In a recent Operational Technology (OT) cyberattack, Monero cryptocurrency mining malware was discovered in the ICS network of a water utility company in Europe. The company found the malware during a routine monitoring check of its OT network and confirmed that it had infected five servers, including the Human Machine Interface (HMI), which is used to control and manage the physical components of OT networks. This attack provides further evidence that OT networks are not simply vulnerable, but are actually easy targets.
The Post-Stuxnet OT Cyberattack Era
I believe that we can divide OT attacks into two eras: before Stuxnet and post-Stuxnet. The infamous worm was a fully loaded weapon made entirely of code. Even nine months after its first public appearance, the original source code was still capable of shutting down oil pipelines and crashing power grids, and even nuclear facilities. The Stuxnet OT cyberattack added an entirely new battlefield to modern warfare.
The global cybersecurity community was instantly sensitized to the new reality in which such attacks were now a possibility. The question being asked repeatedly was not only who designed this worm, but whether there would be more such OT cyberattacks in the future. Suddenly every power plant, transportation system and water system became a potential target of cyber warfare. Stuxnet was then followed by a series of attacks on SCADA/ICS networks, confirming that a new age of OT cyberattacks had been ushered in. Today, most SCADA/ICS networks are susceptible to such attacks.
Since Stuxnet, more OT cyberattacks have popped up: DuQu, Shamoon, the German steel mill, the Ukraine blackout, BlackEnergy, WannaCry and NotPetya, to name a few. US-CERT has also released many Technical Alerts (TA) over the years. The one that interests me most is TA18-074A (Dragonfly). This technical alert confirms that the Russian government is involved in malicious cyber activity targeting energy and other critical infrastructure in the U.S., Turkey and Europe. The more interesting thing about Dragonfly is that it took the attackers almost two years to successfully launch this OT cyberattack. This means the adversaries are carefully planning, preparing and launching attacks with plenty of funds and patience. Some ransomware, such as NotPetya, was not intended to collect ransom or halt operations, but to sabotage the entire critical infrastructure.
OT cyberattacks have targeted critical infrastructure, where there is a high risk to human lives and zero tolerance for downtime. These targeted attacks are customized and use multiple zero-day exploits capable of debilitating a nation's critical infrastructure.
In my role at Cyberbit, I have met with many customers responsible for the security of SCADA/ICS networks. Their networks all have common traits and share common challenges. From what I have seen, the state of OT security is roughly a decade behind that of IT networks. Traditionally, OT network managers' main concern has been keeping operations online, without disruption. They obsessed over availability and control of operations, not confidentiality and security. This approach made sense back when most OT networks (SCADA, HMI, Historian server, OPC server, etc.) were completely air-gapped and had no external internet communication. No internet exposure meant very little risk of cyberattack. But today OT networks have adopted smart manufacturing processes (Industry 4.0), converged with the IT network and integrated many internet-connected devices, exposing them to all the same vulnerabilities as IT networks. Now OT managers find themselves rushing to play catch-up and get their cybersecurity house in order.
SCADA/ICS protocols were not built with security in mind. There is simply no authentication between master and slave, HMI and PLC or PLC and sensor. It is very easy to alter the parameters of the protocol and change the values. In 2011, hackers gained access to a water pump in the U.S. and changed the chemical quantities of the water purification process. A few changes in the parameter can create a mass disturbance or even lead to deadly results.
OT networks also suffer a long patching lag: most haven't been patched for more than five years and run on legacy operating systems. This is because upgrading them without disruption is close to impossible.
Most SCADA systems I have seen within customers' networks are heterogeneous. They use different vendors for different purposes and each vendor uses their own proprietary protocols or changes parameters within the protocols. It is very challenging to identify and keep track of all these protocols and the communication parameters within the protocols.
Preventing the next OT cyberattack
Who should be responsible for upgrading and managing the cybersecurity of converged IT/OT networks? Should IT teams expand their security scope and budgets to include OT security? Or is it best to invest the resources in developing a distinct OT security?
Since the networks are converged, they must be managed by a single, converged security policy that is executed cooperatively. That said, most attacks on the OT network originate in the IT network. IT departments already have substantial experience and expertise defending against cyberattacks, so they naturally bring important skills to the team. Thus, the responsibility for securing these systems and integrating these assets with the IT assets falls largely on the shoulders of IT teams. IT security teams have evolved over the years, are experienced in tackling attacks and are better equipped than their OT counterparts. They can leverage this experience and expertise to secure OT networks.
SCADA/ICS networks can be secured without disrupting the production network by pre-planning and implementing better coordination among teams. The integration will include complete visibility of the IT and OT networks and unified security policy across the organization.
While NIST Special Publication 800-82r2 provides a detailed and complete guide to establishing and securing ICS networks, I would urge organizations to also consider the bullet points below when drafting their ICS security controls and policies. Once you have the green light from the C-level executives, I recommend that the first step in the integration process always be a security awareness program for the OT team.
- Security Awareness Training
Security awareness training for the OT team is very important, as most OT cyberattacks now use either spear phishing, watering hole attacks, or a mix of both. The training also brings the whole team together and helps get the entire OT team on board. The training should cover OT cyberattack vectors along with regular IT attack vectors.
- Network Segmentation
Once adversaries get a foothold in the OT network, they have complete control of it, because the OT network architecture is completely flat. Hence network segmentation is a crucial part of the plan. The network should be segmented so that IOCs (indicators of compromise) can be identified easily and attacks contained. Within the segmentation, critical components must be separated from non-critical ones. The architecture should segment safety devices, devices which must be available at all times, and devices which are used to gather data and control other devices. If your OT network provides access to vendors and third parties, be aware that the remote connection should never terminate directly in the OT network. These connections should be authenticated, authorized and always monitored for any malicious changes.
- Asset Management and Monitoring
Like IT asset management, OT asset management is critical to all organizations. The asset inventory must show the make, model, current firmware and the list of vulnerabilities present on each device. I firmly insist that critical infrastructure organizations invest in GDPI (Granular Deep Packet Inspection) capable products. The product should identify protocols and build an automatic baseline based on them. It should be able to measure packet rates and alert administrators when unusual traffic is passing through the network; this is how the Monero crypto mining malware was discovered in the first place. The product should also be able to identify both known and unknown threat vectors and flag any unknown assets which try to manage or change configurations.
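The two points made above, that SCADA/ICS protocols carry no authentication between master and slave and that a GDPI product should learn a baseline and flag unusual rates and unknown assets, can be illustrated with Modbus/TCP. The Python below is an added example written for this page; it is not code from the original post or from any Cyberbit product. It decodes the public Modbus/TCP framing (MBAP header plus function code), learns a per-source packet-rate baseline from normal polling, and then alerts on write commands from hosts that are not in the asset inventory or not permitted to write, on malformed frames, and on a source exceeding its learned rate. The inventory, IP addresses and frames are constructed sample data.

```python
import struct
from collections import defaultdict, namedtuple

# Public Modbus function codes that alter coils/registers, i.e. process values.
# The protocol carries no authentication of who sends them.
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# ts = capture time in seconds, payload = MBAP header + PDU
Frame = namedtuple("Frame", "ts src dst payload")


def parse_modbus_tcp(payload):
    """Decode the 7-byte MBAP header; return (unit_id, function_code, data) or None."""
    if len(payload) < 8:
        return None
    _trans, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:   # length counts unit id + PDU
        return None
    return unit_id, payload[7], payload[8:]


def build_frame(ts, src, dst, unit_id, fc, data=b""):
    """Construct a well-formed Modbus/TCP frame for the constructed sample traffic."""
    pdu = bytes([fc]) + data
    return Frame(ts, src, dst, struct.pack(">HHHB", 1, 0, len(pdu) + 1, unit_id) + pdu)


def per_second(frames):
    """Packet count per (source, one-second window)."""
    counts = defaultdict(int)
    for f in frames:
        counts[(f.src, int(f.ts))] += 1
    return counts


class OtInspector:
    """Asset-aware inspector: known assets, who may write, learned rate baseline."""

    def __init__(self, inventory, write_allowed, rate_factor=3.0):
        self.inventory = inventory          # ip -> asset description
        self.write_allowed = write_allowed  # ips permitted to issue write codes
        self.rate_factor = rate_factor
        self.baseline = {}                  # ip -> busiest one-second window seen

    def learn(self, frames):
        for (src, _sec), n in per_second(frames).items():
            self.baseline[src] = max(self.baseline.get(src, 0), n)

    def inspect(self, frames):
        """Return (ts, src, kind, detail) alerts for the given frames."""
        alerts = []
        for f in frames:
            if f.src not in self.inventory:
                alerts.append((f.ts, f.src, "UNKNOWN_ASSET", f"talking to {f.dst}"))
            decoded = parse_modbus_tcp(f.payload)
            if decoded is None:
                alerts.append((f.ts, f.src, "MALFORMED", "bad MBAP header"))
                continue
            unit_id, fc, _data = decoded
            if fc in WRITE_CODES and f.src not in self.write_allowed:
                alerts.append((f.ts, f.src, "UNAUTHORIZED_WRITE",
                               f"{WRITE_CODES[fc]} to {f.dst} unit {unit_id}"))
        # Unknown sources have no baseline and were flagged above already.
        for (src, sec), n in sorted(per_second(frames).items()):
            base = self.baseline.get(src)
            if base and n > self.rate_factor * base:
                alerts.append((float(sec), src, "RATE_ANOMALY",
                               f"{n} pkt/s vs baseline {base} pkt/s"))
        return alerts


# Constructed inventory and traffic; addresses and devices are made up.
PLC, HMI, HIST = "10.10.2.20", "10.10.1.5", "10.10.1.8"
INVENTORY = {HMI: "HMI operator station", HIST: "Historian", PLC: "PLC, pump station"}
WRITE_ALLOWED = {HMI}


def baseline_traffic():
    """Ten seconds of normal polling: HMI reads twice a second, historian once."""
    frames = []
    for sec in range(10):
        frames += [build_frame(sec + 0.1 * k, HMI, PLC, 1, 3, b"\x00\x00\x00\x0a") for k in range(2)]
        frames.append(build_frame(sec + 0.5, HIST, PLC, 1, 4, b"\x00\x00\x00\x04"))
    return frames


def suspicious_traffic():
    frames = [
        build_frame(100.0, HMI, PLC, 1, 3, b"\x00\x00\x00\x0a"),             # normal poll
        build_frame(100.2, HMI, PLC, 1, 6, b"\x00\x01\x00\x64"),             # operator setpoint, allowed
        build_frame(101.0, "10.10.9.77", PLC, 1, 16, b"\x00\x01\x00\x01\x02\x03\xe8"),  # unknown host writes
        build_frame(102.0, HIST, PLC, 1, 6, b"\x00\x01\x00\x00"),            # historian should only read
        Frame(103.0, HIST, PLC, b"\x00\x01\x00\x00\x00\x06\x01"),            # truncated frame
    ]
    # Historian bursts 40 frames in one second against a learned baseline of 1/s.
    frames += [build_frame(104 + i / 40, HIST, PLC, 1, 4, b"\x00\x00\x00\x04") for i in range(40)]
    return frames


def run_demo():
    inspector = OtInspector(INVENTORY, WRITE_ALLOWED)
    inspector.learn(baseline_traffic())
    return inspector.inspect(suspicious_traffic())
```

Calling `run_demo()` yields five alerts: the unknown host is reported both as an unknown asset and for its unauthorized write, the historian is reported for writing a register it should only read, the truncated frame is reported as malformed, and the historian's burst is reported as a rate anomaly. The point of the write check is the one the post makes: because the PLC itself accepts any well-formed write, an authorization decision has to be made by something that knows the asset inventory, and the rate baseline is what surfaces a misbehaving server even when every individual frame is legitimate.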
One does not have to be specifically targeted to be a victim of an OT cyberattack. We must learn lessons from our allies who have fallen victim to targeted attacks and implement the necessary security controls as soon as possible. A deliberate or unintentional cyber threat could cause a ripple effect and financial loss averaging $11.4M per incident, according to the Accenture 2017 Cost of Cyber Crime Study. The priorities and fundamentals of OT differ from those of IT, and this could potentially lead to conflicts between the teams. Protection is important, but production delays cause immediate business loss. Hence IT and OT teams must have a cohesive and coordinated plan to implement security while addressing the operational priorities of both. Indeed, the common goals of both teams are to innovate and increase efficiency, protect the network, and grow the business. Moreover, IT policies cannot simply be taken as-is and extended to OT operations. We all must agree that Rome was not built in a day. This is a full lifecycle and a new arena for both IT and OT teams, but we must start the process without delay. Kick off your IT/OT security plan today and avoid being a sitting duck in the next OT cyberattack!
Ravindra Krishna, CISSP, is a Presales Engineer for India & SAARC at Cyberbit, a provider of IT/OT security solutions and a subsidiary of defense technology leader Elbit Systems (NASDAQ: ESLT).