threats and take action in seconds.
- Set up processes for auditing and testing systems in the event of a hack, and create rules for backup, recovery, and recovery.
There are many tools designed to protect your IT and SECURITY from different types of attacks and different stages of penetration. Look for an integrated set of tools – whether software, hardware, or both – especially those designed for the unique challenges of OT environments. This approach will provide you with maximum security.
Security tools that can communicate threat information among themselves, coordinate responses, and manage as a single unit will simplify your security without compromising it. A good example is Fortinet Security Fabric, which is an open ecosystem with multiple vendors designed to provide the benefits of a holistic security regime.