The Convergence of Operational and Internet Technology
The entire industry is concerned about the increasing amount of cyberattacks. A contributing factor is that the threat’s targeted surface area footprint continues to expand, with innovative technologies escalating quickly in the IT industry. It is not surprising that larger organizations are suffering data breaches because of emerging technologies like the Internet of Things (IoT) growing as a necessary and functional part of Industrial Technology.
For a long time, IT and Operational Technology (OT) have functioned separately without having to be dependent on each other. A world of possibilities and capabilities as vast as we can imagine now surround us are is only conceivable through new industrial facilities relying on integrated IT and OT. In the past, OT only included hardware and software used to regulate and operate equipment utilized in Critical Infrastructure comprising Industrial Control Systems (ICS). Initially, the OT did not require cybersecurity as it was mostly disconnected and free from the internet, keeping it safe from the outside world’s threats.
Physical security was once the primary form of security in the industries. However, soon OT started converging with IT, even becoming dependent on it, and then the manufacturing industry integrated IoT into the process. But the confluence of all these technologies without solid security starts to look like a suicide squad. With IIoT (Industrial Internet-of-Things) implementation, all the instruments, devices, sensors, etc., in use with IT/OT are vulnerable to severe cyberattacks on power grids affecting energy supplies, water supplies, food processing units, etc.
In comparison, the security industry has evolved by developing technologies like remote backups, hardware firewalls, and intrusion detection systems. Still, unfortunately, many IIoT devices are distributed with their default username/password combinations easily discoverable by the threat actors and displayed on dark web hacking forums where attacks are planned and coordinated. Threat actors have unconventional objectives when picking an enterprise to target. They are often motivated by the idea of having financial gain, for a political cause, or even with a military intent. These attacks could be state-sponsored (check out our blog on nation states and cybercrime) or come from industry competitors, ex-employees with malicious goals, or even hacktivists.
The cyber-smart attackers with sophisticated attacking skills can target industrial staff with phishing attacks that include malicious attachments allowing them to gain network access using a Remote Access Tool (RAT) malware. The RAT could be used for harvesting credentials to gain access to the ICS. This way, the attacker gets to plant a ransomware attack, encrypt all the essential data, and demand a hefty ransom. The ransomware can erase the infected hard drives and BIOS firmware, leading the industry to stop its operations. Such attacks could take months to replace and reprogram affected control systems.
The world saw the Supervisory Control and Data Acquisition (SCADA) system that Stuxnet had targeted was running an unpatched and outdated software for years. Even today, many OT devices are still running on software that has not been updated, and even their patches are outdated by ten years. Furthermore, specific devices have customized features developed by engineers in an exclusive manner that may appear obscure to engineers today but are wide open for attack.
The pandemic brought a storm on cybersecurity budgets as organizations had to also keep remote workers in mind. The essential workers like hospitals, manufacturers, and electricity providers were pressured to maintain business continuity regardless of the pandemic. It became challenging for these organizations to deliver due to cyberattacks occurring on their supply chains. Twenty-five percent of the North American utility companies were affected by the SolarWinds attack. In another instance in February of this year, a water treatment plant in Oldsmar, Florida, was cyberattacked using the remote access software TeamViewer, which almost affected 15,000 people. In this incident, the threat actor had temporarily increased the release of sodium hydroxide, which could have increased the treated water’s acidity, leading to a negative effect on the surrounding population.
When manufacturers introduced smart devices like IIoT devices, remote access for the OT, and even cloud computing, it added more complexity to the network. The managing staff in these industries often suffer from a lack of talent in cybersecurity skills and are quickly swamped with the amount of data requiring new security measures.
Manufacturers now realize a significant gap exists in the security provided to this challenging environment. They believe that the industries are at huge risk because of the following addressed issues:
- The OT and IT networks are managed separately, and so are the concerns reported to different heads, bringing a lack of communication among the managing teams.
- The workforce in the industries is not comprehensively trained to understand OT and IT.
- They cannot quickly identify the boundaries of the attack surfaces as they are not aware of things present in their network.
- The built-in security features of software implemented in these industries are lagging.
The convergence of IT and OT is significant for revolutionizing many advantages in manufacturing companies and facilitating digital transformation. IT-OT convergence security plans should keep the industrial OT requirements in mind and determine the least-privileged or minimum amount of IT connectivity required for the OT to still function properly. In other IT language, we might call this a form of segmentation. A supply-chain failure can lead to squandered revenue, inoperable devices, or worse.
While automated patching and updating are desirable, you also do not want to become the next Kaseya attack. You might consider auto-downloading patches to a server logically segmented away from your OT and other critical company functions until you have scanned and tested the patch or update on a sandboxed test system. As organizations emerge with modern technologies and transformed business paradigms, cyber security must be at the forefront as supply chain attacks and intrusions in industrial technologies can go undetected for extended periods. Preventing cyber-attacks by having a resilient cyber security presence is a critical countermeasure. No matter how your IT and OT integrate, you should consider a bidirectional, Zero Trust solution at your outermost network layers.
Dave Gast (CEH/SEC+/ITIL 4/PMP) is an INTRUSION Sr. Threat Researcher & Info/Cyber Security Subject Matter Expert with a 26 year active duty military career and 10 year government contracting consulting role including extensive cyber intelligence and threat analysis.
Ready to get protected?
INTRUSION Shield is affordable for every business, large or small. We price per seat, per month – with no annual contract and no hardware to buy.