Many enterprises in verticals such as power and energy, oil and gas, healthcare, and manufacturing have been playing catch up over the past decade in terms of securing their operational technology (OT) networks against cyberattacks. For years, industrial asset owners didn’t consider their OT environment to be a significant security risk.
But, due to extensive digital transformation initiatives, many industrial enterprises now have deeply integrated IT/OT environments whose centralized security ownership falls under the CISO. As a result, security teams must address not only the vulnerabilities within the OT environment itself, but the ways in which adversaries compromise and traverse the IT network to gather information and gain access to OT control and safety systems. Things have changed and there is a lot of ground to make up quickly.
To help, we’re launching a blog series that explores the challenges, best practices, and key considerations for validating security controls in converged OT/IT environments. In our first post below, we’ll address some of the basic questions we often get from those who are still relatively new to the OT environment. In later installments, we’ll cover more advanced topics, including specific use cases and model reference architectures.
What OT Is
Before we get ahead of ourselves, let’s level-set with a basic definition of OT. Gartner defines it as “hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events.” Think of it as the network and devices that monitor and control manufacturing and production processes like pumps and valves at a water filtration plant or robotic welders on an automotive assembly line.
A basic OT network might consist of engineering workstations networked with human-machine interfaces (HMIs) and programmable logic controllers (PLCs), which in turn control assets like sensors, pumps, valves, actuators, and all manner of Internet of Things (IoT) devices that drive industrial processes.
No Risk Perceived for OT Networks
Decades ago, when industrial processes were first automated, maximizing uptime and productivity were the primary design objectives, and cybersecurity was not a major concern. After all, the OT environment was not connected to the Internet or to the enterprise’s business networks. So, short of physical sabotage or natural disasters, there were few cyber threats to worry about.
And because the OT networks directly controlled the revenue-generating manufacturing or production processes of the business, the operations team tended to be extremely risk-averse toward anything that could cause a disruption or create downtime. Any updates to OT operating systems or applications were tightly controlled and could only be done during scheduled monthly or quarterly maintenance windows.
This slow, methodical approach to system administration is very different from the way IT systems are managed and is relatively incompatible with the more dynamic nature of cybersecurity. But again, security was a moot point for OT, as those systems were not thought to be at risk.
Digital Transformation Delivers Operational Benefits but Increased Cyber Risk
As industrial enterprises began to undergo digital transformations, a series of shifts and changes in the operational and security landscapes created something of a “perfect storm” of cyber risk for industrial asset owners. First, as operational environments became more highly networked to optimize efficiencies and facilitate data sharing across the enterprise and with third parties, the attack surface expanded. The OT network, which had traditionally been “air-gapped” (or was believed to be), was now connected to the enterprise business networks and the outside world. This convergence increased OT’s exposure to “spill-over” from attacks originating in the enterprise’s IT environment. To combat this, the OT network was segmented from the rest of the enterprise. But, as you can imagine, when the two networks being connected were owned by two separate organizations, each with poor visibility into the other side of the fence, segmentation was often not well implemented.
Also, as referenced above, the operations team retained near absolute control of the OT network. So engineering workstations and HMIs running commercial operating systems like Windows and Linux contained known vulnerabilities, but were not patched and updated as diligently as the IT network, for fear that taking operational processes offline would jeopardize production schedules, or that buggy software updates would cause ongoing disruption.
Operational Change Reshapes OT Security
Having undertaken extensive digital transformation initiatives, many, if not most, industrial enterprises now have deeply integrated IT/OT environments. Key performance indicators (KPIs) are tracked through production dashboards monitored “from the shop floor to the top floor.” Real-time inventory levels are shared with the finance and sales departments as well as third-party partners. And managing OT security risks is a strategic imperative.
One of the historical challenges in securing the OT environment was ownership. Operations teams generally managed all OT assets, so IT and security teams had poor visibility into that environment and could not implement, and consistently update, appropriate security controls. But due to the increased risk factors previously mentioned, corporate boards and leadership teams have increasingly centralized security ownership for both IT and OT under the CISO.
Many OT Attacks Begin with Compromise of the IT Network
Attacking an OT network is a complex undertaking that requires a great deal of planning and reconnaissance. A sophisticated adversary who is motivated to disrupt or modify an industrial process will need to maintain access to their targeted environment for enough time to collect intelligence, navigate to the OT control systems, and execute the final objective. So, remaining undetected for a prolonged period is critical in a successful attack.
Most OT attacks begin by compromising the IT network. As such, it is critical in any OT security strategy to think of the IT and OT networks as two pieces of the same puzzle. Attackers will often launch a spear phishing campaign targeting employees (or vendors in the target’s supply-chain) who are likely to have login credentials or information related to the operational environment. Once a spear phishing target is tricked into clicking on a malicious link or attachment and the adversary establishes remote access to their workstation, the reconnaissance stage begins.
Throughout this time, the adversary will attempt to learn about the target’s control processes and network mapping to formulate the attack, figure out how to pivot to the OT systems and bypass security controls. Once enough intelligence is gathered to formulate the attack plan, the attacker moves forward to their final objective. Several high-profile cyberattacks utilizing purpose-built OT malware, such as Triton, BlackEnergy, and Industroyer, were executed in exactly this way, beginning with incursion through the IT network.
BAS Platforms Can Improve Visibility & Protection
To defend against these types of attacks, security teams must look at the OT environment in a broader context. They must address not only the vulnerabilities within the OT environment itself, but also the ways in which adversaries compromise and traverse the IT network to gather information and gain access to OT control and safety systems.
Many teams are increasingly using breach and attack simulation (BAS) technologies to gain visibility into the combined IT/OT environment and test security controls across the IT network, through the OT demilitarized zone (DMZ) and the critical OT operations control layer.
A BAS platform enables security red teams to continuously run simulated attacks based on a vast library of real-world attack methods. Through these attack simulations, analysts can quickly understand what the attack surface of the integrated IT/OT environment looks like, test its resilience against thousands of real-world attack methods, and determine which security controls are providing protection and where the gaps lie. And because the simulations can be safely run on a continuous basis, it is easy to measure risk in real time.
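As an added illustration (not code from the original post or from SafeBreach), here is a small Python check of the kind a security team might run over exported firewall rules to confirm that the IT-to-OT segmentation described above really forces traffic through the OT DMZ rather than letting IT hosts reach the control layer directly. The zone address ranges and the sample ruleset are constructed for the example.

```python
import ipaddress

# Constructed zone ranges for the three layers the post names: the IT network,
# the OT DMZ and the OT control layer (not taken from the original post).
ZONES = {
    "it": ipaddress.ip_network("10.10.0.0/16"),
    "ot_dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ot_control": ipaddress.ip_network("10.30.0.0/16"),
}

# Zone pairs a DMZ-brokered design permits; any other cross-zone allow is a finding.
ALLOWED_PATHS = {("it", "ot_dmz"), ("ot_dmz", "ot_control"), ("ot_control", "ot_dmz")}


def zones_touched(cidr):
    """Return the set of zones a CIDR overlaps (a broad CIDR may span several)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {name for name, zone in ZONES.items() if net.overlaps(zone)}


def find_bypasses(rules):
    """rules: list of (src_cidr, dst_cidr, dport, action) tuples.
    Returns the allow rules that open a path the segmentation policy does not permit,
    as (src, dst, dport, src_zone, dst_zone)."""
    findings = []
    for src, dst, dport, action in rules:
        if action != "allow":
            continue
        for s in zones_touched(src):
            for d in zones_touched(dst):
                if s != d and (s, d) not in ALLOWED_PATHS:
                    findings.append((src, dst, dport, s, d))
    return findings


# Constructed sample ruleset: the historian feed via the DMZ is fine; the
# direct IT-to-control RDP rule and the any-to-control rule bypass the DMZ.
SAMPLE_RULES = [
    ("10.10.0.0/16", "10.20.0.10/32", 443, "allow"),   # IT -> DMZ historian
    ("10.20.0.10/32", "10.30.0.0/16", 502, "allow"),   # DMZ -> control (Modbus/TCP)
    ("10.10.5.0/24", "10.30.1.0/24", 3389, "allow"),   # IT -> control RDP: bypass
    ("0.0.0.0/0", "10.30.0.0/16", 20000, "allow"),     # any -> control: bypass
    ("10.10.0.0/16", "10.30.0.0/16", 0, "deny"),       # catch-all deny, ignored
]

if __name__ == "__main__":
    for src, dst, dport, s, d in find_bypasses(SAMPLE_RULES):
        print(f"segmentation bypass: {src} -> {dst}:{dport} ({s} -> {d})")
```

The same check can be repeated after every rule change, which is the continuous validation the post argues for; a BAS platform does the equivalent empirically by actually attempting the cross-zone connections.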
Check back for subsequent blogs as we dive deeper into the topic of validating security controls in converged OT/IT environments, including specific use cases and model reference architectures. In the meantime, connect with a SafeBreach cybersecurity expert, request a demo, or check out our IT/OT resource page to learn more about how the SafeBreach BAS platform can help provide better visibility and protection in your integrated IT/OT environment.