Jarrett Kolthoff | July 10th, 2019

Business Journal Ask the Expert Column

Operational Technology Could Become Your Achilles Heel

As more organizations focus on IT security and upgrade their protections, threat actors of all types, from state-sponsored groups and financially motivated criminals to disgruntled former employees, are fixing their sights on Operational Technology (OT): industrial control systems and the Internet of Things (IoT) devices that run alongside them.

ICS networks are often overlooked and under-protected, and a breach of your Industrial Control System (ICS) network can have catastrophic consequences, up to and including loss of life, particularly in the case of hospitals. Beyond the immediate damage, an ICS breach can bring heavy government fines, lawsuits from injured parties, and long-term financial instability as shareholder confidence erodes.

Q: Why Is Operational Technology So Vulnerable To Attack?

For openers, most Industrial Control Systems were designed before cyber threats were even a consideration, so they carry an inherent design flaw: they lack built-in security controls (many legacy control protocols, for instance, have no authentication at all). Unlike IT systems, which allow for relatively easy replacement and patching, your ICS probably has custom features designed specifically for your company's type of use, or it speaks protocols used almost exclusively by your industry. Manufacturing downtime alone can be nightmarishly expensive when you address security concerns, not to mention the costs of custom upgrades and the high fees associated with security reprogramming.

Q: What’s The First Thing Our Company Should Do To Reduce The Risk Of Our OT/ICS Being Breached?

Network segmentation, reconfiguration and intrusion detection should top your list. The weaker your configuration, the more likely you are to be breached and the easier it is for an attacker to move through your environment. Failing to establish ACLs (access control lists) or firewall filters that restrict where traffic can go is what lets malicious actors or malware wreak havoc on systems, and it matters most in environments where upgrading or patching is difficult: if you cannot fix the device, you must at least control who can reach it.

You also need to be notified of unusual traffic. That means tracking packet flows between zones and inspecting packets for signatures, so that an office workstation talking to a controller, or a controller talking to the internet, raises an alarm. Weak configurations make a compromise easy. If, for example, an HVAC controller has been exposed to the internet with a poor configuration and no intrusion detection, an attacker can gain a firm foothold in your network and quickly begin compromising sensitive and valuable assets without your knowledge. One of the most famous and most costly breaches in history began with essentially this scenario.

As with all cyber security efforts, find your weakest link first and address it immediately. In this case you cannot move quickly enough: if you have been targeted, a compromised internet exposure makes you easy prey.
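The zone allowlist and traffic inspection described above, as an added example that is not part of the original column: a small Python policy checker that treats every cross-zone flow as denied unless it appears in an allowlist, and additionally parses the Modbus/TCP header to flag register writes coming from anything other than an engineering workstation. The zone addresses, allowlist entries, host names and flow records are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical zone layout (constructed for this example, not from the column).
# Anything outside these ranges is treated as the internet, i.e. untrusted.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),  # office IT
    "dmz":       ipaddress.ip_network("10.20.0.0/24"),  # historian / collectors
    "control":   ipaddress.ip_network("10.30.0.0/24"),  # PLCs and HMIs
    "hvac":      ipaddress.ip_network("10.40.0.0/24"),  # building automation
}

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

# Default-deny allowlist: (src_zone, dst_zone, proto, dst_port). Only these
# flows may cross a zone boundary; everything else is a violation.
ALLOWED = {
    ("control", "control", "tcp", 502),  # HMI to PLC, Modbus/TCP inside the cell
    ("dmz", "control", "tcp", 502),      # historian polls PLC registers
    ("corporate", "dmz", "tcp", 443),    # office users read historian dashboards
    ("hvac", "dmz", "tcp", 443),         # HVAC controllers report to the BMS collector
}

# Only engineering workstations may issue Modbus write function codes.
ENGINEERING_HOSTS = {"10.30.0.2"}
MODBUS_WRITE_CODES = {0x05, 0x06, 0x0F, 0x10}  # write coil(s) / register(s)

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""   # first bytes of the application payload, if captured

def modbus_function_code(payload: bytes):
    """Return the Modbus/TCP function code, or None if the payload is not a
    well-formed MBAP frame (7-byte header followed by the function code)."""
    if len(payload) < 8:
        return None
    length = int.from_bytes(payload[4:6], "big")
    if length != len(payload) - 6:   # MBAP length covers unit id + PDU
        return None
    return payload[7]

def check_flow(flow: Flow) -> list:
    """Return the list of policy findings for one flow (empty if it is clean)."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    findings = []
    if (src_zone, dst_zone, flow.proto, flow.dport) not in ALLOWED:
        findings.append(f"denied {src_zone}->{dst_zone} {flow.proto}/{flow.dport} "
                        f"from {flow.src} to {flow.dst}")
    if flow.proto == "tcp" and flow.dport == 502:
        code = modbus_function_code(flow.payload)
        if code in MODBUS_WRITE_CODES and flow.src not in ENGINEERING_HOSTS:
            findings.append(f"modbus write fc=0x{code:02x} from non-engineering host {flow.src}")
    return findings

def audit(flows) -> list:
    """Run every flow through the policy and collect all findings."""
    return [f for flow in flows for f in check_flow(flow)]

# Constructed flow records standing in for a NetFlow/IDS export.
WRITE_REG = bytes.fromhex("0001 0000 0006 01 06 000a 0001")  # fc 0x06: write register 10 := 1
READ_REG  = bytes.fromhex("0002 0000 0006 01 03 0000 0002")  # fc 0x03: read 2 holding registers
SAMPLE_FLOWS = [
    Flow("10.20.0.5", "10.30.0.11", "tcp", 502, READ_REG),     # historian read: fine
    Flow("10.30.0.2", "10.30.0.11", "tcp", 502, WRITE_REG),    # engineering write: fine
    Flow("10.10.4.22", "10.30.0.11", "tcp", 502, WRITE_REG),   # office PC writing to a PLC
    Flow("203.0.113.45", "10.40.0.7", "tcp", 80),              # internet reaching the HVAC controller
    Flow("10.40.0.7", "198.51.100.9", "tcp", 4444),            # HVAC controller calling out
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

The same allowlist, written as a default-deny rule set on the firewall between zones, is what stops the traffic; the checker shows what that policy looks like when applied to observed flows, and the Modbus check is the kind of signature inspection that turns "an office PC talked to a PLC" into an alert rather than a line in a flow log.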

Q: Our ICS Logging Mechanisms Don’t Meet Compliance Standards. How Do We Avoid Not Only Breaches But Regulatory Fines And Sanctions?

An audit trail is not only critical for your environment, it is essential. Regulators don't care about your problem, only your solution, and you had better have one. Basic record keeping is your best friend during incident response or a forensic investigation of an attack, and you will need the same records for any regulatory compliance audit, so be prepared. Understand the limitations of your environment, then take the steps needed to close every gap. Most ICS networks can generate audit trails (controller change logs, HMI operator logons, engineering-workstation activity), but the capability is often underutilized. Worse, many security teams lack a proper understanding of the OT technology in question and so cannot collect the logs or do not know where to look for them. Make 100% visibility, monitoring and control your end goal and don't stop until you get there. Develop strict protocols so that every incident is registered with your Incident Response Team, logged, and correlated by a real-time audit mechanism. The process is rarely easy, but it is necessary, and it could save you millions of headaches and potentially millions of dollars.
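As an added illustration of the correlation step (this is example code, not something from the column or any particular vendor), the Python below joins two audit trails that OT environments usually can produce: HMI operator logon/logoff events and PLC setpoint-change records. A setpoint write is accounted for when an operator session was active on the originating station at that moment; writes with no such session, and any alarm being disabled, become alerts. The log format, host names, tag names and values are constructed for the example.

```python
import re
from datetime import datetime

# Constructed syslog-style records. Real HMI and PLC logs differ by vendor,
# so this format is an assumption made for the example.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+)(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse(line: str):
    """Parse one '<iso-timestamp> <host> <EVENT> key=value ...' line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "event": m["event"]}
    rec.update(dict(KV_RE.findall(m["kv"])))
    return rec

def sessions(records):
    """Build (host, user, start, end) operator sessions from HMI logon/logoff events.
    A session with no logoff yet has end=None (still active)."""
    open_by_host, out = {}, []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["event"] == "OPERATOR_LOGON":
            open_by_host[r["host"]] = (r.get("user", "?"), r["ts"])
        elif r["event"] == "OPERATOR_LOGOFF" and r["host"] in open_by_host:
            user, start = open_by_host.pop(r["host"])
            out.append((r["host"], user, start, r["ts"]))
    for host, (user, start) in open_by_host.items():
        out.append((host, user, start, None))
    return out

def operator_for(sess, host, ts):
    """Return the operator logged on to `host` at time `ts`, if any."""
    for h, user, start, end in sess:
        if h == host and start <= ts and (end is None or ts <= end):
            return user
    return None

def correlate(lines):
    """Return alert strings for control changes that no logged operator accounts for."""
    records = [r for r in map(parse, lines) if r]
    sess = sessions(records)
    alerts = []
    for r in records:
        if r["event"] == "SETPOINT_WRITE":
            if operator_for(sess, r.get("via", ""), r["ts"]) is None:
                alerts.append(f"{r['ts'].isoformat()} unattributed write to {r.get('tag')} "
                              f"({r.get('old')}->{r.get('new')}) via {r.get('via')}")
        elif r["event"] == "ALARM_DISABLED":
            alerts.append(f"{r['ts'].isoformat()} alarm {r.get('tag')} disabled via {r.get('via')}")
    return alerts

# Constructed sample: one legitimate change under a logged-on operator, then a
# change and an alarm suppression from a station with no operator session.
SAMPLE_LOG = [
    "2019-07-10T08:02:11 hmi01 OPERATOR_LOGON user=jsmith",
    "2019-07-10T08:15:30 plc07 SETPOINT_WRITE tag=Boiler1_Pressure old=180 new=185 via=hmi01",
    "2019-07-10T08:45:00 hmi01 OPERATOR_LOGOFF user=jsmith",
    "2019-07-10T09:12:05 plc07 SETPOINT_WRITE tag=Boiler1_Pressure old=185 new=260 via=eng02",
    "2019-07-10T09:12:06 plc07 ALARM_DISABLED tag=Boiler1_HighPressure via=eng02",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The point of the join is that neither log is alarming on its own: the PLC faithfully records a setpoint change, and the HMI faithfully records that nobody was logged on. Only the correlation says "a control change happened that no operator can account for," which is both the incident-response lead and the record a regulator will ask to see.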

Q: What Is The Most Common Weakness You See In OT Networks And How Can We Avoid The Problem?

As with IT networks, your greatest concern should be your employees and the human element. Social engineering, phishing and questionable browsing habits open doors for attackers into your OT and IT networks individually, or into both through lateral movement. The human element is hard to address, but networks segmented with ACLs and firewall filters limit the damage a single compromised user can do. Insider attacks are also on the rise and present a clear danger. To "smoke out" internal threats, we recommend a risk assessment that both identifies and addresses the weaknesses: look for orphaned accounts, over-privileged accounts and, my personal favorite "smoking gun," insiders with access to resources that fall outside their job responsibilities.
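The three account checks named above, as an added example that is not part of the original column: a Python review that compares a directory export against the HR roster and a role-to-resource matrix, reporting accounts with no employee behind them (orphaned), accounts holding administrative rights their role does not need (over-privileged), and any other access outside the account's job role (the "smoking gun"). The roster, roles, resource names and accounts are constructed; known service accounts are excluded from the orphan check since they have no HR record by design.

```python
from collections import defaultdict

# Constructed HR roster: who is still employed and in which role.
HR_ROSTER = {
    "ahale":  "plant_operator",
    "bjones": "controls_engineer",
    "clopez": "accounts_payable",
}

# Role matrix (assumed for the example): what each job legitimately needs.
ROLE_ACCESS = {
    "plant_operator":    {"hmi_view", "hmi_operate"},
    "controls_engineer": {"hmi_view", "hmi_operate", "plc_program", "historian_admin"},
    "accounts_payable":  {"erp_invoices"},
}

# Resources that count as administrative; excess here is "over-privileged"
# rather than merely out of scope.
ADMIN_RESOURCES = {"plc_program", "historian_admin", "domain_admin"}

# Constructed directory export: account -> resources actually granted.
DIRECTORY = {
    "ahale":      {"hmi_view", "hmi_operate", "erp_invoices"},   # operator with finance access
    "bjones":     {"hmi_view", "hmi_operate", "plc_program", "historian_admin", "domain_admin"},
    "clopez":     {"erp_invoices", "plc_program"},               # AP clerk who can program PLCs
    "dkim":       {"hmi_view", "plc_program"},                   # no HR record: left the company?
    "svc_backup": {"historian_admin"},                           # service account, no HR record by design
}
SERVICE_ACCOUNTS = {"svc_backup"}

def review_accounts(directory, roster, role_access,
                    service_accounts=frozenset(), admin_resources=ADMIN_RESOURCES):
    """Return {'orphaned': [...], 'over_privileged': [(acct, res)], 'out_of_scope': [(acct, res)]}."""
    findings = defaultdict(list)
    for account, granted in directory.items():
        if account in service_accounts:
            continue                      # reviewed separately against an owner list
        role = roster.get(account)
        if role is None:
            findings["orphaned"].append(account)
            continue
        excess = granted - role_access.get(role, set())
        for res in sorted(excess):
            bucket = "over_privileged" if res in admin_resources else "out_of_scope"
            findings[bucket].append((account, res))
    return dict(findings)

if __name__ == "__main__":
    for bucket, items in review_accounts(DIRECTORY, HR_ROSTER, ROLE_ACCESS,
                                         SERVICE_ACCOUNTS).items():
        print(bucket, items)
```

Run against a real directory export the interesting output is rarely the long list of minor excess grants; it is the one accounts-payable clerk who can program PLCs, or the departed engineer whose account still can.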

Closing Thoughts: I've really just scratched the surface of this incredibly important subject. Please find a cyber security firm that's well-versed in OT to help you address this often-overlooked point of vulnerability. Just remember, while OT and IT are vastly different on so many levels, they do share many security commonalities. So, apply the lessons you learn in IT to OT, and vice versa. The more you can unify best practices, the better prepared you'll be when a sophisticated attacker decides to move against your networks.