By Christopher Dobrec, Vice President of Product Marketing at Armis
Operational Technology (OT) systems, which include critical infrastructure, are increasingly becoming more exposed to cyber-attacks. The control and telemetry systems used in industrial plants and manufacturing environments are being connected to traditional enterprise IT networks like Ethernet or Wi-Fi. Meanwhile, device manufacturers are building OT devices and control systems on top of common operating systems such as Windows, Linux, Android, and VxWorks.
Compounding this issue is the fact that traditional consumer-centric connected devices are being brought into industrial and manufacturing environments. For example, as Ford starts to consider how manufacturing workers can return to plants following the COVID-19 impact, it’s testing wearable devices that would buzz when employees are closer than 6 feet apart.
These developments make control systems vulnerable to the same kind of attacks used to compromise devices on corporate IT networks. Recent attacks on industrial control systems (ICS) and OT environments illustrate the damage that these threats are already having. WannaCry and NotPetya malware had major impacts on manufacturing companies like Merck, causing hundreds of millions of dollars in quarterly losses due to production downtime, in addition to the loss of customer satisfaction due to missed shipments. After suffering a WannaCry attack across its worldwide network, A.P. Moller – Maersk, one of the world’s largest shipping conglomerates, lost communication with its OT network, shutting down entire ports.
In another example, the digital systems at the smelting plants of Norsk Hydro, one of the world’s largest aluminum producers, were shut down after the firm was attacked by LockerGoga. Norsk Hydro reportedly lost $40 million because of the incident, and aluminum prices were driven to a three-month high.
In order to mitigate these new threats, organizations must understand two major challenges to securing these environments and evolve their security strategies to secure and manage connected devices across both industrial and IT environments.
Connected OT Devices are Un-Agentable
The growing trend in manufacturing and industrial plants is to connect OT devices directly to the enterprise network. But one of the main challenges is that these devices often have no built-in security and cannot be protected with traditional security tools like agents used by enterprise security teams. These devices were not initially designed to be installed on the enterprise network, however, the convergence of IT and OT networks has made this a reality. Because these devices can’t run agent software, security teams have no visibility into whether device behavior is abnormal or malicious and could indicate a risk.
OT Device Vulnerabilities Are Increasing
While OT devices become more accessible to cyber attackers, they’re also increasingly vulnerable to attack. Based on ICS-CERT’s advisory page, which lists a large number of vendors that have disclosed vulnerabilities, public vulnerability advisories continue to increase year over year. There were 204 advisories in 2018, an increase of 25% compared to 2017. Over half of the ICS-related vulnerabilities reported in 2018 rated high in terms of severity level. These vulnerabilities exist in field devices, human-machine interface systems, and engineering workstation software.
In 2019, a set of 11 zero-day vulnerabilities was discovered, dubbed Urgent11, that impact seven common real-time operating systems, including VxWorks® by Wind River. These systems are widely used by SCADA systems, industrial controllers, firewalls, routers, satellite modems, VoIP phones, printers, and many other devices. Urgent11 could allow attackers to remotely exploit and take over mission-critical industrial devices, resulting in costly disruption of essential processes.
It’s clear that as these vulnerabilities grow, manufacturing and industrial leaders must devote greater attention to securing their environments.
A Different Approach to OT Security
Industrial and manufacturing organizations need a security strategy that is specifically tailored to all devices across OT and IT environments. This approach could better protect essential tools and processes with the following focus areas:
- Agentless. Most OT enterprise IoT devices, such as SCADA systems, PLC’s, RTU’s, HMI’s and engineering workstations, cannot accommodate security agents, so a security strategy should be able to function without relying on these agents.
- Passive. A security strategy that uses network scans or probes can disrupt or even crash OT devices, which would interfere with important industrial control operations like plant operations. A strong system should be able to function using only passive technologies.
- Comprehensive security controls. A security strategy designed to mitigate risks in an OT environment should have the same outcomes as one designed for IT devices. These outcomes are listed in security frameworks such as the NIST Cybersecurity Framework (CSF) or the Center for Internet Security Critical Security Controls (CSC). In the IT world, this typically requires the use of several different security tools. For the OT environment, it would be desirable to obtain comprehensive coverage of the required security controls using as few tools as possible.
- Comprehensive device coverage. A comprehensive security strategy will encompass all managed, unmanaged, or industrial IoT devices in the enterprise—from the manufacturing floor to the executive suite—because, in an interconnected environment, you can’t secure OT unless you secure IT along with it. The security platform should work for all types and brands of industrial control systems, along with other kinds of devices common to the enterprise such as HVAC systems, IP security cameras, fire alarm systems, building access management systems, switches, firewalls, wireless access points, printers, and more.
- Comprehensive communication coverage. The strategy should be able to directly monitor all communication pathways that could be used in a cyberattack, including Ethernet, Wi-Fi, Bluetooth, BLE, and possibly other wireless protocols such as Zigbee. Wireless coverage is important because attackers can exploit vulnerabilities such as BlueBorne, KRACK, and Broadpwn to compromise OT devices wirelessly, without any user interaction.
Protecting OT devices from a growing list of cyber attacks and vulnerabilities brings many challenges, but can be achieved with the right focus, backed by the right tools. What’s clear is that industrial and manufacturing organizations cannot use traditional methods to secure OT devices being used in non-traditional ways. As these essential devices continue to be integrated into enterprise networks, a new approach must be used to keep them from being exploited and, ultimately, leaving valuable processes at risk of disruption.
About the Author
Chris Dobrec, Vice President of Product Marketing, Armis.As Vice President of Product Marketing, Chris is responsible for Armis’ product marketing strategy and vision. He is a seasoned product and business development executive leading teams through the development and marketing of exceptional products and cutting-edge technologies across enterprise and consumer market segments. Prior to Armis, Chris held executive management roles in product management, product marketing, and business development at MobileIron, Cisco, Nokia, Ipsilon Networks, and Kalpana. Chris’ journey to Silicon Valley started after leaving college early to pursue his passion for building great products. He can be reached by Armis’ company website at www.armis.com.