As malware extends its reach from Information Technology (IT) to Operational Technology (OT), the focus has shifted from potential business disruptions to the looming threat of physical harm. The ultimate responsibility for addressing this evolving threat landscape rests squarely on the shoulders of the Chief Executive Officer (CEO). In light of this fundamental transformation in threat vectors and attack strategies, organizations must prioritize asset-centric cyber-physical systems and establish dedicated teams to oversee the monitoring and management of these critical systems.
Traditionally, cybersecurity professionals have honed their skills in safeguarding IT systems against malware and other cyberattacks. However, in recent years, malicious actors have increasingly turned their attention to Operational Technology (OT) systems.
But what exactly is OT? According to the UK’s National Cyber Security Centre (NCSC), OT encompasses “technology that interfaces with the physical world and includes Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), and Distributed Control Systems (DCS).” So, why has OT become a prime target? The answer is straightforward: while it is connected to the organization’s network, OT is generally not under the purview of the IT team.
Why does this present a challenge for stakeholders? While IT and cybersecurity teams often have established protocols and schedules for vulnerability assessments, regular software and firmware updates from vendors, and configuration reviews, a similar level of rigor is usually lacking in the teams responsible for operating OT equipment.
Several factors contribute to this disparity. For example, the network connectivity and operating software of OT equipment typically constitute a small portion of the broader engineering knowledge required for operating such equipment. If, for instance, you specialize in boiler maintenance within a large engineering facility, your training likely emphasizes diagnosing gas flow issues or changing oil pumps rather than comprehending the risks associated with connecting the boiler to the company’s LAN. Do routine boiler inspections include checking the vendor’s website for security-related software updates? Ideally, they should, but the reality often falls short. The problem is compounded on the manufacturers’ side: many non-IT devices receive far less software support and vulnerability management than mainstream applications or operating systems do.
OT systems frequently rely on outdated operating system versions. For instance, a report by Palo Alto Networks revealed that 83% of medical imaging devices operate on unsupported operating systems. This poses a significant challenge, particularly since around 72% of healthcare organizations interconnect IT and non-IT devices on the same network segments. Upgrading the operating system is not always a straightforward solution, as application software may depend on deprecated software libraries or hardware drivers from earlier OS versions.
In cases where complex industrial systems receive support from their vendors, they often feature out-of-band connectivity, enabling remote management and diagnostics by the vendor. Unfortunately, it’s not uncommon to witness remote attacks on company systems exploiting these remote access features designed to facilitate vendor communication. If the vendor can establish a connection, so can malicious actors.
What steps can we take to mitigate the growing risks to OT systems? Cybersecurity professionals dealing with OT systems should implement three essential measures. First, there should be no distinction between IT and OT concerning connectivity and security. The IT- and security-related aspects of designing and implementing OT equipment should undergo the same rigorous scrutiny, design approvals, and change control processes as new servers. While an approval process for out-of-band vendor connectivity may be necessary, the preferable approach is to prohibit it entirely. Instead, it is more prudent to use connectivity provided by the IT department through controlled firewalls, with connections disabled by default and enabled only upon request.
Second, all OT equipment should be treated as untrusted. Just as we deploy firewalls between the company network and the internet because the internet is not trusted, and just as servers’ out-of-band management adaptors are isolated in separate network segments so that a compromised user login cannot become a high-privilege attack vector, we must safeguard the IT network from vulnerabilities originating in OT systems. That means adopting a robust regimen of applying updates, installing patches, and conducting regular configuration and log reviews, similar to standard IT practice. Consideration should also be given to disabling external connectivity altogether, as the risk of leaving a remote path open may outweigh the inconvenience of waiting for an on-site engineer.
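The two measures above (controlled firewalls with vendor access disabled by default and granted on request, and isolation of both the OT segment and out-of-band management adaptors) can be expressed directly as a default-deny edge policy. The following is an added example written for this article, not the author’s own configuration; it uses nftables, and every address, segment and port in it is a constructed assumption.

```shell
#!/bin/sh
# Added example: default-deny nftables policy for an OT edge firewall.
# All addresses below are constructed for illustration:
#   10.10.0.0/16  OT devices (boilers, PLCs, imaging systems)
#   10.20.0.0/24  server out-of-band management adaptors
#   10.30.0.0/16  IT user network; 10.30.0.5 = log collector, 10.30.0.20 = admin jump host
#   203.0.113.10  vendor jump host (RFC 5737 documentation range)
# Apply with:  ot_edge_ruleset | nft -f -   (needs root and nftables installed)
ot_edge_ruleset() {
cat <<'EOF'
table inet ot_edge
flush table inet ot_edge
table inet ot_edge {
    # A vendor path exists only as a set element, and each element carries its own expiry.
    set vendor_grants {
        type ipv4_addr . ipv4_addr . inet_service
        flags timeout
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        # OT devices may only ship syslog to the collector; nothing else reaches IT.
        ip saddr 10.10.0.0/16 ip daddr 10.30.0.5 udp dport 514 accept
        # Out-of-band management adaptors are reachable solely from the admin jump host.
        ip saddr 10.30.0.20 ip daddr 10.20.0.0/24 tcp dport { 22, 443 } accept
        # The vendor reaches one device:port only while a matching grant element exists.
        ip saddr . ip daddr . tcp dport @vendor_grants accept
        # Everything else, including IT users to OT, is logged and dropped.
        log prefix "ot_edge drop: " counter drop
    }
}
EOF
}

# Print the one-off nft command that opens a vendor path for a fixed duration;
# the element expires on its own, so "disabled by default" needs no manual cleanup.
# usage: vendor_grant <vendor_ip> <ot_device_ip> <port> <duration, e.g. 4h>
vendor_grant() {
    printf 'add element inet ot_edge vendor_grants { %s . %s . %s timeout %s }\n' \
        "$1" "$2" "$3" "$4"
}
```

Run `vendor_grant 203.0.113.10 10.10.3.7 22 4h | nft -f -` when a vendor request is approved; the path closes itself after four hours and the drop log records anything attempted outside that window.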
Finally, it is imperative to recognize the risks posed by OT devices. While boilers were mentioned earlier, a wide array of large and potentially hazardous devices, such as industrial plants, medical systems, and chemical pipelines, exist within organizational infrastructures. Even inadvertent software bugs have been known to cause harm, making deliberate attacks on OT systems an even greater threat.
While OT systems may appear to have lower connectivity and exposure levels compared to IT, the diminishing security scrutiny and increasing targeted attacks demand proactive measures to maintain risk within acceptable limits.