Best Practices for Minimizing OT Threats
It’s 3 a.m. on a Sunday when the vice president of operations’ cell phone rings. On the other end of the call is the plant manager at one of the company’s largest factories in China.
The plant’s manufacturing lines are down due to a cyberattack that’s impacted the plant’s control systems. Before the vice president can respond, however, his cell phone rings again with a call from another plant manager in Eastern Europe experiencing the same problem.
Six hours later, plant managers across the company are reporting the same issue. The IT team has detected malware in the company’s operational technology (OT) systems, initiating incident response procedures that will take days—if not weeks—to complete and restore operations.
Of course, the incident described here is fictitious, but it mirrors dozens of real-world incidents that have cost manufacturing companies hundreds of millions of dollars.
What can companies do to minimize the likelihood of a high-consequence attack? And why do so many security programs fail to achieve that goal even after spending considerable resources?
The answer to both questions usually comes down to the company’s failure to identify the realistic threat vectors (a.k.a. attack pathways) into its critical systems.
For example, a supplier or vendor might come into the plant to troubleshoot a control system issue. They could accidentally introduce malware by connecting an infected laptop to the plant’s network, plugging an infected USB drive into a plant computer, or handing the site a file that, unknown to them, is infected. Other threat vectors include compromised software patches or antivirus updates that are installed in the control system environment.
Blocking these threats requires appropriate cybersecurity measures, coupled with mitigating controls that limit the damage when an incident does occur. These include strict policies prohibiting the connection of USB drives or laptops to control systems, and measures to enforce those policies, such as disabling or blocking USB ports, disabling or blocking unused switch ports, and implementing network access control. Additional controls include verifying the authenticity of patches and updates before deployment, mandating testing of patches and updates prior to deployment, and staging their deployment rather than pushing them everywhere at once.
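One concrete form of the "verify before deployment" control described above, added here as an illustration (it is not code from the article or from Armexa): a standard-library Python check that hashes every file in a vendor patch bundle and compares it to a SHA256SUMS-style manifest, after first checking the manifest itself against a digest the site pinned from an out-of-band source. The workflow, file names, manifest format and the sample bundle it builds are all assumptions constructed for the example. It establishes integrity against that pinned reference, not a vendor signature; where the vendor signs its releases, the signature check belongs in the same gate.

```python
"""Pre-deployment integrity check for a vendor patch bundle (stdlib only).

Assumed (hypothetical) workflow: the vendor ships patch files plus a
SHA256SUMS-style manifest, and the site pinned the manifest's own SHA-256
obtained out of band (e.g. from the vendor portal over TLS, not from the USB
drive or e-mail that delivered the bundle). Nothing is staged for deployment
unless the manifest matches the pin and every file matches the manifest.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # stream large firmware images instead of reading them whole
HEX = set("0123456789abcdef")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse 'HEX  filename' lines (sha256sum output). Anything that is not a
    64-hex-char digest is rejected, so a truncated or MD5-only manifest fails."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: malformed")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 64 or not set(digest) <= HEX:
            raise ValueError(f"manifest line {lineno}: not a SHA-256 digest")
        entries[name] = digest
    return entries


def verify_bundle(bundle_dir, manifest_path, pinned_manifest_sha256):
    """Return (ok, findings). ok only when the manifest matches the pin, every
    bundled file is listed and matches, and nothing listed is missing. An
    unlisted file is a finding too: tampered bundles often carry extras."""
    if not hmac.compare_digest(sha256_file(manifest_path),
                               pinned_manifest_sha256.lower()):
        return False, ["manifest does not match the out-of-band pinned digest"]
    with open(manifest_path, encoding="utf-8") as f:
        expected = parse_manifest(f.read())

    findings, seen = [], set()
    for name in sorted(os.listdir(bundle_dir)):
        if name == os.path.basename(manifest_path):
            continue
        if name not in expected:
            findings.append(f"{name}: not listed in manifest")
            continue
        seen.add(name)
        if not hmac.compare_digest(sha256_file(os.path.join(bundle_dir, name)),
                                   expected[name]):
            findings.append(f"{name}: digest mismatch")
    for name in sorted(expected.keys() - seen):
        findings.append(f"{name}: listed in manifest but missing from bundle")
    return not findings, findings


def build_demo_bundle(tamper=False):
    """Write a constructed sample bundle to a temp dir (not a real vendor patch).
    With tamper=True the firmware image is altered after the manifest was made
    and an unlisted executable is added, as an infected laptop or USB drive might."""
    d = tempfile.mkdtemp(prefix="patch_bundle_")
    files = {
        "plc_firmware_v2.bin": b"\x7fELF" + bytes(range(256)) * 4,
        "hmi_hotfix.msp": b"constructed HMI hotfix payload\n",
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    manifest_path = os.path.join(d, "SHA256SUMS")
    with open(manifest_path, "w", encoding="utf-8") as f:
        for name in files:
            f.write(f"{sha256_file(os.path.join(d, name))}  {name}\n")
    pinned = sha256_file(manifest_path)  # in practice taken from the out-of-band source
    if tamper:
        with open(os.path.join(d, "plc_firmware_v2.bin"), "ab") as f:
            f.write(b"\x90" * 16)
        with open(os.path.join(d, "unlisted_tool.exe"), "wb") as f:
            f.write(b"MZ not part of the vendor release\n")
    return d, manifest_path, pinned


if __name__ == "__main__":
    for tamper in (False, True):
        ok, findings = verify_bundle(*build_demo_bundle(tamper))
        print("DEPLOYABLE" if ok else "REJECT", findings)
```

Running it prints one DEPLOYABLE line for the clean bundle and one REJECT line naming the altered firmware and the unlisted executable. The pin is the weak link: a digest copied from the same USB drive that delivered the patch proves nothing, which is why the check insists the reference come from a separate channel. Rejecting non-SHA-256 lines in the manifest prevents a vendor's legacy MD5 list from being accepted as an equivalent check.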
Doing this may sound simple, but modern IT and OT systems are complicated and intertwined, so it takes considerable effort to study the potential attack pathways into a system and to identify the current security weaknesses that can be compromised by a malicious actor or software. It also takes effort to identify the measures that can be taken to quickly detect a breach and rapidly respond to contain the incident, minimizing proliferation and damage.
Unfortunately, many companies skip this critical analysis step and go directly to deploying security technology in the hopes that the technology will do the work for them. Technology can be tremendously beneficial, but it is critically important to map out the threat vectors and attack pathways before selecting the appropriate technology that's going to aid in interrupting those vectors, raising alerts, and initiating rapid response.
Technology is not the only tool at your disposal to reduce the likelihood of a successful cyber threat and the consequence of a cyber incident. The most successful programs leverage a combination of people, processes, and technology working together to protect these critical systems.
A good example of this is a patch management program that combines technology to identify required patches, processes to obtain and test them, and personnel trained in patch testing and deployment to oversee the work.
The Role of Threat Intelligence
As mentioned earlier, it is important to identify the realistic threats to OT systems and the pathways those threats could exploit that will cause the greatest damage. This is where threat intelligence comes in.
Oftentimes, people assume that cyber threats will originate in the IT environment and propagate into the OT environment. That is certainly a common and likely pathway, but it is far from the only one. A lot can be learned by studying prior incidents, identifying the threat actors, and mapping out the attack vectors they used. Frameworks such as MITRE ATT&CK and ATT&CK for ICS are helpful in mapping those attack pathways.
Additionally, methodologies such as Cyber HAZOP and Cyber Bowtie, both derived from safety engineering methodologies, are used to study and document cyber threats, vulnerabilities, and consequences, as well as pinpoint the most effective measures that can be taken to prevent and mitigate cyber incidents.
A helpful analogy is to relate cybersecurity to physical security systems that protect high value assets.
For example, think for a moment about one of your favorite movies about a bank heist or theft of priceless art or jewelry. Successful criminals are always creative and resourceful. They do not take the obvious path and attempt to enter through the front door of a high security facility. Rather, they seek out the unexpected and thus less guarded pathways into the facility. They carefully plan every move and seek ways to avoid detection. They strive to exploit the facility's security systems and use them to their advantage, such as taking over a video surveillance system or leveraging access controls to keep the authorities out while clearing a path for their own escape. Hackers and malicious software use very similar tactics, techniques, and tradecraft to achieve their goals.
Cybersecurity professionals need to think like an attacker to design and deploy the most effective defenses. This means studying and understanding the various types of threats, threat actors, and their strategies. It also means studying their own systems and thinking about how they would go about attacking them to cause the greatest damage.
Furthermore, in OT and manufacturing applications, it means working with the engineers and operators who know the systems better than anyone and, therefore, also know how to attack them better than anyone. One practical way to do this is to invite engineering and operations staff to participate in OT cyber risk assessment workshops, where they can share their experience and help develop realistic threat scenarios and mitigation solutions.
Cyber threat intelligence in OT and manufacturing is more than just studying the activities and tradecraft of threat groups and actors. It also involves studying one's own systems and identifying the attack pathways attackers could use to compromise the most critical assets.
John Cusimano, CISSP, is vice president of OT security at Armexa and has more than 30 years of experience in process control, functional safety, OT, and industrial control systems cybersecurity. He is a globally recognized thought leader in the field of OT cybersecurity, a voting member of the ISA 99 cybersecurity standards committee, leading the effort to author the ISA/IEC 62443-3-2:2020 standard “IACS Security Risk Assessment & Design,” and a pioneer in the development and application of the Cyber HAZOP OT cyber risk assessment methodology. Cusimano is also the developer and primary instructor of multiple training courses on OT cybersecurity.
© Armexa LLC