Topics:
This is the first of a two-part series by Dan Ricci informing IT cybersecurity teams about the nuances of OT vulnerabilities and how to mitigate them. Part one delves into how OT threats and risks differ from those on the IT network.
IT cybersecurity teams are responsible for defending and securing an organization’s IT assets against internal and external threats. Whether IT cybersecurity teams realize it, operational technology (OT) is all around them, and understanding the differences and potential interconnections between IT and OT environments is essential.
As organizations increasingly integrate OT systems into their networks for improved efficiency and automation, the potential attack surface expands, necessitating a deeper understanding of OT vulnerabilities. Additionally, the consequences of OT security breaches extend beyond data loss to include physical damage, environmental hazards, and even threats to public safety, amplifying the urgency for robust cybersecurity measures. Therefore, comprehending the nuances of OT security challenges becomes imperative for IT cybersecurity teams to develop comprehensive defense strategies that safeguard both IT and OT environments.
There are several key factors regarding OT and industrial control system (ICS) vulnerabilities that IT cybersecurity teams and professionals must consider before understanding the difference between securing OT systems and traditional IT systems.
Converged IT/OT environments have introduced process controls, threats and risks to IT cybersecurity teams and analysts. There may be a basic understanding of OT systems’ control over physical processes in manufacturing, power generation, and transportation, for example. Understanding this difference is crucial for effectively securing OT environments. However, there are some unique characteristics to the OT threat landscape.
In OT environments, cyber threats can include physical safety risks and environmental hazards, as well as financial implications due to operational disruptions. Furthermore, cyberattacks on OT systems can result in physical damage to equipment, production downtime, and safety risks to personnel and the public.
Physical safety risks resulting from attacks against OT often arise because these devices control critical infrastructure such as industrial machinery, transportation systems, and equipment vital to utilities. Attackers targeting these systems can potentially compromise their functionality, leading to physical safety risks for workers and the general public.
In 2022, Russia-linked attacks carried out in advance of the Russian invasion of Ukraine involved state actors attempting to portions of the U.S. power grid through cyberattacks using the PIPEDREAM malware during the first few weeks of Russia’s invasion of Ukraine. This attempt intended to disrupt 12 U.S. electric and liquid natural gas sites, and if successful, would have impacted availability of these services, but also public safety.
Environmental hazards may also result from successful attacks against OT systems that manage processes that if disrupted could impact the environment. Chemical manufacturing plants and/or water treatment facilities are susceptible to cyberattacks that could disrupt the proper operation of these systems and lead to environmental contamination or pollution.
Contamination of water supplies or chemical leaks would have far-reaching consequences for ecosystems, wildlife, and public health. An example of this type of event took place in December 2023 when hackers targeted an Irish water facility’s programmable logic controller (PLCs) and human machine interfaces (HMIs) that were not adequately protected by a firewall and had default passwords. This attack resulted in the local community being without water for two days. A similar https://claroty.com/team82/blog/opportunistic-hacktivists-target-plcs-at-us-water-facility.
Safety risks to personnel may imperil operators working near industrial equipment and machinery. A cyberattack that disrupts or manipulates OT systems can create hazardous conditions for personnel. For example, unauthorized access to control systems could cause equipment to operate unpredictably or dangerously, putting workers at risk of injury or even loss of life. As of this date, there has been no known incident where humans have been killed by a cyberattack targeting an OT system in chemical, critical manufacturing, or other automated industrial control system environments. However, there has been a record of a death attributed to ransomware targeting medical health systems that occurred in 2021 at a hospital in Alabama.
Many OT systems rely on older technologies that were developed prior to current secure-by-design practices in software and product development lifecycle. This resulted in hard-coded passwords, unencrypted protocols, and insecure services that were not designed with security in mind included in production systems. These systems often lack basic built-in security features such as encryption, authentication, and regular patching (if available).
ICS devices within OT systems may not support patching but, instead, require a full software/firmware or hardware upgrade, which would cause significant interruptions in operational availability in order to uninstall and install new software or hardware. ICS vendors may offer workarounds to address these issues to compensate for the lack of patches or software upgrades, but it's not as easy to mitigate as in IT systems. Adding to this complexity, ICS devices lack the equivalent of IT patch management tools.
These factors leave OT systems exposed to cyberattacks. IT cybersecurity teams and sysadmins should understand the specific challenges OT staff encounter when mitigating ICS and OT vulnerabilities. Vulnerabilities in OT systems may linger, leaving systems exposed longer than IT teams are accustomed to. This requires IT and OT professionals to work together to establish network security strategies for monitoring and protection.
Furthermore, OT asset owners and operators have traditionally prioritized system safety and operational availability over confidentiality and integrity. If patching results in a loss of OT functionality, it may result in a loss of thousands of dollars per minute. IT cybersecurity teams and professionals should be aware of their organization's OT systems' security capabilities and limitations, and how they may or may not connect to the business operations network.
Dan Ricci is founder of the ICS Advisory Project, an open-source project to provide DHS CISA ICS Advisories data visualized as a dashboard to support vulnerability analysis for the OT/ICS community. He retired from the U.S. Navy after serving 21 years in the information warfare community.
