With attacks on critical infrastructure on the rise, OT security needs a rethink

The enormous cultural divide between IT and OT security is creating a massive global risk. So much so that, by 2025, malicious actors are expected to have weaponized operational technology environments to the point where attacks could prove fatal to humans.

These are the findings of Gartner’s latest research. Attacks on OT (Operational Technology), the hardware and software critical to monitoring and controlling equipment and processes, have become more prevalent. Ransomware has been the number one OT attack on organizations this year, accounting for 32% of attacks.

“Inquiries with our clients reveal that organizations in asset-intensive industries like manufacturing, resources and utilities struggle to define appropriate control frameworks,” explains Wam Voster, Senior Research Director at Gartner.

Attacks are on the increase

Stuxnet, a sophisticated computer worm, appeared over a decade ago and attacked Iran’s nuclear program. It targeted programmable logic controllers (PLCs) for automated machine processes. Since then, we’ve seen it morph into many variants, including Industroyer malware, also known as CrashOverride, which caused a power outage in Ukraine, and Triton, which hit a petrochemical plant in the Middle East. More recently, the SolarWinds attack impacted IT systems and highlighted the risk of compromised Simple Network Management Protocol (SNMP) implementations, which, having been adopted in IT, are also embedded in numerous OT systems such as power distribution units and control system devices.

Earlier this year, hackers compromised the Colonial fuel pipeline, which carries gasoline and jet fuel along the East Coast of the U.S., causing shortages in what was a relatively unsophisticated ransomware attack. The malicious actors triggered the breach via a single stolen password for an account protected only by single-factor authentication. The company opted to pay the ransom, $2.43 million of which was later recovered in cryptocurrency by the U.S. Justice Department.

These attacks are a wake-up call for governments and organizations to recognize the vulnerabilities in OT security that could bring down a country’s utilities and economy and endanger lives. According to the U.S. Department of Homeland Security, for example, around 85% of critical U.S. infrastructure and resources is owned by the private sector, which is therefore responsible for public security.

In a recent study, the Ponemon Institute found that, on average, organizations had four security compromises that resulted in the loss of confidential data or disrupted OT operations. The top three cybersecurity threats cited are phishing and social engineering, ransomware and DNS-based denial of service attacks.

As OT and IT continue to converge, the threat landscape is widening. Attacks can flow from IT to OT and vice versa. Attack vectors include Wi-Fi, physical access, sensor networks, IoT devices and self-propagating malware. The arrival of Industry 4.0 brings many benefits in terms of automation and intelligence, but with these increased connections come more risks that companies operating in manufacturing, oil and gas, and nuclear power need to be prepared for.

The key issue behind vulnerabilities in IT and OT security is that risk management efforts are not aligned, according to the Ponemon Institute. Sixty-three percent of respondents said their OT and IT security risk management is not coordinated, making it challenging to put a strong security posture in place in the OT environment. The critical reasons for difficulties in OT security are a lack of enabling technologies in OT networks, complexity and a lack of resources.

Managing a converging world

The shared responsibility for risks between IT and OT in industrial systems makes the governance complex. It is paramount to have a unified approach when it comes to safety and security.

The best way to secure both IT and OT in a converged environment is to put the teams responsible for IT and OT security under the same senior leadership. This allows them to work across functional silos and implement new technologies as required.

Gartner recommends that organizations put in place several security controls to shore up their security and prevent incidents in the digital world from adversely impacting physical environments. These include ensuring all OT staff have appropriate security awareness training, implementing and testing incident response, ensuring that proper backup, restore and disaster recovery procedures are in place, and establishing adequate network segmentation. Segmentation ensures that all network traffic between OT and the rest of the network goes through a secure gateway, and multi-factor authentication should be used at that gateway to authenticate interactive sessions to OT.

When it comes to supply chains, it is possible to significantly reduce risk by educating suppliers about both IT and OT threats and by running regular audits, both internally and of suppliers’ businesses. It is also vital that enterprises know precisely where their data is, how it is used, and who manages suppliers’ data. It is also crucial to encrypt data in transit.

OT/IT: in search of common protection

OT and IT are rapidly converging, and the attack surface is expanding fast. IT and OT must speak a common language via shared procedures and policies to reinforce security and keep bad actors out, or we may see some life-threatening incidents over the coming years.

For more information, download the Orange Cyberdefense whitepaper, Obscured Vision: Why you can’t view OT security through an IT Lens.

Jan Howells

Jan has been writing about technology for over 22 years for magazines and web sites, including ComputerActive, IQ magazine and Signum. She has been a business correspondent on ComputerWorld in Sydney and covered the channel for Ziff-Davis in New York.