Jun 14, 2024

OT Security Goes Beyond the PLC

The threats that target Operational Technology (OT) are reshaping industries and expanding the attack surface, exposing critical infrastructure and manufacturing environments to heightened cybersecurity risks that may not have been an issue when these environments were first imagined. To truly secure OT, it is essential to understand the intricacies of critical infrastructure, the associated security challenges, and best practices for safeguarding these systems.

The OT Market

The OT market has seen substantial growth in recent years. According to Grandview Research, the OT market was valued at USD 190.95 billion in 2023 and is projected to grow at a compound annual growth rate (CAGR) of 10% from 2024 to 2030. This growth is driven by the increased adoption of automation and smart technologies across various sectors, including manufacturing, energy, and transportation. The expansion of the OT market underscores the need for robust and comprehensive security measures to protect these critical systems.

Threat Landscape

Attack Vectors

OT environments are increasingly targeted by a diverse array of threat actors, including hackers, insiders, cybercriminals, terrorists, and nation-states. The appeal of OT systems as targets lies in their potential to cause massive disruption. These attacks can halt production lines, disrupt supply chains, and compromise safety systems, leading to significant economic and operational impacts.

Critical Infrastructure at Risk

Critical infrastructure sectors, often referred to as the “CISA 16,” include essential services such as electricity, water, transportation, and healthcare. These sectors are vital to societal functioning and are thus prime targets for cyberattacks. Disruptions in these areas can have far-reaching consequences, affecting not only the targeted organizations but also the broader population.

Security Challenges in OT Environments

Unique Characteristics of OT Systems

OT systems, including actuators, robots, and programmable logic controllers (PLCs), are distinct from typical IT assets. Major manufacturers of OT assets include companies like ABB, Honeywell, and Yokogawa, each using unique protocols and standards. Unlike IT systems, OT systems are often designed for long lifespans and may run outdated software, making them more vulnerable to cyber threats.

Air-Gapped vs. Converged Environments

  1. Air-Gapped Environments: These environments are designed to be completely isolated from external networks, theoretically preventing cyber intrusions. However, maintaining true isolation requires the equivalent of a massive Faraday cage to eliminate all accidental convergence scenarios (see callout box). Despite these efforts, sophisticated attack vectors can still penetrate air-gapped systems through indirect means, such as physical media or electromagnetic emissions.
  2. Converged Environments: These integrate IT and OT systems, facilitating data flow and operational efficiency. While beneficial, this integration also introduces new security challenges, as IT and OT assets share a common network. This convergence blurs the boundaries between IT and OT, creating a more complex security landscape where vulnerabilities in IT can affect OT systems and vice versa.

Accidental Convergence Scenarios

Despite air-gapping efforts, sophisticated attack vectors have emerged, including:

  • FM Frequency Signals: Malicious actors can transmit data between computers and mobile phones using FM frequencies, bypassing traditional network security measures.
  • Thermal Communication Channels: Heat emissions from computers can be used to transmit data to nearby devices, exploiting temperature variations to encode information.
  • Cellular Frequencies: Cellular networks can be exploited to infiltrate isolated systems, leveraging mobile devices as a bridge to secure environments.
  • Near-Field Communication (NFC): NFC technology, commonly used for contactless payments, can be manipulated to breach security protocols in OT environments.
  • LED Light Pulses: Variations in LED light pulses in OT equipment can be exploited to transmit data, exposing critical systems to malicious activity.

 

The Commonality of the Breach

The majority of OT-based breaches actually start with the hacker establishing a beachhead by compromising an IT-based device and then moving laterally to the OT side of the house. The following recent attacks are just a few examples, not the only ones:

  1. Colonial Pipeline (2021): This ransomware attack targeted the pipeline’s IT systems, leading to a precautionary shutdown of the pipeline operations. The attack targeted the “third network”, and the actual pipeline was shut down out of an abundance of caution.
  2. Volt Typhoon (2023): A China-backed cyber espionage group compromised IT systems across multiple critical infrastructure sectors in the United States. This included communications, energy, transportation, and water systems, demonstrating the pervasive threat to national security.
  3. Muleshoe Water Filtration Plant (2023): A cyber intrusion led to the overflow of a water tank in a small Texas town, illustrating the vulnerability of local infrastructure via a remote-access, IT-based device.
  4. Australian Seaports (2023): A ransomware attack on four major Australian seaports caused significant disruptions, forcing a week-long shutdown that impacted imports and exports.
  5. Synnovis Pathology Lab (2024): A ransomware attack disrupted diagnostic services at a prominent pathology lab in London, delaying medical care for patients and highlighting the direct impact of cyberattacks on healthcare delivery.

Best Practices for Securing IT and OT

Comprehensive Asset Inventory

Maintaining a detailed inventory of all IT, OT, IoT, and IoMT devices is crucial. This inventory should include physical, virtual, managed, and unmanaged assets. A comprehensive asset inventory helps organizations understand their attack surface and implement targeted security measures. It also aids in identifying and mitigating risks associated with outdated or unsupported devices.

Implementing Resilience and Compensating Controls

Adopt a multi-layered security approach, ensuring that compensating controls are in place to mitigate risks. Security measures should be dynamic and adaptable to the evolving threat landscape. This means a cooperative approach involving the entire security stack, including but not limited to access controls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and network segmentation to isolate critical systems and prevent lateral movement of threats.

Regulatory Compliance and Security Frameworks

While regulatory compliance (e.g., NIST, NERC) is essential, it should be viewed as the baseline. Organizations should also adhere to comprehensive security frameworks such as MITRE ATT&CK and follow guidance from the Cybersecurity and Infrastructure Security Agency (CISA). These frameworks provide a structured approach to identifying, mitigating, and responding to security threats.

Holistic Security Approach

Avoid siloed security operations. Ensure that OT security practices can address broader IT security concerns. Even in air-gapped environments, a holistic view is necessary as IT devices often co-exist with OT systems. This includes integrating IT and OT security teams, sharing threat intelligence, and coordinating incident response efforts.

Community Collaboration and Incident Reporting

Engage with the security community to share knowledge and best practices. Participate in industry forums, information-sharing groups, and collaborative initiatives. Encourage a culture of transparency and vigilance, where anomalies and potential threats are promptly reported and addressed. Leveraging the collective knowledge of the security community can enhance an organization’s ability to detect and respond to emerging threats.

Detailed Incident Response Planning

Develop and maintain a detailed incident response plan that includes procedures for both IT and OT environments. This plan should outline roles and responsibilities, communication protocols, and steps for containment, eradication, and recovery. Regularly test and update the incident response plan through drills and simulations to ensure preparedness for real-world scenarios.

Continuous and Proactive Monitoring and Threat Hunting

Implement continuous monitoring of IT and OT networks to detect and respond to suspicious activity in real time. Utilize advanced deception technologies, such as machine learning and artificial intelligence, to identify anomalies and potential threats while still in the formulation stage. Conduct regular threat-hunting exercises to proactively search for indicators of compromise (IoCs) and vulnerabilities within the environment.
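As an added example (not part of the original article and not any vendor's product code), the sketch below audits flow records against a zone policy, tying together the network segmentation described under compensating controls and the continuous monitoring described above. The subnets, approved conduits and flow records are constructed assumptions.

```python
import csv
import io
import ipaddress

# Assumed zone layout and approved conduits (hypothetical, not from the article).
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("10.30.0.0/16"),
}
ALLOWED = {  # (source zone, destination zone) -> permitted destination ports
    ("IT", "DMZ"): {443},
    ("DMZ", "OT"): {4840},
    ("OT", "DMZ"): {443},
}
ICS_PORTS = {102: "S7comm", 502: "Modbus/TCP", 4840: "OPC UA",
             20000: "DNP3", 44818: "EtherNet/IP"}

# Constructed flow records for illustration only.
SAMPLE_FLOWS = """src,dst,dport
10.10.4.23,10.20.0.5,443
10.20.0.5,10.30.1.10,4840
10.10.4.23,10.30.1.10,502
10.10.7.9,10.30.2.44,3389
10.30.1.10,10.30.1.11,502
10.30.2.44,203.0.113.7,53
"""

def zone_of(ip):
    """Map an address to its zone; anything unlisted is EXTERNAL."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "EXTERNAL")

def audit(flow_csv):
    """Return flows that cross the OT boundary outside an approved conduit."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = zone_of(row["src"]), zone_of(row["dst"])
        port = int(row["dport"])
        if src == dst or "OT" not in (src, dst):
            continue  # only the OT boundary is audited here
        if port in ALLOWED.get((src, dst), set()):
            continue
        reason = ("ICS protocol reached from outside OT"
                  if dst == "OT" and port in ICS_PORTS else "unapproved conduit")
        findings.append((row["src"], row["dst"], port, f"{src}->{dst}", reason))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

The same check can run against exported firewall or NetFlow records once the zone map and conduit list reflect the site's real inventory.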

In Summary

Whether your organization maintains an air-gapped environment or believes that integration of IT and OT systems is inevitable and beneficial, both require a robust and adaptable security strategy to protect against sophisticated and evolving cyber threats. By understanding the unique challenges of OT environments and implementing best practices, organizations can safeguard their critical infrastructure and ensure operational resilience.
