Infosecurity Europe
4-6 June 2024
ExCeL London

What are the Biggest Threats to OT?

Attacks and threats which are specifically targeted at operational technology (OT) environments have experienced increased scrutiny over the years.

The Colonial Pipeline ransomware incident of 2021 is still widely discussed, but we can also go back to Stuxnet in 2010, which specifically targeted Iranian SCADA systems in a nuclear facility, and to the Triton malware of 2017, which could disable safety instrumented systems.

These are all well-documented incidents, but are they evidence that OT is consistently attacked and that there are threats specifically targeted at these environments?

Attackers typically hit the IT environments of banks and retailers because that is where the money is. OT and industrial control system (ICS) environments are targeted for other reasons, including political motives, protest, adversarial gain, or simply because it can be done and it offers another route for spreading financially motivated malware.

Weaknesses in OT Environments

OT environments have their own set of weaknesses and according to a report by Check Point, the top threats are: lack of network segmentation, DDoS attacks, web application attacks, malware, and command injection and parameters manipulation. That last threat may be unfamiliar, but it is defined as “invalidated data not verified as legitimate system traffic allows attackers to execute arbitrary system commands on OT systems.”

The one that seems to be missing, but could be filed under malware, is ransomware. It is as much of an issue for OT environments as it is for every other kind of victim; there have been multiple OT victims, from Colonial Pipeline to the more recent Royal Mail incident, and the consequences can be severe.

Marty Edwards, vice president of OT Security at Tenable, says the biggest risk to OT “tends to be ransomware” as “cybercriminals will pivot into those systems and organizations are more apt to pay the ransom.” This is often because too many OT and ICS environments have no monitoring or tooling in place to detect or prevent an attack while it is happening, so defenders lack visibility into what is going on.

Nigel Stanley, senior director of OT cybersecurity at Jacobs, agreed, saying that OT systems can be vulnerable to all of these attack vectors and more, “but in many cases the unique nature of OT makes it less well protected than IT systems.”

“This can be due to many things including lack of endpoint computing power, poor understanding of the specific risk to OT systems, internal politics (who is responsible for the OT systems risk – asset management team? operations teams? IT?) and in many cases companies simply being blindsided and thinking that their OT systems are invulnerable. The latter is often assumed when OT systems are ‘air gapped’ but I know from personal experience that these air gaps are often easily breached.”

This leads to the debate about how much OT is antiquated and cannot be patched or updated easily, and whether that is the biggest threat to OT. Can OT be integrated with modern IT systems, and are traditional IT security technologies designed for the control systems found in OT environments at all? Stanley said a lot of OT “is what I would characterise as old and cranky, and it is employed simply because it works and any replacement will be expensive and likely disruptive to a plant or facility.”

He admitted that OT will often use proprietary (or similar) protocols, or have other technical reasons why it might not integrate with IT systems. When legacy OT does need to be refreshed, it will be replaced with up-to-date IP-based systems and technology “as the old serial based kit is starting to become less available, that’s when there will be pushes for integration with IT systems and that’s when very careful consideration needs to be given as to how this is implemented in a secure way.”

A More Secure Future with Smart Systems

Stanley said not all OT “is old and cranky,” pointing to the use of smart systems in modern, new-build plants and cities, which are very up to date and provide a new way of designing, building and operating in today’s world. Even so, more traditional IT security technologies often struggle in an OT environment.

“A great example being the need for many security solutions to have real time access to the cloud for updates,” he said. “The culture in many OT shops is pretty anti-cloud and they want on-prem solutions only. This causes vendors a bit of a headache.”

Edwards agreed that there are brand new implementations built on new computing technology, and that there is obsolete technology in some of the older areas, but said that is no longer an excuse for claiming OT is hard to maintain. “Technology has moved on to shut down controllers and update, and technology is very safe and reliable with zero disruption. If that is your excuse, you’re setting yourself up for failure.”

He admitted that a lot of OT environments do need some “cyber maintenance and check nothing has changed and add a bit of cybersecurity grease and run environments to failure” as if operators do not, they will “pay now or pay later.”

As for future threats, Edwards said that most defenders will not keep a well-funded nation state attacker out, but they can make the attack challenging enough that the attacker goes somewhere else. An OT defender should identify what is most at risk and implement proportionate, engineering-led controls to manage that risk down as far as possible.

Looking towards the future, Edwards said the Colonial Pipeline incident raised the profile of OT environments among senior policy makers and government, who could “enact policies and lean towards more regulation,” which would make boards of directors pay more attention.

If that does happen it could bring a wave of security measures to OT environments, but it is a shame that it has taken a bad incident to bring that change.
