Operational Technology Security: The Other Threat Surface
Network connectivity in your operational technology may leave the door open for a skilled threat actor.
By: Eric Escobar, Secureworks Adversary Group
When people talk about cybersecurity, chances are they’re talking about protecting IT assets: the systems, data, applications, and networks that organizations depend on every day to get work done, satisfy customers, and make money.
But there’s a whole other realm of digital infrastructure that needs protecting: OT, as in Operational Technology. And it’s growing in size, importance, and potential vulnerability all the time. That’s why understanding and testing your Operational Technology security is so important.
Keeping the lights on
Just as our businesses and our personal lives have become increasingly digital, so has the infrastructure on which we all depend every day. The electrical grid, our water supply, our transportation systems, and more have been transformed into networks of “smart infrastructure” that leverage telemetry and intelligent controls to boost efficiency, optimize uptime, and minimize mean-time-to-repair.
This massive overhaul of our critical infrastructure has been largely invisible to us. We take it for granted that we can just flip a switch to get light and turn on a faucet to get water. But the infrastructure that makes these things possible is extremely complex—and it requires significant digital capability. And the real-time control and influence these systems have on our day-to-day lives only amplifies the need for strong operational technology security.
Did you know that the electrical grid must create exactly the amount of electricity that is being used at any given moment? There are no batteries or storage to absorb any excess power, nor is there any storage to draw from if not enough power is available. So, the grid’s power generation and transmission lines must constantly adjust to demand wherever and whenever another TV or air conditioner kicks on. And that’s only possible because of the ever-increasing sophistication of the electrical utilities’ Operational Technology (OT) systems.
OT systems — often referred to as Industrial Control Systems, or ICS — are also increasingly prevalent in industrial and manufacturing environments, as we’ve put robots on our assembly lines and stuck chips in virtually every piece of equipment we deploy. So, while we might at first think of the so-called “Internet of Things” (IoT) in terms of our smart homes and our cars, a large percentage of the world’s estimated 11.5 billion chip-enabled devices are OT infrastructure.
Operational technology-related risk
The risks associated with critical OT infrastructure are obvious. We’ve seen them in the movies (e.g., Die Hard 4) and in real life (e.g., Ukraine in 2015). And we’ve narrowly avoided them here in the U.S. a few times (e.g., New York’s Bowman Avenue Dam in 2013).
But as we implement more OT, our threat surface keeps growing. And as we add more features and functionality to our OT control systems, system complexity adds to our cybersecurity challenge.
Global tensions also increase our OT-related risk, since critical infrastructure is an attractive target for state actors seeking to do harm. OT infrastructure is also an attractive target for ransomware attacks—since it could potentially allow cybercriminals to hold vital services hostage.
Utility companies and other operators of critical infrastructure are aware of this risk, so they tightly control access to their OT systems. OT networks are also typically kept separate from IT networks and are not connected to the public internet.
This air gapping obviously poses a significant obstacle to any would-be attacker. However, there are growing caveats to this idea of air gapping. As operators of OT infrastructure get more aggressive about leveraging the intelligence of their OT networks, they increasingly need to tap into those networks via wired or wireless connections using fixed or mobile computing devices. That connectivity — as secure as operators may hope it is — often creates potential points of exposure to an extremely skilled and dedicated hacker.
Operational technology security and SwAG
The Secureworks® Adversary Group (SwAG) faces unique challenges when it comes to pentesting OT infrastructure. For one thing, these systems must stay online end-to-end 24x7x365. So, we can’t risk disrupting them even slightly. This is different from an IT network, where our objective is to move vertically/laterally across a client’s environment after initial penetration to demonstrate how and what an adversary could compromise should they gain access.
For our OT engagements we are a bit more flexible. We can simply demonstrate access to an OT network or jump host, after compromising the IT network of the organization. This is exactly how real-world threat actors do it. They phish a user, compromise remote access or otherwise gain access to the IT network and then move laterally to gain access to production OT infrastructure. Additionally, we can work through customized situations to passively monitor OT network traffic, test a full system in the lab environment, or even test individual pieces of hardware outside of production.
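The defender’s counterpart to the IT-to-OT pivot described above, as an added example that is not part of this post or of any Secureworks tooling: it scans firewall flow records for connections into the OT zone that do not originate from the sanctioned jump host, and for OT hosts reaching back out. The zone ranges, the jump-host address, the record format and the sample records are all constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed zone layout and jump host; substitute your own address plan.
OT_ZONE = ipaddress.ip_network("10.50.0.0/16")
JUMP_HOSTS = {ipaddress.ip_address("10.20.5.10")}  # the only sanctioned IT-to-OT path

Alert = namedtuple("Alert", "line reason")

def parse_flow(line):
    """Parse one constructed 'timestamp src dst dport action' record."""
    ts, src, dst, dport, action = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), action

def check_flow(line):
    """Return an Alert if this flow crosses the IT/OT boundary outside the jump host."""
    _, src, dst, _, action = parse_flow(line)
    if dst in OT_ZONE and src not in OT_ZONE:
        if src in JUMP_HOSTS:
            return None  # sanctioned path: jump host into the OT zone
        if action == "ALLOW":
            return Alert(line, "inbound flow to OT zone bypassed the jump host and was allowed")
        return Alert(line, "inbound flow to OT zone bypassed the jump host (denied; possible probing)")
    if src in OT_ZONE and dst not in OT_ZONE and dst not in JUMP_HOSTS:
        return Alert(line, "OT host initiated an outbound flow to a non-jump-host destination")
    return None

def scan(lines):
    """Run check_flow over every record, skipping malformed lines rather than crashing."""
    alerts = []
    for line in lines:
        try:
            alert = check_flow(line)
        except ValueError:
            continue  # unparsable record; a production pipeline should count these
        if alert:
            alerts.append(alert)
    return alerts

# Constructed sample records (not real traffic); port 502 stands in for an OT protocol.
SAMPLE_LOG = [
    "2024-05-01T10:00:01 10.20.5.10 10.50.1.20 22 ALLOW",   # jump host -> OT: expected
    "2024-05-01T10:00:05 10.10.3.44 10.50.1.20 502 ALLOW",  # IT workstation -> OT: bypass
    "2024-05-01T10:00:09 10.10.3.44 10.50.1.21 502 DENY",   # denied, same workstation probing
    "2024-05-01T10:01:00 10.50.1.20 10.50.1.30 502 ALLOW",  # OT-internal: ignored
    "2024-05-01T10:02:00 10.50.1.20 10.10.9.9 443 ALLOW",   # OT host reaching into IT
    "garbage line",                                         # malformed record, skipped
]
```

Run `scan(SAMPLE_LOG)` to see the three flagged records; in practice the denied flow is the one to chase first, because it shows an IT workstation probing OT addresses before it finds an allowed path.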
If your organization has OT infrastructure, as most do, I encourage you to contact Secureworks for independent validation of your cybersecurity posture. SwAG conducts these engagements on a regular basis, so we’re well qualified to dig deep and find hidden cracks in your security armor. This kind of adversarial testing is a compelling way to gain both confidence and deeper understanding around the integrity of your IT and OT infrastructure. If we do find hazardous security vulnerabilities in your IT or OT infrastructure, you can have the reassurance that you found them with a dedicated security partner, and before a threat actor was able to leverage them.
This proactive approach allows you to take an important step in protecting your organization, as well as the customers you serve, from the serious consequences that would come from a breach of your OT infrastructure. While our team attempts to access your OT network, you should also take this opportunity to see if you can detect and respond to a motivated threat actor. If visibility isn’t optimal, ask about our Taegis™ XDR platform, designed from the ground up to provide you with the visibility needed to stop an attacker before they hit the OT network.