Cyber-attacks on industrial control systems (ICSs) are no longer a hypothetical. As pieced together by the Wall Street Journal, in 2017, Russian hackers attacked a small construction company, exploiting the organization’s connections with utilities and government agencies. Through an integrator, the hackers accessed computer-network credentials, giving them the ability to get into computer systems that monitor and control electricity flow.
The most alarming part of the report revealed that the Russian hackers likely remain inside some systems, undetected and lying dormant until receiving further orders.
Knowing that bad actors may exist within critical systems, what can be done? How can organizations protect themselves from an imminent attack, preventing disruptions to critical systems communications and operations?
OT-IT Convergence Gives Attackers the Upper Hand
Traditionally, operational technology (OT) systems within ICSs ran on proprietary networks, used proprietary equipment, and were logically isolated, or air-gapped, from the corporate IT infrastructure. This set-up made them less efficient than many modern solutions—but also exponentially harder to breach than widely connected IT networks.
Fast forward to today, and interconnected industrial environments have given attackers the upper hand. These decades-old, proprietary systems, which were never intended to be connected or secured, are now increasingly connected without the ability to uphold standard IT security best practices.
Leaving a Back Door Open for Attacks
Industrial organizations represent tremendous economic value and contain high volume transactions. Networks within these companies are traditionally dispersed, with multiple service providers accessing equipment that effectively opens a back door to adversaries. Often, these adversaries look specifically for vendors who have extensive access to critical infrastructure networks and who are lacking strong security.
Even today, ICS networks are typically flat and widely open. They often have weak or limited authentication protocols in place and don’t encrypt communications. Field sites are commonly equipped with remote access capabilities to allow vendors and operators to perform remote diagnostics and monitoring, usually over a poorly secured connection.
The reality is that even the best and most widely used cybersecurity tools are ineffective for most OT infrastructure. Network intrusion detection systems (IDS) and firewalls, for example, depend upon detecting anomalous behavior in standard protocols and applications, yet OT infrastructure is rife with proprietary operating systems, applications and protocols. Plus, IDS alert organizations about networks that have already been breached—typically, the damage is already done, and the remedial action is disruptive and expensive. IDS can also create false positives, blocking acceptable actions that the tools deem anomalous. This could lead to legitimate control commands being blocked, such as a command to open a dam gate or to adjust the temperature of a plant floor to an acceptable level.
Vigorous patch management, while widely considered one of the most effective preventative measures among IT security professionals, has also proven ineffective. In order to patch a system, operators need to take it offline, which could take as long as several months for OT systems. Imagine a power company announcing an extensive planned power outage to support patching requirements. It simply cannot happen.
A Cyber Threat Awakening
The cyber security narrative for industrial organizations is evolving, shifting from a hypothetical view of “if we get hacked” to “when we get hacked.” Organizations must shift from reactive to proactive security, isolating and containing OT from the IT networks, making it invisible to hackers.
Considering bad actors are likely already within critical systems, organizations should isolate potentially infected networks from uninfected networks to limit exposure. True isolation and containment, coupled with granular access control and session authentication, can cut off adversaries’ access to command and control channels, limiting the effects of the intended attack.
What’s needed is a defense-in-depth strategy that includes two or more differing security tools—dramatically increasing the effectiveness of cybersecurity programs. Here’s how to get started:
- Identify what’s in your network: Identify the variety of systems, protocols and operating systems within your environment and establish what systems and users are communicating. This involves gaining an understanding of the OT network topology in order to better protect these systems.
- Provide robust protection for all network communications: Once the network topology is mapped out and all potentially vulnerable systems are identified, organizations should segment the network into secure zones so that unauthorized access isn’t permitted. Forward-thinking security professionals within industrial organizations should go beyond implementing standard firewalls and VPNs that contain critical flaws in their design. Instead, implement a hardened system that isolates networks using robust authentication and encryption before any packet is ever sent across the internet, to avoid common man-in-the-middle vulnerabilities.
- Implement strong two-factor authentication. The National Institute of Standards and Technology (NIST) recommends the use of strong two-factor authentication for all human remote access to OT infrastructure, as well as using credentials different than those used by the organization’s IT systems. This prevents the potential theft of low-grade credentials, such as passwords, from third-party systems tied to OT vendors, as well as the possibility of stolen IT credentials being used by attackers to access the OT systems, as was the case in the Ukraine power grid attack of 2015.
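The first two steps above, inventorying what talks to what and then checking those conversations against a zone-segmentation policy, can be turned into a repeatable audit. The following is an added example, not code from the article or from Blue Ridge Networks: it reads constructed passive flow records (source, destination, destination port, transport), names the ICS protocol by its well-known default port (an assumption; sites that run services on non-default ports would need their own mapping), assigns each endpoint to a zone from an assumed address plan, and reports every cross-zone conversation the policy does not permit. Zone names, address ranges and the allowed-pair table are all hypothetical.

```python
"""Constructed OT inventory and segmentation audit (added example)."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed sample flow records: src,dst,dst_port,proto. Not from any real site.
FLOWS = """
10.10.1.5,10.20.3.7,502,tcp
10.10.1.5,10.20.3.8,502,tcp
10.10.1.9,10.20.3.7,20000,tcp
192.168.50.4,10.20.3.7,502,tcp
10.30.0.12,10.20.3.9,44818,tcp
10.10.1.5,10.20.3.7,22,tcp
172.16.0.1,10.20.3.7,502,tcp
"""

# Well-known default ports of common ICS protocols (assumption: defaults are in use).
ICS_PORTS = {102: "S7comm", 502: "Modbus/TCP", 4840: "OPC UA",
             20000: "DNP3", 44818: "EtherNet/IP"}

# Hypothetical address plan: which subnet belongs to which security zone.
ZONES = {
    "scada_hmi": ipaddress.ip_network("10.10.1.0/24"),
    "field_devices": ipaddress.ip_network("10.20.3.0/24"),
    "corporate_it": ipaddress.ip_network("192.168.50.0/24"),
    "vendor_remote": ipaddress.ip_network("10.30.0.0/24"),
}

# Hypothetical policy: the only cross-zone pair allowed, and on which ports.
ALLOWED = {("scada_hmi", "field_devices"): {502, 20000}}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text):
    """Parse the CSV-style flow records, skipping blank and comment lines."""
    flows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto = (f.strip() for f in line.split(","))
        flows.append(Flow(src, dst, int(dport), proto.lower()))
    return flows


def zone_of(ip):
    """Return the zone name for an address, or None if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def service_name(flow):
    """Name the protocol by default port; fall back to transport/port."""
    return ICS_PORTS.get(flow.dport, f"{flow.proto}/{flow.dport}")


def build_inventory(flows):
    """Step 1: which services each destination host is seen answering."""
    inventory = defaultdict(set)
    for f in flows:
        inventory[f.dst].add(service_name(f))
    return {host: sorted(services) for host, services in inventory.items()}


def audit_segmentation(flows):
    """Step 2: list (flow, reason) for every conversation the policy rejects."""
    findings = []
    for f in flows:
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        if src_zone is None or dst_zone is None:
            findings.append((f, "endpoint outside every known zone"))
            continue
        if src_zone == dst_zone:
            continue  # intra-zone traffic is out of scope for this policy
        allowed_ports = ALLOWED.get((src_zone, dst_zone))
        if allowed_ports is None:
            findings.append((f, f"zone pair {src_zone}->{dst_zone} not permitted"))
        elif f.dport not in allowed_ports:
            findings.append((f, f"{service_name(f)} not permitted {src_zone}->{dst_zone}"))
    return findings


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    for host, services in build_inventory(flows).items():
        print(f"{host}: {', '.join(services)}")
    for flow, reason in audit_segmentation(flows):
        print(f"VIOLATION {flow.src} -> {flow.dst}:{flow.dport} ({reason})")
```

Run against the constructed records, the inventory shows the field controller at 10.20.3.7 answering Modbus/TCP, DNP3 and SSH, and the audit flags four conversations: the corporate workstation and the vendor host reaching field devices directly, the HMI opening SSH to a controller, and a source that belongs to no defined zone. In practice the flow records would come from a passive tap or switch-port mirror, so the audit runs without touching the OT devices themselves.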
When done right, segmentation shouldn’t sacrifice productivity or reliability in order to enhance security. Critical infrastructure should be protected without impacting day-to-day operations, and organizations can trust they are taking the steps needed to protect ICS from the very real and looming threats — providing attack prevention for networks where breaches are simply not an option.
—Brandan Lickey is a Cyber Solutions Specialist at Blue Ridge Networks.