According to Microsoft, the annual damage caused by cybercrime is expected to reach $6 trillion by 2021, up from $3 trillion in 2015. This number includes significant increases in attacks on enterprise operations technology (OT) systems. The reasons for this increase in OT attacks are twofold. First, as the increasing power of embedded electronics and connected intelligence migrate further down the levels of the OT systems automation hierarchy – including sensors and actuators – the sheer volume of potential hacker targets increases.
Second, many legacy OT systems and their human operators have become more susceptible to risks over time as more and more systems around them are interconnected. For many operators, maintaining a high level of system security has never been a high priority. In fact, many people believe that they’re much better protected than they really are, or they fool themselves into believing that their organization is not a ripe target for hackers. The truth is just the opposite. A well-known quote attributed to Dmitri Alperovitch, a thought leader on cybersecurity strategy who has served as special advisor to the Department of Defense, says it well: “Only two types of companies exist—those who know they’ve been compromised, and those who don’t.”
Although the Information Technology (IT) world has long been active in combatting cybersecurity threats, the OT world, given its unique exposure to risk from multiple endpoints, is not as mature in its development of adequate cybersecurity strategies. OT operators must recognize that none of their everyday work systems is ever totally secure and that the potential universe of threats and risks is quite diverse.
Myth: Techniques for hardening IT systems work the same for OT
Although the work of securing OT systems is similar to the approach used to secure IT systems, some differences exist. IT personnel often believe the myth that IT principles and processes can be applied directly to OT. For example, scanning an IT system for unauthorized devices and open ports is a common IT practice, but scanning an OT system for devices and open ports could overwhelm the Ethernet communications of some devices, causing their communications to lock up and effectively triggering a denial of service. In the IT world, servers and PCs can handle such scanning. However, in some cases, isolated OT devices have limits on the kind of traffic they can withstand. Too much traffic can disrupt or lock up device communications to the point where the device must be power-cycled in order to recover, which could require an entire process to be shut down.
Fundamentally, OT systems are interacting with and controlling the physical world, and both information and cyber-physical control points are at risk. Therefore, it is in the interest of stakeholders to have their IT staffs approach OT with an open mind, and become familiar with OT technologies, risks, and constraints when involved in deploying and maintaining OT cybersecurity solutions. In the case of both IT and OT, however, achieving successful system protection involves a healthy balance of well-trained people, monitored processes and operations, and cyber resilient technologies.
When protecting OT systems, the following approaches are recommended for lowering the risk of cyberattacks:
- Don’t depend on “air gapping” – One technique used to protect OT systems is to completely isolate a particular system from all other systems or networks. Using this “air gap” technique, no connection exists between the isolated system and any other system, not even through firewalls or a DMZ (de-militarized zone). OT operators often believe the myth that an air gap is enough to adequately protect the system. Unfortunately, this is just not the case. Over time, air-gapped systems are touched by humans who have no malicious intent but who don’t realize how important it is for the system to remain isolated. They have a job to do, and they will accomplish it the easiest way possible based upon what they know about the system.
A person may decide to create a bridge to the air-gapped system in order to acquire data for another system they are managing. Or a service person who needs to provide an update to that OT system brings in the update on a USB memory stick. Then, without knowing it, he leaves behind bridgeware that the memory stick picked up from another computer. The bridgeware starts running, and it has enough intelligence to scan around and learn what it can, leaving an instance of itself behind to perform further reconnaissance and deploying itself further into the system. The next time the service person comes by with a USB stick, the bridgeware updates that USB stick and laptop with what it has found. Finally, at the end of the cycle, that information makes its way back to the hacker the next time the laptop connects to the Internet.
- Deploy behavioral anomaly detection through monitoring – Behavioral anomaly monitoring solutions work well within the context of control systems and related OT systems. Once these systems are up and running, their communication patterns are usually very consistent. Therefore, if the SCADA system, for example, starts writing to a new and different PLC, that unusual behavior may very well indicate a possible intrusion into the system. Intrusion detection monitoring solutions observe anomalies in network traffic flow patterns and help to quickly identify possible breaches.
- Educate employees as a hedge against insider threats – According to Indegy, recent studies indicate internal company employees are the biggest threat to OT security. These insider threats are not always malicious, but a comprehensive training program can help to avoid compromising situations and can also communicate the severe penalties in store for those who willingly violate security policies and procedures. Clear documentation of those rules helps reduce instances of human error and negligence. In addition, observations that note sudden changes in human behavior may also indicate potential intentional insider threats. For example, employees who, for no particular reason, begin to spend time in the office late at night, when none of their fellow employees are present, may be a cause for concern.
- Enforce disciplined network management practices – In this domain, key best practices such as application whitelisting (prevents unwanted software from running on your server by establishing a pre-approved “white list” of validated applications), network segmentation (splitting the OT network into zones, so that, if a breach occurs, the damage is limited to the affected subnetwork rather than the entire network) and OT-specific firewalls (firewalls with knowledge of industrial protocols that are capable of performing deep packet inspection to filter traffic at the industrial protocol operational code and data element levels) all go a long way towards minimizing industrial system cybersecurity risks.
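The anomaly-detection bullet above describes a baseline-and-deviation approach (a SCADA host writing to a PLC it never wrote to before), and the OT-firewall bullet describes filtering at the industrial protocol function-code level. The following is an added example, not code from the original post or from Schneider Electric, that combines the two ideas over constructed Modbus/TCP-style flow records (source, destination, function code); a real monitor would parse captured packets instead.

```python
"""Baseline-and-alert detection for SCADA -> PLC traffic (added example).

The flow records below are constructed for illustration. Function codes are
the public Modbus values; everything else (host names, windows) is assumed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Modbus function codes that modify PLC state; everything else is treated as a read.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

@dataclass(frozen=True)
class Flow:
    src: str   # e.g. the SCADA server or an engineering laptop
    dst: str   # a PLC
    fc: int    # Modbus function code observed in the request

def learn_baseline(flows):
    """Record every function code seen per (src, dst) pair during a known-good window."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[(f.src, f.dst)].add(f.fc)
    return baseline

def detect(baseline, flows):
    """Return (severity, message) alerts for flows that deviate from the baseline.

    A write to a peer the source never talked to is the case the text describes
    (HIGH). A read from an unknown peer is MEDIUM. A known pair that suddenly
    uses a write code it never used before is also HIGH, since that is exactly
    the distinction an OT-aware firewall filters on.
    """
    alerts = []
    for f in flows:
        known = baseline.get((f.src, f.dst))
        if known is None:
            sev = "HIGH" if f.fc in WRITE_FUNCTIONS else "MEDIUM"
            alerts.append((sev, f"{f.src} -> {f.dst}: new peer, fc={f.fc}"))
        elif f.fc not in known and f.fc in WRITE_FUNCTIONS:
            alerts.append(("HIGH", f"{f.src} -> {f.dst}: new write fc={f.fc} ({WRITE_FUNCTIONS[f.fc]})"))
    return alerts

# Constructed traffic: a learning window of normal operation, then live traffic.
LEARNING = [Flow("scada", "plc1", 3), Flow("scada", "plc1", 16), Flow("scada", "plc2", 3)]
LIVE = [Flow("scada", "plc1", 16),       # normal: scada has always written to plc1
        Flow("scada", "plc2", 16),       # scada only ever read plc2; now it writes
        Flow("scada", "plc3", 6),        # write to a PLC never seen in the baseline
        Flow("eng-laptop", "plc1", 3)]   # unknown source, but only reading

if __name__ == "__main__":
    for sev, msg in detect(learn_baseline(LEARNING), LIVE):
        print(sev, msg)
```

Running the block prints one alert per deviating flow; the first live flow produces none because it matches the learned baseline.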
To learn more about how Schneider Electric security experts can help you strengthen the cyber resilience of your OT networks, download the “Strategies for Recognizing and Preventing Insider Attacks on Industrial Control Systems” white paper.