“They’re testing out red lines, what they can get away with. You push and see if you’re pushed back. If not, you try the next step.”
Thomas Rid, Professor of War Studies at King’s College London
“The risk to OT networks is real — and it’s dangerous and perhaps even negligent for business leaders to ignore it.”
Mike Assante, ICS/SCADA Lead for the SANS Institute.
It’s clear from recent news that a number of adversaries are attempting to compromise our critical industrial networks. Their motives range from criminal intent to operational disruption and even threats to human and environmental safety.
At the same time, industry experts have been telling us for years that our Operational Technology (OT) networks are vulnerable — lacking many of the built-in controls we now take for granted in IT networks, such as automated updates and strong authentication — but we’ve never had the data to objectively evaluate the risk before.
To address this gap, CyberX used proprietary Network Traffic Analysis (NTA) algorithms to analyze traffic collected from 375 production OT networks over the past 18 months, across the US, Europe, and APAC . The networks span all sectors including energy & utilities, manufacturing, pharmaceuticals, chemicals, and oil & gas. Although questionnaire-based surveys have been conducted in the past, this type of real-world network analysis has never been conducted before.
The data clearly shows that control networks are easy targets for current adversaries. Many are exposed to the public Internet and trivial to traverse using simple vulnerabilities like plain-text passwords. Lack of even basic protections like anti-virus enables attackers to quietly perform reconnaissance before sabotaging physical processes such as assembly lines, mixing tanks, and blast furnaces.
In fact, OT networks are, as some have observed, like M&M candies — “soft on the inside.” But they’re also not particularly “hard on the outside,” either.
As a result, once attackers get into an OT network — either via the Internet or by using stolen credentials to pivot from corporate IT systems to OT networks — it’s relatively easy for them to move around and compromise industrial devices. In fact, according to a new US CERT advisory citing analysis by the DHS and FBI, threat actors are currently engaged in APT attacks using spear phishing to obtain stolen credentials from ICS personnel.
We don’t want to be cyber Cassandras — and this isn’t about creating FUD — but at the same time, we should have a realistic, data-driven view of the current risk.
Some of the eye-opening conclusions from the report include:
- Forget the myth of the air-gap: One-third of industrial sites are connected to the Internet — making them accessible by hackers and malware exploiting vulnerabilities and misconfigurations. This also explodes the myth that OT networks don’t need to be monitored or patched because they’re isolated from the Internet via “air-gaps.”
- Unpatchable Windows boxes: More than 3 out of 4 sites have obsolete Windows systems like Windows XP and 2000. Since Microsoft no longer develops security patches for legacy systems, they can easily be compromised by destructive malware such as WannaCry/NotPetya, Trojans such as Black Energy, and new forms of ransomware.
- Weak authentication: Nearly 3 out of 5 sites have plain-text passwords traversing their control networks, which can be sniffed by attackers performing cyber-reconnaissance and then used to compromise critical industrial devices.
- No anti-virus protection: Half of the sites don’t have any AV protection whatsoever— increasing the risk of silent malware infections.
- Rogue devices and wireless access: Nearly half have at least one unknown or rogue device, and 20 percent have wireless access points (WAPs), both of which can be used as entry points by attackers. WAPs can be compromised via misconfigured settings or via the recently-discovered KRAC WPA2 vulnerability, for example.
- Remote control: 82% of industrial sites are running remote management protocols like RDP, VNC, and SSH. Once attackers have compromised an OT network, this makes it easier to learn how the equipment is configured and eventually manipulate it.
What can be done? It’s unrealistic to expect asset owners to perform massive upgrades to their OT infrastructures in the short-term, which would cost their industries billions of dollars.
Nevertheless, there are a number of practical steps organizations can take today to mitigate OT risk, including:
- Providing security awareness training for plant personnel and enforcing strong corporate policies to eliminate risky behaviors like clicking links in emails, using USBs and laptops to transfer files to OT systems, and dual-homing devices between IT and OT networks.
- Top-down organizational initiatives to break down barriers between IT and OT teams, such as temporarily assigning IT security personnel to OT organizations and vice-versa to understand the differences between IT and OT.
- Using compensating controls and multi-layered defenses — such as continuous monitoring with behavioral anomaly detection — to provide early warnings of attackers inside your OT network, and to mitigate critical vulnerabilities that might take years to fully remediate.
- Proactively addressing the most critical vulnerabilities via automated threat modeling.
SANS refers to the multi-layered approach described in the last two items as “Active Cyber Defense” — using security operations to continuously identify and counter threats. According to SANS, the Active Cyber Defense Cycle consists of four phases that continuously feed each other: asset identification and network security monitoring; incident response; threat and environment manipulation (e.g., addressing vulnerabilities); and threat intelligence consumption.
As Michael Assante from SANS says, “Fortunately, we can significantly reduce the risk to vulnerable OT networks by moving beyond the limitations of perimeter security and leveraging the visibility, intelligence, and proactive actions provided by an Active Cyber Defense strategy.”
Interested in learning more about the key findings and expert recommendations? To download the full report, click here: https://cyberx-labs.com/en/risk-report-2017