The Anatomy of an IT/OT Cyber Attack
This article summarizes material from a presentation, “Overcoming Industrial Security Challenges,” held during Kudelski Security’s European Cyber Summit in February 2021.
- Threats to the Combined IT/OT Environment
- Understanding the IT/OT Overlap
- Exploiting the IT/OT Overlap – Two Real-World Examples
- Overcoming the Challenges of IT/OT Security
- Get in Touch
The convergence of IT/OT is upon us, bringing new challenges for both the IT and OT units to navigate. Traditionally, operational technology has been managed by site engineers with a focus on reliability and safety. But now, as OT systems are becoming more connected, it’s imperative that these two worlds begin to operate as one.
Threats to the Combined IT/OT Environment
More and more, we’re seeing attackers begin to exploit vulnerabilities across the IT/OT infrastructures, often with devastating results. This combined cyber-physical world represents a high-risk, high-reward scenario for attackers, and their targets often have no choice but to comply with attacker demands to prevent a catastrophic hit to finances or worse, endangering the lives of plant workers and the communities they serve.
We saw this play out most recently with the Colonial Pipeline attack. The Colonial Pipeline provides nearly half of the fuel for the east coast of the United States, transporting 100 million gallons of fuel a day. A ransomware attack in their IT environment put their OT security at risk. The pipeline proactively shut down operations to prevent further spread, resulting in fuel shortages and disruption of fuel markets.
The company ultimately paid the equivalent of a $5 million ransom in bitcoin to regain control of their systems. We also know now that attackers were able to steal 100 gigabytes of company data while inside the network.
In the case of the Colonial Pipeline, the impacts were primarily financial. However, it’s important to understand the physical impacts that can occur when IT/OT systems are attacked.
Take for example the attack on a German steel mill in 2014, where a spearphishing attack resulted in the compromise of industrial components that prevented a blast furnace from properly shutting down. These furnaces contain molten metal heated to thousands of degrees, and any malfunctions pose a serious risk to workers.
Luckily, the only damage was to the mill itself. And while at the time the recommended prevention mechanism was to keep IT and OT networks completely separated, we know that given all the benefits of connected OT systems, that is just not practical. Therefore, it’s imperative to understand how IT and OT systems interact and how to balance secure operation of both.
Understanding the IT/OT Overlap
These IT/OT attacks are possible because IT and OT environments have begun to overlap as we trend toward OT hyperconnectivity. Hyperconnectivity comes with numerous benefits, especially when it comes to efficiency improvements and cost reductions. But the introduction of IT systems into the OT environment exposes once isolated systems and equipment to new threats. Now, a vulnerability in the IT environment could be exploited to attack an OT environment and vice versa.
Let’s take a closer look at where this overlap occurs. I like to think of the converged IT/OT environment in terms of four layers.
Layer 1 – The Control Level
Starting at the bottom, Layer 1, you have the Control Level of the OT environment. These are the in-the-field machines, the process sensors, engine controls, etc. Supported protocols at this level are extremely diverse and often proprietary, making it difficult to standardize any kind of security.
Layer 2 – The Process Management Level
Layer 2 is where the IT/OT overlap begins. The Process Management Level is what allows OT engineers to manage productivity and operations in the OT environment, including SCADA (supervisory control and data acquisition) systems. This is the level that benefits from OT hyperconnectivity, leveraging new software and applications for cost and efficiency improvements.
Layer 3 – The Operations Management Level
Layer 3 is responsible for how the company as a whole is managed through the manufacturing execution system. Typically, this system is owned by the IT department.
Layer 4 – The Enterprise Level
Finally, Layer 4, the Enterprise Level, is where company software such as ERPs that handle shipping and invoicing, as well as employee devices, email access, and cloud apps and storage, all live. The protocols at Layers 3 and 4 are much more standardized and are designed with both interoperability and security in mind.
Exploiting the IT/OT Overlap – Two Real-World Examples
There are numerous attacks that have successfully exploited vulnerabilities in IT/OT systems. To name a few:
- the 2017 attack on Ukraine’s power grid,
- the 2020 ransomware attack on U.S. pipeline operations,
- and the repeated attacks on Israeli water facilities in 2020.
Because of the nature of OT environments, these attacks can have severe impacts on productivity, revenue, and, in some cases, the safety of employees and the communities they serve.
To better understand how an attacker can exploit the IT/OT overlap, let’s take a closer look at two such attacks—one that moved from the top-down and one from the bottom-up.
Dragonfly 2.0 – IT to OT Attack on the Energy Sector
Between 2015 and 2017, the Dragonfly group carried out a series of attacks targeting the energy sector in the United States, Switzerland, and Turkey. This attack leveraged vulnerabilities across the layers of the IT and OT environments, beginning with spearphishing and watering hole attacks at Layer 4, the Enterprise Level. These are traditional IT attack vectors that could have been prevented with traditional IT security measures.
Then, the attack introduced trojanized OT software at Layer 2, the Process Management Level, which provided access to the OT environment. At this point, Dragonfly was able to perform intelligence gathering in the OT environment in order to sabotage Layer 1, the Control Level.
Stuxnet – OT to IT Attack on Iran’s Uranium Enrichment Program
In this second example, the IT/OT attack entered through the OT environment. Stuxnet, a malicious computer worm discovered in 2010, began as a pure OT attack, with an infected USB device being plugged into a computer at the Process Management Level (Layer 2). The worm was able to spread from that computer to two, three, and ultimately thousands of other machines (Layer 4) until it reached the systems responsible for controlling the centrifuges, ultimately disrupting the centrifuge equipment at the uranium enrichment facilities (Layer 1).
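One way a defender can operationalize the four-layer model and catch the cross-layer paths described in both examples (an enterprise host reaching process management software top-down, or something other than the process management level talking to field controllers) is to audit observed network flows against a layer-adjacency policy. The Python below is an added illustration, not code from the presentation or the article; the subnet-to-layer mapping, ports, and flow records are all constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Assumed subnet-to-layer mapping for the four-layer model (constructed for this example).
LAYER_OF_SUBNET = {
    "10.1.0.0/24": 1,   # Control Level: PLCs, sensors, engine controls
    "10.2.0.0/24": 2,   # Process Management Level: SCADA servers, HMIs
    "10.3.0.0/24": 3,   # Operations Management Level: MES
    "10.4.0.0/24": 4,   # Enterprise Level: ERP, workstations, email
}
LAYER_NAME = {1: "Control", 2: "Process Management", 3: "Operations Management", 4: "Enterprise"}

Flow = namedtuple("Flow", "src dst dport")

def layer_of(ip):
    """Map an address to its layer, or None if it is outside the modelled environment."""
    addr = ipaddress.ip_address(ip)
    for net, layer in LAYER_OF_SUBNET.items():
        if addr in ipaddress.ip_network(net):
            return layer
    return None

def check_flow(flow):
    """Return None when the flow respects the policy, otherwise a finding string.
    Assumed policy: a host may talk only to its own layer or an adjacent one,
    and nothing except the Process Management Level may reach the Control Level."""
    s, d = layer_of(flow.src), layer_of(flow.dst)
    if s is None or d is None:
        return f"unmapped host in flow {flow.src}->{flow.dst}:{flow.dport}"
    if d == 1 and s not in (1, 2):
        return f"{LAYER_NAME[s]} host {flow.src} reached Control Level device {flow.dst}:{flow.dport}"
    if abs(s - d) > 1:
        return f"{LAYER_NAME[s]} host {flow.src} skipped layers to {LAYER_NAME[d]} {flow.dst}:{flow.dport}"
    return None

def audit(flows):
    """Run every flow through the policy and collect the findings."""
    return [finding for finding in (check_flow(fl) for fl in flows) if finding]

# Constructed sample flows; not from any real capture.
SAMPLE_FLOWS = [
    Flow("10.4.0.15", "10.3.0.5", 443),  # enterprise -> MES: adjacent, allowed
    Flow("10.3.0.5", "10.2.0.7", 8443),  # MES -> SCADA server: adjacent, allowed
    Flow("10.2.0.7", "10.1.0.9", 502),   # SCADA -> PLC (Modbus/TCP): allowed
    Flow("10.4.0.15", "10.2.0.7", 445),  # enterprise workstation straight to SCADA host: top-down path
    Flow("10.3.0.5", "10.1.0.9", 502),   # MES directly to a PLC: bypasses process management
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

The two flagged flows are exactly the shapes the case studies describe; in practice the flow records would come from firewall logs or a network sensor, and the mapping from an asset inventory.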
Overcoming the Challenges of IT/OT Security
As demonstrated in the examples above, the convergence of IT/OT security has lagged behind the convergence of IT/OT infrastructures. This lag can be attributed to key differences in how OT systems operate compared to IT systems, including:
- Legacy assets and processes are difficult to update to account for today’s connectivity.
- Prioritization of availability and safety over security keeps maintenance windows small or non-existent.
- Geographically dispersed environments make it difficult to centrally manage security.
These differences mean closing the IT/OT security gap is not as simple as porting over IT security principles into the OT environment. Instead, CISOs must create a holistic security program that addresses IT and OT needs. To begin this journey, we recommend, at a high level, these four important steps.
- Define the OT security strategy and governance. Who will be responsible for which parts of the security program? IT or OT?
- Assess OT security risks. What is the impact of a ransomware attack? Data theft? Threats to process integrity?
- Enable communication between OT and IT units. Hold a joint workshop or offsite to share experiences, get to know each other, and understand each other's terminology and priorities.
- Turn it into a win-win for IT and OT. How will OT benefit from the security program? What will the impact be to reliability, control, and visibility?
Get in Touch
For more information about how you can secure your IT/OT environment, visit https://www.kudelskisecurity.com/secure-ot-ics-networks/.