Operational technology (OT) doesn’t get a lot of airtime in the cybersecurity industry. But cyberattacks targeting these systems have the potential to cause havoc with the critical national infrastructure (CNI) that relies on them to operate.
Unfortunately, a new report highlights that many OT devices are “insecure by design.” It found 56 bugs in products from 10 vendors, some of which are rated critical. Until manufacturers start building more secure OT products, the organizations running them should familiarize themselves with the threat landscape, security solutions, and best practice mitigations (e.g., network segmentation, correct firewall configuration, secure remote access, access control).
The report in question collectively named the vulnerabilities “OT:Icefall.” It said they impacted 324 of its customers globally, although the real figure will be much higher. The products are popular in sectors such as oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and building automation. They include programmable logic controllers (PLCs), supervisory control and data acquisition (SCADA) systems, building controllers, and other key bits of software used in industrial environments.
OT environments are now typically connected to the internet. Anyone could theoretically attack them remotely and cause outages.
Thanks to digital transformation initiatives across CNI sectors, OT environments are now typically connected to the internet, and this connectivity means anyone could theoretically attack them remotely and cause outages. That’s a big risk, especially when the quality of security controls and engineering in such systems is often lagging. It’s even less comfort to know that some of the industry’ biggest names were among those found to be running vulnerable products: Bently Nevada, Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa.
Good to Know: In the high profile Colonial Pipeline ransomware attack threat actors used a leaked password found on the dark web to trigger the shutdown of Colonial's operational technology (OT) systems and 5,550 miles of pipe. This incident highlights the need for cybersecurity threat awareness, a robust security posture, and an incident response plan.
According to the report, there were four key categories of vulnerability:
It said the impact of each bug will vary depending on the functionality of the device it is found in. However, the most common types enable attackers to compromise credentials (38%), either because they’re stored or transmitted insecurely.
The most common types of bugs enable attackers to compromise credentials (38%), either because they’re stored or transmitted insecurely.
Rounding out the top five are:
Recommended Reading: ICS security is a major segment within the operational technology sector. It comprises systems that are used to monitor and control industrial processes. Click through to learn How To Close the Internet of Things (IoT) Security Gaps In Your Industrial Control System (ICS) Networks.
For many years, OT software benefitted from the concept of “security by obscurity.” It was thought that because there were so many siloed and specialized systems from different manufacturers, often air-gapped from the internet, that it was not worth the effort for hackers to try and compromise them. However, the ROI of attacks is changing. As mentioned, these systems are now more often than not internet-connected, making them more accessible. They might also contain more standardized components, further simplifying the process of researching attacks. And bad actors can benefit from the increasing volume of security research and threat intelligence available online.
Bad actors can benefit from the increasing volume of security research and threat intelligence available online.
The problem is that OT manufacturers don’t seem to have caught up to this new reality. Instead of building security in from the design phase on, they’re allowing dangerous vulnerabilities to make it through to production. One of the bugs highlighted by the report gets a massive 9.8 CVSS score.
Instead of building security in from the design phase on, OT manufacturers are allowing dangerous vulnerabilities to make it through to production.
The report’s authors also revealed that most (74%) of the vulnerable products they found had received some form of security certification. That’s despite the fact that the majority of the issues it uncovered should have been found relatively quickly during “in-depth vulnerability discovery.” Something is clearly going wrong somewhere. Many of these issues were also not officially assigned CVE numbers, making it difficult for asset owners to conduct effective risk management. These are all industry-wide challenges which could take a long time to fix, if at all.
Recommended Reading: Is some, or all, of your job overseeing an OT network? Has IT/OT convergence expanded your responsibilities to both IT networks and OT? See how CloudConnexa helps you establish reliable OT secure networking here.
Vulnerabilities have already been exploited to devastating effect, in attacks designed to sabotage industrial equipment and processes.
Yet there is an urgency that progress is made. Why? Because such vulnerabilities have already been exploited to devastating effect, in attacks designed to sabotage industrial equipment and processes. These include:
The report warned that offensive capabilities leveraging weaknesses in OT software could be more feasible than thought today. It said OT-focused malware “could be developed by a small but skilled team at a reasonable cost.”
Recommended Reading: Industry 4.0 is powered by OT and IIoT devices. Learn more about mitigating cyber threats and vulnerabilities in the Industry 4.0 Age in Cybersecurity for Manufacturing Industry RegulatorCloudy Compliance.
The change needed to address the OT threat will require vendors to build better vulnerability management programs and address new vulnerabilities and security issues earlier on in their development pipelines. But customers of OT products don’t have the luxury of time, as the above attacks show. In the meantime, they can take steps to reduce the potential impact of attacks by following some industry best practices, including:
Customers of OT products don’t have the luxury of time, but they can reduce the potential impact of attacks by following some industry best practices.
OT systems run the world. It’s time we address the expanded attack surface and security risks that come with them.