This post first appeared on The Last Watchdog on Privacy & Security website.
Finally, the profoundly hackable state of industrial control systems (ICS) is being elevated as an issue of substantive concern and beginning to get the level of global attention it deserves.
Nation-state backed hackers knocking out power grids and discombobulating other critical infrastructure – the cyber Pearl Harbor scenario – has been discussed for years in military and intelligence circles. However, skepticism and apathy have been the watchwords among the actual operators of industrial control systems.
Discussions about better protecting these uniquely vulnerable specialized networks — now generally referred to as operational technology (OT) or industrial control systems — have historically taken a back seat to mainstream IT security issues, such as phishing, ransomware and denial of service attacks.
Fortuitously, that’s beginning to change. A series of disclosures this past year peeled back the curtain on the extent to which Russia, Iran and North Korea, in particular, have been proactively probing and infiltrating OT networks. On a parallel track, a handful of innovative startups have developed purpose-built platforms to address industrial and critical infrastructure security.
Last Watchdog recently visited with Phil Neray, vice-president of industrial cybersecurity at CyberX, supplier of one of the first and most widely deployed OT security platforms. The company was founded in Israel four years ago by cyber defense experts whose nation-state expertise in defending critical infrastructure was honed in the Israeli military. CyberX recently established its global HQ in Boston, moving its C-level and front office staff there. Here are excerpts of our discussion, edited for clarity and length.
LW: Why has OT security taken a back seat to IT security for so long?
Neray: The operational teams that run our factories and power plants own the OT systems, and their #1 priority is uptime — because downtime means lost revenue. So security wasn’t a high priority in the past. But all that changed last summer when WannaCry and NotPetya showed boards of directors and management teams that cyber vulnerabilities can cause massive plant shutdowns, which directly affects the bottom line — to the tune of nearly $1 billion across all companies that reported being affected by WannaCry and NotPetya.
So now we’re seeing CISOs tasked with getting their arms around OT security, getting visibility into what’s installed in their OT environments, and implementing continuous monitoring and other tighter controls.
LW: How is OT security different than IT security?
Neray: Most OT environments have limited controls in place, typically limited to perimeter security. And these environments are essentially “vulnerable by design,” employing legacy industrial protocols that are missing modern security characteristics like authentication and integrity.
One of the reasons for this is that the protocols were designed when it was assumed that if you had network access to the device, you also had permission to change its configuration and the code running in the device. So once an attacker gets into the OT network — via a targeted attack that steals VPN credentials from control engineers, for example, or malware like WannaCry and NotPetya that easily traverses firewalls — they typically have free rein to perform reconnaissance, move laterally and compromise any device they choose.
Also, you can’t constantly patch OT environments like in IT environments. OT environments run 24×7 so patching and reboots can be disruptive, plus you can’t blindly deploy the latest patches without extensively testing them first to make sure you don’t break any operational processes.
OT environments are also populated with legacy equipment that was deployed 10 or 20 years ago — for example, in our “Global ICS & IIoT Risk Report,” we analyzed traffic from 375 production ICS networks worldwide and found that 3 out of 4 sites are still running legacy Windows OSes like Windows XP for which Microsoft is no longer producing patches. Half of the industrial sites aren’t even running any anti-virus, and 60% have plain-text passwords traversing their networks.
LW: Can you explain air-gapping?
Neray: For many years people felt they were safe because the OT network was totally isolated from the IT network, and totally isolated from the Internet. But there’s been a convergence between IT and OT networks to support business initiatives like smart machines and predictive maintenance, and the need to pull real-time data from OT systems into analytics applications running on the IT side.
Plus we’ve always needed remote access to these networks to support remote management and remote maintenance, which is often provided by third-parties like the OT automation vendors (Siemens, Schneider Electric, Rockwell Automation, etc.).
So that opens up additional channels between IT and OT, which broadens the attack surface and increases risk. In fact, the “Global ICS & IIoT Risk Report” showed that 1 out of 3 industrial sites are actually connected to the Internet, which should expose the myth of the air-gap once and for all.
LW: To what extent have we seen threat actors moving to take advantage?
Neray: As the attack surface has increased, the sophistication of attacks also has been increasing. A few years ago, people would say to themselves, ‘We don’t have to worry because our network is air-gapped, and besides it is not like we’re in the Ukraine, so the Russians are not going to come after us.’ WannaCry and NotPetya showed that attackers can get into their OT network and disrupt it — they were examples of sophisticated “drive-by malware” rather than the next thing we’re going to see, which is targeted OT ransomware attacks. That’s going to happen because you can make a lot more money going after a production facility where the cost of downtime is measured in 6 or 7 figures per hour, than going after a local hospital or small business PC.
Another key risk is theft of corporate trade secrets and intellectual property. A lot of sensitive information about proprietary manufacturing processes and product designs is contained in the configurations and code residing on OT devices, so that’s another motivation for nation-states and competitors to compromise our OT networks.
LW: What does CyberX bring to the table?
Neray: We’ve built a robust OT-specific platform that’s been extensively field-proven in production environments worldwide, across all industrial verticals including energy, manufacturing, pharmaceuticals, chemicals, oil & gas, water, nuclear, etc. The platform provides a number of ICS-specific capabilities including asset discovery and network topology mapping, continuous monitoring with anomaly detection, non-invasive risk assessments and vulnerability management, automated threat modeling, and threat intelligence.
We also provide optional services such as incident response, malware analysis, and OT cybersecurity strategy advice, but most of those services are provided by our MSSP partners like Deutsche-Telekom/T-Systems.
LW: Sounds much like network analysis and threat detection many companies do for their IT systems.
Neray: Yes, it’s a similar idea. But the platform needs to have a deep understanding of the scores of non-IT protocols (like MODBUS, Siemens S7, OPC, etc.) and non-standard embedded IIoT devices used in OT environments (e.g., PowerPC processors with embedded real-time operating systems).
And the behavioral analytics and machine learning algorithms are very different for OT compared to IT. In an IT network, the activity consists primarily of humans clicking on hyperlinks, and Windows programs starting up and shutting down. That’s a very non-deterministic environment. The OT environment is very deterministic, because it’s primarily machines talking to other machines. So if you try to apply algorithms that were developed for IT to an OT environment, you’re going to get a lot of false positives and it’s going to take a lot longer to learn what’s normal and what isn’t.
LW: So, in a sense, does that make it more straightforward to spot anomalies?
Neray: In a sense, that’s true. We are the only vendor that builds a finite state machine (FSM) model of the OT network to detect anomalies. If you can quickly identify the finite number of states that the network exists in, and understand all normal transitions between those states, you can model the “DNA” of the network and quickly detect any anomalous behavior. It’s complex, obviously, because there are many different protocols and many different types of devices, and you have to understand the peculiarities of each.
LW: So how long has CyberX been around, and how are you actually doing this in the field?
Neray: We were founded in 2013. Our R&D and threat intelligence teams are located in Israel and many of them worked together in the military. Our headquarters are in Boston, which is also where our CEO is based as well as many of our client-facing teams such as customer success, business development, sales, and marketing. Our clients are large Global 2000 organizations with multiple business units and facilities worldwide, so we’ve built a scalable multi-tier system that can be managed centrally as well as providing local visibility at the plant level. And we integrate with all of the major SIEM platforms so that alerts can be forwarded to the corporate SOC for incident response.
In fact, we just announced the first ICS threat monitoring app for IBM QRadar and the IBM Security App Exchange. The app provides a richer user interface for SOC analysts, enabling faster response to OT-specific threats. We developed the app because our customers are telling us they want a unified approach to IT and OT security. The app enables CISOs to build upon the significant investments they’ve already made in people, workflows, and technology for the corporate SOC, while leveraging the deeper visibility our platform provides into the specialized ICS protocols, IIoT devices, vulnerabilities, and threat behaviors found in OT environments.
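The interview above describes, in general terms, why deterministic machine-to-machine OT traffic lends itself to a finite-state baseline: learn the states a network segment occupies and the normal transitions between them, then alert on anything outside that set. The following is an added illustration of that idea, written for this page; it is not CyberX's code, and the device names, operation labels and "flow" records are constructed sample data rather than captured traffic.

```python
"""Toy finite-state baseline for a deterministic OT network segment.

Added illustration, not CyberX's code. A "state" here is one observed
request (src, dst, operation); the model learns the set of states and the
transitions between consecutive states during a learning window, then
flags unknown states and unknown transitions in later traffic.
"""
from collections import defaultdict

# Constructed sample flows: an HMI polls two PLCs in a fixed cycle.
A = ("hmi-1", "plc-1", "read_holding_registers")
B = ("hmi-1", "plc-2", "read_holding_registers")
C = ("hmi-1", "plc-1", "read_coils")
LEARNING_WINDOW = [A, B, C] * 20

# Constructed test window: two normal cycles, then a write from a host never
# seen in the baseline (hypothetical "eng-ws-7"), then a normal cycle, then
# a known state reached through a transition (A -> C) never seen before.
UNSEEN_WRITE = ("eng-ws-7", "plc-2", "write_single_register")
TEST_WINDOW = [A, B, C, A, B, C, UNSEEN_WRITE, A, B, C, A, C]


class TransitionModel:
    """Learns states and next-state transitions from a flow sequence."""

    def __init__(self):
        self.states = set()
        self.transitions = defaultdict(set)  # state -> set of allowed next states

    def learn(self, flows):
        prev = None
        for state in flows:
            self.states.add(state)
            if prev is not None:
                self.transitions[prev].add(state)
            prev = state

    def summary(self):
        """(number of distinct states, number of distinct transitions)."""
        edges = sum(len(nxt) for nxt in self.transitions.values())
        return len(self.states), edges

    def detect(self, flows):
        """Return (index, reason, state) for each anomalous flow."""
        alerts = []
        prev = None
        for i, state in enumerate(flows):
            if state not in self.states:
                alerts.append((i, "unknown_state", state))
                prev = None  # do not chain a second alert off an unknown state
                continue
            if prev is not None and state not in self.transitions[prev]:
                alerts.append((i, "unknown_transition", state))
            prev = state
        return alerts


def run_demo():
    model = TransitionModel()
    model.learn(LEARNING_WINDOW)
    return model.summary(), model.detect(TEST_WINDOW)


if __name__ == "__main__":
    (n_states, n_edges), alerts = run_demo()
    print(f"baseline: {n_states} states, {n_edges} transitions")
    for idx, reason, state in alerts:
        print(f"flow {idx}: {reason} {state}")
```

Because the polling cycle is deterministic, the baseline converges after a single cycle (three states, three transitions), which is the point Neray makes about OT versus IT learning time. A production model would key transitions per device pair rather than on one global sequence, since real traffic interleaves many conversations, and would treat an out-of-baseline write to a controller as a higher-severity event than an out-of-order read.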