The increasingly interconnected nature of today’s OT systems, especially in critical infrastructure industries such as electricity, water, oil and gas, transportation, chemical, and healthcare use for automated process control, combined with threat actors interest in compromising them for economic and non-economic purposes such as political, has made these systems more vulnerable to external compromise or a staging ground for further attacks. On this article, I will be capturing some of the good practices in the OT environment from the cybersecurity perspective. I will share an overview of OT systems, design concepts, threats and vulnerabilities and good practices from the cybersecurity standpoint.
Sample OT Systems / Components –
- Sensors — Allows interaction with the physical world such as valves, motors
- HMI — Human-Machine Interface permits the supervision and control of a subprocess
- PLC — Programmable Logic Controllers manages the sensors
- Supervision screen — Remote supervision of the industrial process
- Data Historian — Records all data from OT and ICS networks and shares it with corporate IT systems
A typical OT / ICS environment consists of applications, infrastructure and communication systems.
- Applications: HMIs, controlling coding tools, process controls systems
- Infrastructure: Controllers (PLCs, RTU etc), servers, storage etc.
- Communication: Core, firewalls, industrial networks, radio communications, voice services etc.
ANSI / S-95 Reference Model:
For reference — A typical IT / OT network design
Here is a conceptual example of how OT and IT system interoperate in the context of drilling blasting operation:
Design Concepts –
The design philosophies of IT and OT networks are quite different; hence, it’s quite challenging to determine a standard solution for both. The environments have different performance requirements, reliability requirements, operating applications and risk management goals. Some of the differences are captured below:
Threats and Vulnerabilities –
- Lack of segmentation within the OT networks and IT/OT networks — The convergence of IT and OT systems, combined with increased and accelerated use of IoT in industrial environments for gaining operational efficiencies has caused networks designed in a flat and unsegmented configuration to get things done quickly
- OT systems in IT network — It’s not uncommon to find an OT system such as a reporting server for OT environment within the IT environment, but with a direct leg to the OT network. As organisations have become data hungry, and in order to get things done quickly, often OT systems are located within the IT environment for ease of reporting
- Missing security patches — By design, the OT systems are configured to operate for long periods for productions purposes. Due to the limited maintained windows, often security patching falls back in the priority when compared to other prudent activities such as part replacement etc.
- Remote connectivity via jump boxes — The use of jump boxes, which are often remotely accessible via vendors etc. may provide significant access to the OT networks. Often these jump boxes are either not monitored (network, application, etc.) or in the worst case scenario, the security teams may not be even aware of them
- Poor Password Practices — It’s not uncommon to find OT systems without any password or easily guessable passwords. This further widens the attack surface especially considering the other issues as discussed above
- Insecure wireless networks — OT systems are often connected to radio technologies such as WiMax to communicate with the remote operations centre. The wireless equipment on OT networks may use deprecated security encryption methods which expose them to eavesdropping attacks etc
- Lack of security training and awareness program– Due to the lack of investments in cybersecurity-related training OT engineers and production managers, people on the ground often find difficulties in interacting and understanding security issues raised by the IT teams. This causes significant frustrations in the sides and further slow down the remediation efforts
- Lack of network and systems monitoring — Many organisations are struggling to gain visibility over their OT environment. Often, they aren’t even aware of a number of the systems, type of systems or versions installed in the OT environment.
OT Cyber Threat Actors –
The source of an OT Cyber-attack can arrive from a variety of threat actors with the motives ranging from financial gains to physical disruptions. Some of the actors are listed below:
Below are the notable threat actors who have, or actively targeting Energy, Utilities and Mining sectors:
- APT17 aka Deputy Dog
- APT18 aka TG-0416, Dynamite Panda, Threat Group-0416
- APT 19 aka Codoso, C0d0so0, Codoso Team, Sunshop Group
- APT 33 aka Elfin
- APT 34 aka Oilrig, IRN2, HELIX KITTEN
- Sandworm aka Quedagh, VOODOO BEAR
- DragonFly aka Energetic Bear
- MagicHound aka Rocket Kitten, Operation Saffron Rose, Ajax Security Team, Operation Woolen-Goldfish, Newscaster, Cobalt Gypsy, APT35
- BRONZE BUTLER
- Leviathan aka TEMP.Jumper, APT40, TEMP.Periscope
- menuPass aka Stone Panda, APT10, Red Apollo, CVNX, HOGFISH
- TG-3390 aka Emissary Panda, BRONZE UNION, APT27, Iron Tiger, LuckyMouse
Some of the noteworthy ICS cyber attacks we’ve seen so far –
Improved security control policies and controls enhance the reliability and availability of the OT systems. NIST 800–8211 and ISA/IEC 6244312 for ICS and OT provide a good guideline on their cyber hygiene. However, the effort requires strong collaboration efforts with the IT staff who’ve most insight about the systems they manage. Some of the good practices, but not limited to, are highlighted below:
- Collaborate with business on establishing an IT and OT Cybersecurity strategy
- Establish a clear catalogue of the OT systems and prioritise them taking a risk-based approach through collaboration with the OT staff or the business
- Establish procedures for the use or portable media — Rules and playbooks must be established on the use of removable media such as USB
- Deploy the right architecture to create a segmentation of the IT and OT networks. The Purdue model uses the concept of zones to subdivide an Enterprise (IT) and ICS (OT) network into logical segments comprised of systems that perform similar functions or have similar requirements (Source: SANS)
- Implement OT-specific patch management process — Standardised process and playbooks for patching and upgrading systems within the OT environment
- Monitor security events across the OT environment to establish situational awareness of the current activities, including changes. Organisations must also determine the logging requirements, goals, use cases for detection of malicious behaviour (MITRE provides a good guideline), log retention periods
Improve Security Culture: Establish OT security training program — Considering that the OT-staff are the most knowledgeable about the systems they are using, it’s recommended to train the OT staff through designated OT cybersecurity champions.
Improve Cyber Resiliency:
- Establish a unified cyber incident management approach for managing cyber threats across IT and OT environment — resources must clearly understand their roles and responsibilities on the event of a cyber-attack. It is also advised to conduct regular table-top exercises with the OT staff to improve the processes
- Create and test backup and restore procedures and prioritise efforts according to the business impact analysis. It is also recommended to test the backups and restoration processes at least once a year
- Implement a threat intelligence program tailored to OT environment for monitoring and tracking threats related to the OT systems and exploits
Establish OT Governance Framework:
- Establish or integrate OT within the governance framework which is approved and tracked by senior leadership
- Establish or extend third-party cyber risk management program to the OT vendors
- Taking a risk-based approach to auditing OT systems to determine high-risk issues and taking appropriate measures for remediation
Cyble Inc.’s mission is to provide organizations with a real-time view of their supply chain cyber threats and risks. Their SaaS-based solution powered by machine learning and human analysis provides organizations’ insights to cyber threats introduced by suppliers and enables them to respond to them faster and more efficiently.
Cyble strives to be a reliable partner/facilitator to its clients allowing them with unprecedented security scoring of suppliers through cyber intelligence sourced from open and closed channels such as OSINT, the dark web and deep web monitoring and passive scanning of internet presence. Furthermore, the intelligence clubbed with machine learning capabilities fused with human analysis also allows clients to gain real-time cyber threat intel and help build better and stronger resilience to cyber breaches and hacks. Due to the nature of the collected data, the company also offer threat intelligence capabilities out-of-box to their subscribers.