Operational Technology
Operational Resilience
Risk Management
Cyber Resilience
Industrial
Vulnerability Management

Nexus Podcast: Michael Pyle on Securing Internet-Facing OT, ICS Assets

Michael Mimoso / Mar 24, 2026


A simple search on internet scanning services reveals between 150,000 and 275,000 exposed operational technology (OT) assets on the internet at any point in time.

Significant numbers of those internet-facing assets are operating in Western-based companies within critical infrastructure. These assets can expose the often-legacy protocols over which they communicate, as well as outdated firmware that has not been updated despite publicly disclosed vulnerabilities and, in some cases, exploits.

Some research has also uncovered exposed human-machine interface (HMI) and supervisory control and data acquisition (SCADA) interfaces. Often, the only barrier in front of an attacker is a weak or default credential that would enable illicit access to assets and to process or corporate networks.

On this episode of the Nexus Podcast, Michael Pyle, Director of Product Cybersecurity at Schneider Electric (SE), discusses Internet Exposure Prevention, a new SE approach to preventing illicit connections to OT and industrial control systems (ICS) that are insecurely connected to the internet.

Internet-Facing OT Assets a Low Barrier to Entry

Attackers are adept at using scanning services to enumerate exposed devices and at leveraging OT and ICS to access process and corporate networks. Pyle explains that Internet Exposure Prevention drops inbound traffic that the asset did not initiate. The source IP address of the incoming connection is checked, including whether it is a routable source IP, and an allow/deny decision is made.

“Governments around the globe view this as a significant security risk. So it's not just a lot of much ado about nothing. Many of those devices are reachable and they have basic login credentials, username and password,” Pyle said. “It's not insignificant at all in terms of the risk.

“Tools like Shodan, Censys, Criminal IP, they find these devices and they're easily researched to locate what you're looking for.”

Schneider Electric’s solution works on a premise similar to accepting or rejecting phone calls from someone not on your contact list.

“We use the term unsolicited inbound traffic to represent incoming traffic from an internet-routable source IP address that the device did not initiate communications to,” Pyle explains. “It's analogous to how you use your phone. You pick up your phone. You make an outbound call. That call operates smoothly. Hopefully somebody at the other end answers. You have the communication. You terminate the call. But if somebody calls you and they're not on your contact list, you're going to ignore them. Same concept applied here with these devices.”

OT Assets Unintentionally Exposed

Internet Exposure Prevention would live on the device, down in the stack, Pyle said. 

“As a packet is received, down low in the stack, before we process it in any other way, we check that source IP address. If it is a routable source IP address, then we check it to see did we initiate communications to that in the first place,” Pyle said. “If we did not, we ignore it. If we did, we allow it through. If it's a private IP address, we allow it through.”
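The decision Pyle describes, modeled as an added Python example (this is not Schneider Electric's code). The names `ExposureFilter`, `normalize` and `replay`, the use of `is_global` as the test for "routable", and the sample addresses are assumptions made for illustration; the example also goes one step beyond the quote by unwrapping IPv4-mapped IPv6 sources so they are classified by the IPv4 address they carry.

```python
import ipaddress


def normalize(ip):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it is
    classified as the IPv4 address it really carries."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


class ExposureFilter:
    def __init__(self):
        self.initiated = set()  # peers this device has contacted first

    def note_outbound(self, dst_ip):
        self.initiated.add(normalize(dst_ip))

    def check_inbound(self, src_ip):
        src = normalize(src_ip)
        if not src.is_global:        # assumption: non-global means "private"
            return "allow"
        if src in self.initiated:    # reply from a peer the device called
            return "allow"
        return "drop"                # unsolicited, internet-routable source


# Constructed sample traffic: (direction, remote address).
SAMPLE = [
    ("out", "8.8.8.8"),          # device initiates to a routable peer
    ("in", "8.8.8.8"),           # that peer answers
    ("in", "1.1.1.1"),           # routable source the device never contacted
    ("in", "192.168.1.10"),      # private source on the local network
    ("in", "::ffff:1.1.1.1"),    # same stranger, IPv4-mapped IPv6 form
    ("in", "::ffff:8.8.8.8"),    # known peer, IPv4-mapped IPv6 form
]


def replay(events):
    """Return (source, verdict) for every inbound event, in order."""
    flt, verdicts = ExposureFilter(), []
    for direction, ip in events:
        if direction == "out":
            flt.note_outbound(ip)
        else:
            verdicts.append((ip, flt.check_inbound(ip)))
    return verdicts
```

The model keys on peer IP address only and never expires entries; the page does not describe how the device tracks or ages out the communications it initiated.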

Pyle raised the point that many exposed OT assets are online by accident. 

“They're not intentional, they're misconfigurations where secure deployment practices are not followed,” Pyle said. “Yes there are cases where somebody is intentionally exposing it to the internet because they want remote access and they don't understand the ramifications of what they've done.”


Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.
