Andrey Armyagov - stock.adobe.co
When the first operational technology (OT) system was created in the late 1960s, it was designed as a distributed control system with a focus on safety, reliability and availability. Security for such systems primarily relied on physical gates and locks.
At that time, cyber security was not a consideration due to the absence of reported attacks against OT systems, which led to the perception that OT systems were inherently secure. Consequently, the progress in OT security has been slower compared with IT security, despite the potentially more severe consequences of a successful attack on an OT system.
Even in the face of several high-profile attacks on OT systems in recent years, complacency about OT security persists. At the recent GovWare security conference in Singapore, Goh Eng Choon, president of ST Engineering’s cyber business, highlighted common misconceptions that organisations have regarding OT security in an effort to raise awareness of the security challenges facing OT systems.
Myth one: We are not a target or priority for attackers
While this myth can be debunked with documented attacks on OT systems, Goh said it’s not surprising that some individuals still hold the misguided belief that they are not vulnerable targets because they perceive having nothing of significant value to attract attackers.
“It’s not uncommon for people to assume that these attacks are financially motivated and there’s little to gain from attacking an industrial network. However, I want to emphasise that this perception can be dangerous, because threat actors have diverse intentions and they do not share the same objectives,” he said.
Goh emphasised that such assumptions can be perilous, as threat actors have diverse intentions and objectives beyond financial gain. He cited a study by the Canadian Center of Cybersecurity, which revealed that threat actors range from cyber criminals seeking financial gains to hacktivists and geopolitical actors engaged in conflicts, such as those between Russia and Ukraine or Hamas and Israel.
“The reality is that the OT industry is under deliberate attack with the intent of disrupting critical infrastructure – and the threat is not limited to fiction. Real-world incidents have already shown the potential of catastrophic consequences,” he added.
Goh said the frequency of attacks against OT systems has also increased, from sporadic incidents that happen once every few years to yearly incidents. “Some may attribute this escalation to the increased awareness of cyber security within the OT industry, resulting in a large number of reported cyber incidents, but nevertheless, it remains an undeniable fact that OT plants are a potential target for threat actors.”
Myth two: My OT network is protected because it’s isolated and air-gapped
Goh explained that when implemented correctly, an air gap between an OT network and other networks can reduce the accessibility of the OT network to threat actors. However, even in an air-gapped network, there are legitimate reasons for files to be moved between the OT network and the external IT network, such as configuration files and software patches from OT suppliers. Adversaries can exploit this by tricking staff and contractors into installing fake software patches or transferring files containing malware.
Goh pointed to the example of the Stuxnet malware, which infiltrated an air-gapped system via a USB flash drive and subsequently spread throughout the network, exploiting four vulnerabilities, including a bug in the Windows print spooler and a zero-day targeting programmable logic controllers (PLCs).
Goh Eng Choon, ST Engineering
“It’s imperative to re-examine the definition of air gap and reassess whether our OT environments genuinely qualify as such. Is there absolutely no connection to other networks? Are there absolutely no USB file transfers? Air gaps or isolated networks can sometimes foster a false sense of security, and if you believe your OT network is safeguarded solely because it’s isolated, I strongly urge you to reconsider this belief.”
Myth three: OT uses proprietary protocols that attackers are not familiar with
Goh said this myth is associated with security by obscurity, a strategy that relies on secrecy to secure a system or component during design or implementation.
“A common belief is that the OT protocols are proprietary, and the attacker doesn’t have access to OT devices or specific proprietary protocols,” he said. “To some extent, the proprietary nature of the OT device does pose a challenge to hacking, but threat actors behind targeted attacks are usually knowledgeable, persistent and resourceful.”
Goh said such threat actors, particularly those backed by nation-states, have the resources to replicate an OT system, and create and rigorously test their malware in a lab before launching an attack. “This possibility is highly speculated in the Triton malware attack, which happened in 2017 in a malicious attempt to destroy and damage a petrochemical plant in Saudi Arabia by targeting the safety system,” he added.
In orchestrating the attack, the threat actor had to deal with a controller based on proprietary hardware that runs on the PowerPC processor, a proprietary operating system not known to the public, and a protocol that was not documented publicly.
“There were multiple layers of security by obscurity, but despite that, the attacker was able to deploy the Triton malware shortly after gaining access to the system. This is indicative that they had pre-built and tested the tools before the initial compromise, and it was highly possible that attackers had access to the hardware and software that allowed them to research, reverse engineer and develop their own library to send commands to interact with the targeted proprietary system.”
Myth four: The firewall protects OT networks from cyber attacks
In the concept of defence-in-depth, firewalls are used to separate the different layers of an OT network. Goh said while it is mandatory to use firewalls to protect an OT network from unauthorised access, this protection is only as good as the policy and the security of the firewall.
“We all know that misconfigurations of firewall rules happen and are not uncommon,” he said, citing a study that found one in five firewalls have one or two configuration issues. “Any misconfigurations of firewalls will, again, result in a false sense of security, allowing unauthorised access to your OT network.”
Goh urged organisations to incorporate other system-level measures, such as OT zero-trust security, to defend against attacks that exploit already permitted protocols and access.
Myth five: Implementing cyber security for OT systems requires you to modify your processes
Contrary to the perception that securing OT systems can impact standard operating procedures, Goh said OT security tools are specifically designed to proactively mitigate risks and safeguard OT operations by detecting threats in advance.
“ST Engineering has developed an AI [artificial intelligence]-powered anomaly detection algorithm capable of identifying not only threats but also system faults and failures. This has raised the acceptance from OT operators on implementing such a capability because it helps to enhance operations and protects them from cyber threats,” he said.
Explaining the company’s approach to securing OT systems, Goh pointed to the Purdue Model that comprises five levels, from levels zero to three where the OT environment sits, including OT devices, PLCs and Scada servers, to level four, the enterprise environment.
Goh said network monitoring across levels one to three is key, so the company has developed an advanced OT network monitoring system that not only comprehends the multitude of OT protocols, but also empowers its engineers to understand proprietary protocols that are specific to customer networks. “More importantly, we are able to deliver this capability in a non-intrusive manner. That’s very important to reduce the impact that you would have on the network,” he added.
It is also important to do level zero monitoring due to the presence of legacy instruments that do not present any digital output. Goh said these devices are susceptible to attacks that involve tampering with sensors or input/output (I/O) devices, calling for organisations to consider implementing level zero monitoring solutions to gain visibility at the lowest level of OT infrastructure where electrical signals originate.
Read more about cyber security in APAC
- Ensign InfoSecurity chairman traces the company’s journey and how it is leading the charge in cyber security by doing things differently, investing in R&D and engaging with the wider ecosystem.
- Australia is spending more than A$2bn to strengthen cyber resilience, improve digital government services and fuel AI adoption, among other areas, in its latest budget.
- Cyber Security Agency of Singapore teams up with Dragos and the US Cybersecurity and Infrastructure Security Agency to bolster the country’s OT security capabilities.
- Mimecast CEO Peter Bauer believes the company’s comprehensive approach towards email security has enabled it to remain relevant to customers for two decades.