In recent years, simultaneous trends within business and cyber-criminal organizations have transformed security risks for the manufacturing sector and the broader Operational Technology, or OT, space.
Attackers’ motivations and tactics are changing. Many are shifting from making a quick profit, made possible by ransomware and phishing attacks, to causing broad and lasting disruption, and they are increasingly targeting OT and Industrial Control Systems (ICS) to do so.
It has been well-documented how businesses’ IT infrastructure has become more complex in recent years, but a lesser analyzed, and sometimes unknown reality is the convergence of IT and OT systems. As the benefits of IT within OT continues to grow exponentially, shipping, manufacturing, and other forms of heavy industry are investing in the Industrial Internet of Things (IIoT).
IIoT, sometimes referred to as Industry 4.0, includes any traditional manufacturing device that now leverages some form of connected technology, often along with cloud systems. Think Caterpillar’s usage of sensors or Amazon’s smart warehouses, along with countless other applications. IIoT offers compelling advantages for companies, including increased productivity, reduced costs, and access to valuable analytics, but it can also pose security risks.
As the usage of IIoT grows, it is rapidly accelerating the increasing convergence between regular IT and OT systems across manufacturing, with threat actors taking advantage of this convergence in a new wave of attacks. One attack that began in an IT system before spreading to impact OT, was the incident inside Honda in June of this year.
Initially gaining access through an attack against internal servers, malware successfully spread throughout the network and was ultimately able to halt manufacturing. The company stated that the problem was only affecting its ability to access its computer servers, email, and other internal systems, but later confirmed that they had suspended operations in many plants across the UK, North America, and Japan.
Cyber-attackers are innovative and constantly looking for new vulnerabilities they can leverage. IT/OT convergence has proven to be a tactic that can – and will – be used for industrial sabotage.
Evidence of Convergence
Segmentation of IT and OT systems is critical. Without it, a malicious actor, either a hacker or rogue insider, can easily access an IT network, then pivot into the more high-stakes OT environment. The separation of the two, often referred to as air-gapping, provides a necessary layer of physical security. However, a recent analysis conducted by Darktrace, a leading cyber security company leveraging AI to secure both enterprise and industrial environments, revealed that hundreds of companies were using OT protocols in enterprise environments, suggesting that their IT-OT systems were not properly segmented.
Darktrace analysts studied the use of industrial protocols in the enterprise environments of various customers, ultimately with Darktrace detecting over 6,500 suspected instances of ICS protocol used across 1,000 customers. This research reveals that many businesses are blind to the convergence in their own systems.
Unknowingly using OT protocols in corporate IT systems not only increases the attack surface but creates dangerous blind spots that can be taken advantage of by threat-actors.
The types of OT protocols that manufacturers are unknowingly using vary. Darktrace detected ‘core’ ICS protocols, Modbus and CIP (Common Industrial Protocol), but the most common was BacNet, found to be in 75 percent of the instances. This protocol connects IT systems to physical building management systems, so it is not surprising that it is widely used across multiple industries and has more overlap with corporate networks. However, its usage was still a surprise for many of the businesses’ security teams, as most security tools don’t offer visibility into those systems along with desktops and servers.
A lack of visibility into this convergence is one of the major challenges in protecting critical ICS assets, where the costs of disruption are even higher and include production delays, manufacturing defects, or power outages.
Attackers still favor targeting IT networks with their initial attack vectors, as IT infrastructure has significantly more interaction with the internet through emails and various other interconnected technologies. However, poor network segmentation allows attackers easy access to OT systems once an IT network has been compromised. Limited visibility into these systems and an inability to detect an attacker arriving, moving laterally and then pivoting is still far too common.
Indicators of compromise can include anything from new external connections, to network reconnaissance, to lateral movement using privileged credentials, ICS reprogram commands, or ICS discovery requests. With proper enterprise-wide visibility – across both IT and OT – and security tools that are focused on detecting deviations from normal rather than analyzing "known bad", a security team would be alerted to a compromise before an attacker could carry out their objectives.
It is clear that attackers will continue to exploit this increasing IT/OT convergence to carry out industrial sabotage, yet many organizations are unknowingly hosting ICS protocols in their corporate environments. This convergence both increases their attack surface and creates dangerous blind spots. A new, holistic approach to cyber defense is needed – one that can reveal this convergence of IT and OT, provide visibility, and detect deviations indicative of emerging cyber-attacks against these critical systems.
Dave Masson is the Director of Enterprise Security at Darktrace.