The Critical Infrastructure Cybersecurity Dilemma
The Colonial Pipeline and Oldsmar incidents have highlighted the challenge of securing older operational technology systems. This article, originally published in Security Info Watch, explains how to prevent and mitigate some of the emerging risks affecting critical infrastructure today.
Table of contents
- Emerging Risks to Critical Infrastructure Systems
- Understanding the New IT/OT Landscape
- Preventing and Mitigating Critical Infrastructure Risks
Emerging Risks to Critical Infrastructure Systems
Critical infrastructure is vital to the functioning of modern societies and economies, yet often these systems are not properly protected or are easily accessed and exploited. Thus, they remain a key target for threat actors. Although awareness around the severity of operational technology (OT) risks is on the rise, the fact is OT environments remain vulnerable.
In the first few months of the year, we have already seen news of several exploited vulnerabilities in the sector, such as the Florida water plant breach and, most recently, the ransomware attack on Colonial Pipeline, one of the United States' most critical fuel pipelines.
Given the longevity of the systems and technology implemented in industrial settings, security has historically been relegated to a second tier of priorities compared to uptime, reliability and stability. It comes as no surprise that 56 percent of the world’s gas, wind, water and solar utilities experience at least one shutdown or operational data loss per year, according to a Ponemon Institute report.
That number has likely grown because of the pandemic, as many organizations weren't prepared for remote management of critical systems. In fact, although leaders agree on the importance of remote access, Claroty reported last year that 26 percent of organizations struggled with the newly dispersed workforce and 22 percent did not have a pre-existing remote access solution secure enough for OT.
Understanding the New IT/OT Landscape
In the past few years, we have seen a convergence between OT and IT-based security infrastructures and processes. However, as we saw in the Colonial Pipeline attack, these integrated ecosystems have become considerably more difficult to secure for reasons such as:
- vulnerable hardware/software components
- poor cybersecurity practices
- lack of visibility into connected assets
- poor network segmentation
Beyond IT/OT convergence, the pandemic pushed many organizations to alter their cybersecurity processes to accommodate the new needs of remote work. However, adversaries quickly realized that targeting workers at home provided a viable path into OT networks. They turned to exploiting work-from-home setups by leveraging:
- unpatched virtual private network (VPN) systems,
- interconnected IT and OT environments,
- and weaknesses in legacy Windows and OT systems.
OT has fast become a prime target for motivated and well-resourced threat actors who continue to redesign their tactics to penetrate new and enhanced security measures. In fact, 2020 saw a significant increase in exploitable vulnerabilities in OT. ICS-CERT advisories increased by more than 32 percent last year compared to 2019, and more than 75 percent of advisories were about “high” or “critical” severity vulnerabilities.
Threat actors are also using ransomware campaigns to target OT environments because they understand how mission-critical these environments are. For example, if a pipeline carrying 45 percent of the fuel consumed on the United States' East Coast is shut down, it costs the pipeline operator millions of dollars per day.
The specialized and mission-critical nature of OT infrastructure technologies means that most security and threat intelligence solutions don’t have visibility into potential vulnerabilities, let alone the ability to defend against attacks.
Preventing and Mitigating Critical Infrastructure Risks
So, what can be done to enhance security in today’s OT landscape? To protect, prevent and mitigate risks, there are several important steps organizations can take to improve their security posture.
Implement a risk management program
OT is built around complex systems that oftentimes are not properly tracked in traditional asset management systems. Designing an effective OT security program requires a risk model that specifically maps the functional requirements of these systems while providing a holistic image of the potential real-world consequences of compromise. As part of the program, organizations that leverage the Purdue Model should ensure they’re documenting the number of traffic flows between levels, especially if the flow is across more than one Purdue level.
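The following is an added example, not code from the original article or from any vendor: it maps constructed flow records (source IP, destination IP, destination port) to Purdue levels via an assumed subnet-to-level table, counts flows per level pair, and flags flows that skip a level or involve an address outside the documented levels.

```python
import ipaddress
from collections import Counter

# Constructed subnet-to-Purdue-level mapping (assumption: one subnet per level).
PURDUE_LEVELS = {
    ipaddress.ip_network("10.4.0.0/16"): 4,  # enterprise IT
    ipaddress.ip_network("10.3.0.0/16"): 3,  # site operations / historians
    ipaddress.ip_network("10.2.0.0/16"): 2,  # supervisory control (HMI, SCADA)
    ipaddress.ip_network("10.1.0.0/16"): 1,  # basic control (PLCs)
}


def purdue_level(ip):
    """Return the Purdue level of an address, or None if it is outside every documented level."""
    addr = ipaddress.ip_address(ip)
    for net, level in PURDUE_LEVELS.items():
        if addr in net:
            return level
    return None


def summarize_flows(flows):
    """Count flows per (src_level, dst_level) pair and list those that need review:
    flows spanning more than one Purdue level or touching an undocumented address."""
    counts = Counter()
    review = []
    for src, dst, dport in flows:
        s, d = purdue_level(src), purdue_level(dst)
        counts[(s, d)] += 1
        if s is None or d is None or abs(s - d) > 1:
            review.append((src, dst, dport, s, d))
    return counts, review


# Constructed flow records, as a passive collector might export them.
SAMPLE_FLOWS = [
    ("10.3.0.10", "10.2.0.5", 502),      # historian -> HMI, adjacent levels
    ("10.2.0.5", "10.1.0.20", 44818),    # HMI -> PLC, adjacent levels
    ("10.4.0.77", "10.1.0.20", 44818),   # enterprise host -> PLC, skips levels 3 and 2
    ("203.0.113.9", "10.2.0.5", 3389),   # undocumented external address -> HMI
]

if __name__ == "__main__":
    counts, review = summarize_flows(SAMPLE_FLOWS)
    for pair, n in sorted(counts.items(), key=str):
        print(f"levels {pair}: {n} flow(s)")
    for entry in review:
        print("review:", entry)
```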
Build a cyber incident response plan
If there was something we should have learned from the COVID-19 pandemic, it is that we need to be ready for anything. A comprehensive cyber incident response plan that includes both proactive and reactive measures is required to help prevent incidents and better allow the organization to respond if one does occur. Make sure to print the response plan and have it handy. What happens if the systems that store your incident response plan are encrypted or unavailable due to an attack?
Protect third-party remote access
Organizations regularly rely on third-party vendors to complement their business; however, many do not have uniform cybersecurity policies and practices. Many OT sites even have third party vendors regularly conduct maintenance via remote access technology, which creates exploitable weaknesses in the operations chain. Establishing a supply chain management program that vets external vendors’ security standards and provides better control of third-party access is critical to reducing the risks third parties introduce.
Enhance system monitoring procedures
It is no longer enough to simply build a network with a hardened perimeter. Securing OT systems against modern threats requires well-planned and well-implemented strategies that will allow defense teams to quickly and effectively detect, counter and respond to adversaries. At a minimum, the following actions should be taken:
- corporate IT and OT domains should be physically and logically separated
- networks must be segmented
- critical parts of the network must be isolated from untrusted networks, especially the internet
It is also important to deploy monitoring tools such as passive intrusion detection systems (IDS) specifically designed for OT environments. Passive systems are key because proactive systems may present false positive detection that could lead to downtime of critical systems.
Develop informed security controls
To establish the required controls, we have to start with an asset inventory. Once the assets have been identified, organizations at a minimum need to implement the security features provided by device and system vendors. However, to deal with some critical vulnerabilities, we recommend turning on security features that apply Common Industrial Protocol (CIP) security controls, a fairly universal standard.
Many PLC vendors also have physical switches on their appliances that prevent changes to the PLC's configuration, and these should be used appropriately. We see many plants and OT sites with these switches always set to "config mode," which allows the PLC configuration to be changed (potentially by an attacker). These should be complemented with secure and hardened configurations (read/write protections, memory protection, etc.).
Managing controls over time can be daunting and time intervals between OT system upgrades can be years long, so organizations need an effective change management program. The program should be able to identify compensatory controls that can be applied to remediate critical vulnerabilities that cannot be patched immediately. These controls can include a host monitoring system that detects and alerts when unauthorized changes are made to Human Machine Interfaces (HMIs), engineering workstations or to PLCs.
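As an added example (not the article's or any vendor's code), the check below implements the two controls described above over a constructed asset inventory: it flags PLCs whose key switch is not in the approved mode and flags HMIs or PLCs whose configuration hash differs from the approved baseline. The asset ids, modes and configuration blobs are constructed placeholders, not a real vendor export format.

```python
import hashlib


def config_hash(config_bytes):
    """SHA-256 of a configuration blob; the baseline stores only this digest."""
    return hashlib.sha256(config_bytes).hexdigest()


# Constructed approved baseline: expected key-switch mode (None where the
# device has no switch, e.g. an HMI) and the digest of the approved config.
BASELINE = {
    "PLC-01": {"mode": "RUN", "sha256": config_hash(b"ladder-v12;setpoint=70")},
    "PLC-02": {"mode": "RUN", "sha256": config_hash(b"ladder-v3;setpoint=55")},
    "HMI-01": {"mode": None, "sha256": config_hash(b"screens-v8")},
}


def check_assets(observed):
    """Compare observed assets with BASELINE; return (asset_id, finding) tuples."""
    findings = []
    for asset_id, obs in observed.items():
        base = BASELINE.get(asset_id)
        if base is None:
            findings.append((asset_id, "asset not in inventory"))
            continue
        if base["mode"] is not None and obs.get("mode") != base["mode"]:
            findings.append((asset_id, f"key switch in {obs.get('mode')}, expected {base['mode']}"))
        if config_hash(obs["config"]) != base["sha256"]:
            findings.append((asset_id, "configuration differs from approved baseline"))
    return findings


# Constructed observation from a host-monitoring pass.
OBSERVED = {
    "PLC-01": {"mode": "RUN", "config": b"ladder-v12;setpoint=70"},
    "PLC-02": {"mode": "PROG", "config": b"ladder-v3;setpoint=40"},  # left in config mode, setpoint altered
    "HMI-01": {"mode": None, "config": b"screens-v8"},
    "PLC-09": {"mode": "RUN", "config": b"ladder-v1"},  # never added to the inventory
}

if __name__ == "__main__":
    for asset_id, finding in check_assets(OBSERVED):
        print(f"ALERT {asset_id}: {finding}")
```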
Establish audits and security assessments
Finally, numerous factors affect the security of a system throughout its life cycle, so periodic testing and verification of the system are essential. Timely audits and assessments help eliminate the “path of least resistance” that an attacker could exploit.