OT and ICS Security: The Next Big Challenge

Industries across the globe rely on operational technology (OT) and industrial control systems (ICS) to support their mission-critical infrastructures. At the same time, we expect utilities to work, water to flow, communications networks to stay on, and trains to keep moving. Industrial areas such as power grids, transportation, water monitoring and distribution, oil and gas, and communications systems, all rely on ICS systems to deliver essential services. If these systems are left vulnerable to attack, they can open the door to serious, even catastrophic events.

Some key terms

  • Operational technology (OT) refers to computing systems that are used to manage industrial operations.
  • Industrial control systems (ICS) are a major subset within the OT sector.
  • The industrial internet of things (IIoT) is the use of smart sensors and actuators to enhance manufacturing and industrial processes. It leverages the power of smart machines and real-time analytics to take advantage of the data that dumb machines produce in industrial settings.
  • Supervisory Control and Data Acquisition (SCADA) refers to hardware and software systems that allow organizations to control industrial processes, and they also provide a graphical user interface for operators to easily observe the status of a system, receive alarms, and make adjustments to processes under control.

OT and ICS security trends

While OT systems typically have narrower functionality and a smaller attack surface than traditional IT systems, they are generally problematic from a security operations perspective. These systems often have proprietary interfaces that make it difficult for cyber-defenders to understand if they are running vulnerable software or are misconfigured. Security patches are often not available, and even if they are, downtime is often not an option. The key question to ask yourself is this: Are OT and ICS assets in my cybersecurity blind spot?

According to Kaspersky Labs:

  • Over 40 percent of ICS computers it monitors were attacked by malicious software at least once during the first half of 2018.
  • 61 vulnerabilities in industrial and IIoT/IoT systems were identified, but the owners of those systems fixed only 29 of them during the year.
  • 20% of vulnerable ICS devices had vulnerabilities ranked as “critical.”
  • Close to 40,000 pieces of malware were detected.

This should be a serious wakeup call for all of us. Attacks on such systems can cause major damage (consider the 2015 hack of Ukraine’s power grid, which caused a blackout that affected over 200,000 people). Will nuclear plants, communication systems, or power grids be next?

So far, multiple cyberattacks on critical infrastructure have resulted in mere inconvenience or embarrassment, but that can’t last forever.

A couple of years back, the U.S. Energy Department warned of “an imminent threat” to the electrical grid. This was yet another reminder of just how dependent we are on critical infrastructure networks and how vulnerable these systems are to the potential of cyber-attacks. The truly scary lesson in all of this was not so much what happened as what didn’t happen. Hackers were able to successfully access major infrastructure facilities, yet no municipal water supplies were poisoned, no nuclear power plants melted down, no electrical grids went down, and no trains crashed. Hackers, in this instance, either chose not to push their limits or had limited capabilities.

The question we need to ask ourselves as we look forward is, how long can dumb luck keep us safe?

According to the 2019 Global ICS & IIoT Risk Report from CyberX:

“The data clearly shows that industrial control systems continue to be soft targets for adversaries. Lack of even basic protections like automatically updated anti-virus enables attackers to quietly perform reconnaissance before sabotaging physical processes.”

Here are some key findings:

  • 40% of industrial sites have at least one direct connection to the Internet.
  • 16% of sites have at least one wireless access point.
  • 57% have weak antivirus protection.
  • 84% have at least one remotely accessible device.
  • 69% have security gaps in areas such as plain-text passwords.

OT security in the age of Industry 4.0

The benefits of IoT or IIoT within OT networks and ICS environments are significant – lowering costs, improving efficiencies, and enabling industrial operations to tap into the power of real-time analytics and multisite connectivity.

So why have ICS and OT practitioners and stakeholders been so slow to adopt these new technologies?

According to a 2017 study from Strategy Analytics, lagging investments are largely the result of cybersecurity concerns and the serious consequences of system failures. The majority of organizations (75 percent) regard ICS security as a major priority. At the same time, organizations aren’t implementing the proper safeguards to secure their industrial control systems, and this is causing many to remain on the sidelines when it comes to ICS and IIoT adoption.

Because of their very nature, ICS devices:

  • Are built to be rugged, accessible, and always on, with minimal user maintenance.
  • Are network-capable by default and designed to continually seek out connections, making them easy prey for attackers looking for a way into a corporate network.
  • Represent new endpoints, with the ability to reach sensitive corporate data and resources, but without the capability of being secured like a conventional endpoint.
  • Are vulnerable to airborne threats targeting IoT over wireless networks.

Without proper security safeguards in place, these issues present a near perfect storm of risk – devices that are accessible, vulnerable, and unprotected.

Considerations and best practices for OT security

Organizations must attack the vulnerabilities that affect their ICS assets head on. Here are some steps that will help protect our most essential assets and processes in today’s interconnected world:

  1. Continuously discover all assets – wired and wireless, on or off the corporate network – in real-time.
  2. Calculate the business risk for every asset across the enterprise.
  3. Understand real behavior, e.g., the type of device, what it is doing, and what it is trying to connect to.
  4. Identify and prioritize vulnerabilities in your OT assets across a comprehensive set of attack vectors.
  5. Create a robust vulnerability management program that continuously tests the system.
  6. Vet ICS devices, granting access to well-behaving devices and denying access to those acting suspiciously or improperly.
  7. Reduce your attack surface; the smaller the attack surface, the lower the risk.
  8. Continuously monitor your ICS network to immediately spot attempts to exploit systems, before attackers can do any damage.
  9. Automate threat modeling to prioritize and mitigate highest-consequence vulnerabilities based on business criticality.
  10. Address and mitigate any possibility for cyber-attacks preemptively with prescriptive fixes.
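Steps 2, 4 and 8 above are the ones a defender can turn into code first: score each discovered asset by business criticality and exposure, rank the list, and watch the control network for state-changing traffic from hosts that are not supposed to issue it. The following is an added example written for this page, not code from the article or from any vendor product; the asset inventory, the scoring weights, the allow-list of hosts permitted to write to each PLC, and the connection log lines are all constructed, and the log format (timestamp, source, destination, Modbus function code) is an assumption standing in for whatever your network monitor exports.

```python
"""Constructed example: rank OT assets by risk and flag unexpected PLC writes."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Asset:
    name: str
    criticality: int        # business/safety impact, 1 (low) to 5 (process-critical)
    internet_exposed: bool  # has a direct Internet connection (one of the report findings)
    remote_access: bool     # remotely reachable management or engineering service
    plaintext_protocols: bool
    unpatched_critical_vulns: int  # known critical vulnerabilities with no fix applied


def exposure_factor(a: Asset) -> int:
    """Constructed weights: how reachable an asset is to someone outside the process network."""
    factor = 1
    if a.internet_exposed:
        factor += 3
    if a.remote_access:
        factor += 2
    if a.plaintext_protocols:
        factor += 1
    return factor


def risk_score(a: Asset) -> int:
    """Impact x likelihood; likelihood grows with exposure and with unpatched critical vulns."""
    return a.criticality * exposure_factor(a) * (1 + a.unpatched_critical_vulns)


def prioritize(assets: List[Asset]) -> List[Tuple[str, int]]:
    """Return (name, score) pairs, highest business risk first (step 2 and step 4)."""
    return sorted(((a.name, risk_score(a)) for a in assets), key=lambda t: t[1], reverse=True)


# Modbus function codes that change controller state; reads (1-4) are not flagged here.
WRITE_FUNCTION_CODES = {5, 6, 15, 16}


def find_unexpected_writes(log_lines: List[str],
                           allowed_writers: Dict[str, Set[str]]) -> List[Tuple[str, str, str, int]]:
    """Step 8: flag write function codes sent to a PLC by a host not on its allow-list.

    Each log line is assumed to be 'timestamp src dst function_code'; malformed lines are skipped.
    """
    alerts = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        ts, src, dst, fc_text = parts
        fc = int(fc_text)
        if fc in WRITE_FUNCTION_CODES and src not in allowed_writers.get(dst, set()):
            alerts.append((ts, src, dst, fc))
    return alerts


# Constructed inventory: a boiler PLC, a line HMI and a historian server.
SAMPLE_ASSETS = [
    Asset("PLC-boiler-01", criticality=5, internet_exposed=False, remote_access=True,
          plaintext_protocols=True, unpatched_critical_vulns=1),
    Asset("HMI-line-2", criticality=3, internet_exposed=True, remote_access=True,
          plaintext_protocols=False, unpatched_critical_vulns=0),
    Asset("Historian", criticality=2, internet_exposed=False, remote_access=False,
          plaintext_protocols=False, unpatched_critical_vulns=2),
]

# Constructed connection log: the HMI at 10.10.1.20 is the only host allowed to write to the PLC.
ALLOWED_WRITERS = {"10.10.2.5": {"10.10.1.20"}}
SAMPLE_LOG = [
    "2019-03-04T10:00:01 10.10.1.20 10.10.2.5 3",   # HMI reads holding registers: normal
    "2019-03-04T10:00:02 10.10.1.20 10.10.2.5 16",  # HMI writes registers: allowed
    "2019-03-04T10:00:03 10.10.1.77 10.10.2.5 6",   # unknown host writes a register: alert
    "2019-03-04T10:00:04 10.10.1.77 10.10.2.5 4",   # unknown host reads: not a write, not flagged
    "malformed line",
]

if __name__ == "__main__":
    for name, score in prioritize(SAMPLE_ASSETS):
        print(f"{name:15s} risk={score}")
    for alert in find_unexpected_writes(SAMPLE_LOG, ALLOWED_WRITERS):
        print("ALERT unexpected write:", alert)
```

With the constructed inventory the boiler PLC ranks first (a process-critical device reachable remotely over a plaintext protocol with an open critical vulnerability), which is the ordering a patching or segmentation plan should follow. The write check deliberately leaves read-only polling alone: in most plants a new host reading registers is worth a note, but a new host writing them is the signal that should page someone.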

Key takeaways

Despite ongoing warnings, U.S. critical infrastructure remains vulnerable, and it doesn’t take much imagination to envision what might happen if ICS facilities or systems fall into the wrong hands. Since OT networks control critical infrastructure and processes, network failure inherently comes at a greater cost than in typical IT networks. The potential for substantial financial loss, environmental damage, and even loss of human life resulting from a security breach is a real possibility when we’re talking about ICS.

Protecting connected devices requires a new approach, one that covers all assets, applies comprehensive and robust vulnerability management, deploys ICS security in layers to prevent attacks from both external and internal sources, and mitigates cyber-attacks preemptively. Every new ICS deployment should include the appropriate cybersecurity component to ward off attacks. SCADA programs can also be very effective tools for controlling industrial processes locally and at remote locations. And finally, business criticality should be top-of-mind when ICS security strategies are being developed and implemented.