As companies increasingly transition to cloud and 5G in pursuit of the fourth industrial revolution, threat actors are waging malicious campaigns against U.S. critical infrastructure.
The Colonial Pipeline incident wasn't the first cyberattack against critical public infrastructure, but it served as a wake-up call regarding the scope of operational technology (OT) threats. Operating from a remote overseas location, affiliates of the DarkSide ransomware group used VPN access obtained through a leaked password to deploy ransomware inside a major U.S. pipeline operator, halting the delivery of 2.5 million barrels of fuel. Colonial Pipeline restored operations, but only after gas shortage panics and a $4.4-million ransom payment.
Cybersecurity analysts have described this as the biggest known attack on U.S. energy. The incident underscored the immediate need for stronger vulnerability management practices for critical infrastructure. Additionally, recent findings indicate OT threats are now growing at a rate that will surpass last year's 30 percent increase.
CISOs must be ruthlessly pragmatic about first addressing the security weaknesses with the highest risk of an attack. Unfortunately, cybercriminals are using long-ignored OT security vulnerabilities to their advantage. OT is a significant component in critical infrastructure, yet recent high-profile attacks are a reminder that traditional cybersecurity strategies are falling short.
Vulnerabilities Hiding in Plain Sight
Critical infrastructure is being targeted now for two key reasons: first, underinvestment in modern cybersecurity strategies; and second, convergence, meaning the combining of IT and OT environments to connect decades-old OT devices through newer IT networks. Utilities and private sector businesses are belatedly realizing these hybrid environments lack sufficient security measures, increasing the likelihood that OT threats will compromise their business.
Some organizations have deployed newer devices to upgrade their OT environments, notably including connected sensors. Unfortunately, these devices generally cannot be assessed by standard vulnerability scanners, leaving OT environments exposed to significant risks. Add to that the infrequency of OT vulnerability scans and remediation, which typically happen only once or twice per year, if ever.
A security team that lacks visibility cannot fully understand its exposed vulnerabilities or protect its attack surface. Since the threat landscape is continually evolving, this myopia directly reduces an organization's cyber resilience and ability to remediate risks. Even using and managing a dedicated OT firewall isn't enough.
A modern cybersecurity strategy focused on total visibility of the attack surface can determine attack vectors, develop security architectures, and understand the environment, including connected applications. Unfortunately, legacy solutions are plagued with blind spots, ranging from access policy violations to misconfigurations to new or hidden vulnerabilities, all serving as windows of opportunity for threat actors.
There's no question at this point that OT security is decades behind its counterpart, IT security, in both technology and procedures. Many organizations assigned OT and IT security to separate teams, neglecting, if not outright dismissing, OT issues as unlikely to affect anyone – until the threats became deadly serious, as water treatment facilities, meat suppliers, and gas pipelines recently discovered.
Thankfully, it's possible to reverse the years of OT security neglect. The best strategy to implement is a proactive approach centered around risk analysis of exposed vulnerabilities on mission-critical assets: Organizations must invest in united IT/OT solutions powered by automation and prevention, rather than relying on legacy "detection and response" models.
Success will require collaboration between IT and OT functions, with holistic risk management across OT environments as the end goal, achieved by executing the following steps:
- Collect passive data from the OT environment's networking and security technologies.
- Establish a complete network model encompassing IT and OT.
- Employ path analysis to understand all IT and OT connectivity, including how risks can impact either environment or traverse one to reach the other.
- Establish and enforce an access compliance policy to ensure only authorized systems can access mission-critical environments and assets.
- Prioritize remediation of OT vulnerabilities based on exposure, while identifying alternative measures for mitigation, as sometimes needed for legacy equipment.
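The five steps above can be worked through on a small scale with a network model in code. The example below is added here and is not from the original article or any vendor product: it takes a constructed inventory of hosts and zones plus a constructed list of allowed flows (standing in for passively collected firewall rules or netflow), builds a connectivity graph, runs a breadth-first path analysis from the internet, checks an access compliance policy that says only the OT zone itself and an IT/OT DMZ jump host may originate flows into OT, and then ranks constructed findings by exposure, recommending a compensating control instead of a patch for legacy assets that cannot be patched. Every hostname, flow, finding and score is made up for illustration.

```python
"""Toy IT/OT network model: connectivity graph from collected flows,
path analysis from the internet, OT access-policy check and
exposure-based prioritisation of findings.
Added example with constructed data; no real site, product or
vulnerability is described."""
from collections import deque

# Constructed inventory: host -> zone.
HOSTS = {
    "internet": "external",
    "vpn-gw": "dmz",
    "corp-ws-17": "it",
    "eng-jump": "it-ot-dmz",   # intended single entry point into OT
    "hmi-01": "ot",
    "plc-pump-3": "ot",
    "historian": "ot",
    "plc-boiler-1": "ot",      # no allowed flow reaches it from outside OT
}

# Constructed allowed flows (src, dst, service), as they might be exported
# from firewall rules or netflow; each flow is an edge of the network model.
FLOWS = [
    ("internet", "vpn-gw", "ipsec"),
    ("vpn-gw", "corp-ws-17", "rdp"),
    ("corp-ws-17", "eng-jump", "rdp"),
    ("eng-jump", "hmi-01", "rdp"),
    ("hmi-01", "plc-pump-3", "modbus"),
    ("corp-ws-17", "historian", "sql"),   # bypasses the jump host
]

# Access compliance policy: zones allowed to originate flows into "ot".
OT_ENTRY_ZONES = {"ot", "it-ot-dmz"}

# Constructed findings: (host, description, base score, patchable).
FINDINGS = [
    ("plc-boiler-1", "unauthenticated protocol write (constructed)", 9.8, False),
    ("plc-pump-3", "unauthenticated protocol write (constructed)", 9.8, False),
    ("historian", "outdated database service (constructed)", 7.5, True),
    ("hmi-01", "default vendor credential (constructed)", 8.0, True),
    ("corp-ws-17", "missing OS patch (constructed)", 6.5, True),
]


def build_graph(flows):
    """Adjacency list: src host -> list of dst hosts it may reach."""
    adj = {}
    for src, dst, _svc in flows:
        adj.setdefault(src, []).append(dst)
    return adj


def reachable_paths(adj, start):
    """Breadth-first path analysis: host -> shortest hop path from start."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in adj.get(cur, []):
            if nxt not in paths:
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return paths


def policy_violations(flows, hosts=HOSTS):
    """Flows into the OT zone whose source zone may not enter it."""
    return [f for f in flows
            if hosts[f[1]] == "ot" and hosts[f[0]] not in OT_ENTRY_ZONES]


def prioritise(findings, paths):
    """Rank findings: internet-reachable hosts first, then by base score.
    Unpatchable legacy assets get a compensating control on the last hop."""
    ranked = []
    for host, desc, score, patchable in findings:
        path = paths.get(host)
        exposed = path is not None
        if not exposed:
            action = "not reachable from outside; monitor and schedule"
        elif patchable:
            action = "patch (exposed via %s)" % " -> ".join(path)
        else:
            action = "legacy: restrict/inspect flow %s -> %s" % (path[-2], path[-1])
        ranked.append({"host": host, "finding": desc, "score": score,
                       "exposed": exposed,
                       "hops": len(path) - 1 if exposed else None,
                       "action": action})
    ranked.sort(key=lambda r: (not r["exposed"], -r["score"]))
    return ranked


def analyse(flows=FLOWS, findings=FINDINGS):
    """Run the whole pipeline: model, path analysis, policy, prioritisation."""
    paths = reachable_paths(build_graph(flows), "internet")
    return policy_violations(flows), prioritise(findings, paths)


if __name__ == "__main__":
    violations, ranked = analyse()
    for v in violations:
        print("POLICY VIOLATION: %s -> %s (%s)" % v)
    for r in ranked:
        print("%-13s score=%.1f exposed=%s hops=%s  %s"
              % (r["host"], r["score"], r["exposed"], r["hops"], r["action"]))
```

Two things the output makes visible that a flat vulnerability list does not: the direct SQL flow from the IT workstation into the historian is flagged as a policy violation because it bypasses the jump host, and the boiler PLC, despite carrying the same high base score as the pump PLC, drops to the bottom of the list because no allowed path from the internet reaches it. In a real environment the inventory and flows would come from the passive collection in step one rather than being typed in.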
Following these steps will give security teams full context and insight into their attack surface, plus solutions beyond patching to mitigate their legacy and modern OT threats. Critically, they can proactively recognize and remediate vulnerabilities before threat actors exploit them, rather than waiting until crippling attacks have already occurred. Security teams will also be able to extend a comprehensive security policy management program from hybrid/IT environments to OT environments, further streamlining audit and compliance processes, as well as facilitating proper segmentation across hybrid infrastructure.
Maintaining OT cybersecurity has traditionally been ineffectual and expensive, so a new approach offers the opportunity to protect OT resources against threats while achieving meaningful, long-awaited efficiencies. Given the constantly shifting and expanding threat landscape, organizations need to prioritize security policy management and network modeling strategies. In addition, regulating external network access will help security teams reduce the potential for cybercrime, financial repercussions, and other damage.
The ideal solution is a comprehensive security platform capable of visualizing and evaluating IT/OT environments. Properly equipped security teams will have both a broad and a deep understanding of the attack surface, identifying both big-picture weaknesses and seemingly small but potent threats. Today's threat actors are exploiting tiny cracks to achieve devastating results, making holistic protection necessary. Unifying, or at least sharing, OT and IT information can help organizations develop practical strategies to reduce downtime while mitigating risk factors.
Cyberattacks on critical infrastructure have made it clear that OT has become a significant weakness for utilities and organizations during a crucial period in the Industry 4.0 transition. Instead of repeating the past mistake of assuming no one will target them, businesses in OT-based sectors must accept the reality that their assets have just become a prime target for threat actors.