SABOTAGE OF THE OT NETWORK – THE NEWEST THREAT TO BUSINESS?
By Eric Marchewitz 09/29/22
Gartner defines operational technology as “hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events.”
Operational Technology networks are typically those that operate at the plant level and network a variety of Industry 4.0 sensors, legacy PLCs and SCADA networks. They are often pieced together because, frankly, when things need to get made, it’s sometimes easier to grab an 8-port switch from Best Buy than to go to procurement for proper gear. OT is not the same as IoT, which may handle such things as cameras, healthcare equipment and other high-tech items. OT networks are often a mix of old technology and even older machines, along with new equipment…all in the hopes of getting output into the hands of the customers.
Fresh off the press is the alleged sabotage of both the Nord Stream 1 and Nord Stream 2 pipelines, which feed Europe with Russian natural gas for heating, power and industry. Luckily, it appears that this can be repaired, but the event raises an interesting topic among those in the IT security space. SCADA is a protocol that controls automation in the OT environment; it differs greatly from typical IT protocols, and it is quite likely that Gazprom runs it to manage their pipeline infrastructure, making it another vector for potential attacks.
As a security professional, I am exposed to many different environments, and I will tell you that a company is often far more concerned with protecting its corporate network than the proverbial “keys to the kingdom”: the OT network and devices.
What if, instead of physical sabotage, the SCADA network is compromised? Instead of physically sabotaging equipment, all a would-be bad actor needs to do is send some commands from a remote console, which could have major consequences for the company, the industry and the world.
We are probably all familiar with the Colonial Pipeline attack in 2021, in which a pipeline running from Texas to New York, delivering kerosene, jet fuel and gasoline to critical infrastructure on the east coast, was shut down. This was a ransomware attack in which the bad actors demanded money to release the pipeline from the command-and-control attack that had shut it down.
Even scarier, in June of 2022 a Russian hacking group allegedly penetrated the SCADA network of a gas processor in Texas. We can only speculate as to the true cause of the explosion, which reportedly mushroomed 450 feet into the air. It is speculated that the hacking group caused an over-pressurized situation which led to an explosion and a large release of natural gas vapor.
According to Tom Rogan of the Washington Times, who writes on security matters, the company did not have detection and data security controls on its Operational Technology network to protect its SCADA control systems. This may have led to a situation that cost dollars and impacted national security and lives. The company denies this allegation.
THE CHALLENGE WITH OT SECURITY
Unlike IT data centers, which are clean, ordered and secured, the OT network is often in the area where physical work is done. It is often dirty, patched together with a variety of off-the-shelf hardware, and running machines that can’t be upgraded, patched or breathed on, for fear that it might cause a shutdown…costing real dollars.
Leveraging unique protocols, legacy operating systems that can date back to Windows 98, and 3rd-party firmware updates delivered by unknown USB drives or worse…floppy disks, the OT network is a literal treasure trove of hacking opportunities that can cause real monetary and human loss if not protected.
How do companies operate these legacy systems? Often, they rely on 3rd-party contractors that have almost free rein on the network to download code written by dubious sources. This can open up the OT network to real compromise that might not be just a simple ransomware attack but something even more nefarious: financial and physical damage to property, interruption of business continuity and, in the most extreme cases, loss of life.
NOT JUST UTILITIES - PRODUCT MANUFACTURING TOO
As a person that looks for trends, I am noticing an increasing number of food-based recalls in the news. While I have no direct knowledge, it appears the FDA and USDA are ramping up inspections, partly, I believe, to sharpen the monitoring of food production in case of a compromise.
Food production is particularly vulnerable because tight temperature controls and regulations are often needed to ensure food is clear of pathogens. The simple act of reducing the Time Under Temperature, a common way to pasteurize food, could easily be altered remotely, leaving potentially fatal pathogens at higher than acceptable levels. The same could be extended to water treatment and a variety of other seemingly “low tech” attack surfaces with potentially dire consequences.
According to the blog cyesec.com, these are some of the top cyber security risks for food manufacturing:
- Production line interruptions and shutdowns that could cripple the business
- Degradation of food products, making them unsafe for sale and consumption
- Financial loss as a result of ransomware pay-outs and loss of productivity
- IP breach of food recipes and production processes
- Physical harm to personnel and equipment
- GDPR violations resulting in fines
- Reputational damage
Most companies that produce products use some form of automation in their environment. Whether it’s the automotive sector, food manufacturing, utilities, pharmaceuticals or even building materials, it is useful to consider the OT environment a critical part of the business that needs security as much as the IT network does.
Whether a company builds cars or model airplanes, technology is increasingly being used in manufacturing to boost profits by increasing efficiency. A shutdown is costly and, depending on the remedy, can cause major harm to an organization’s business continuity.
WHAT CAN BE DONE TO PROPERLY SECURE THE OT INFRASTRUCTURE?
Traditionally, the OT network has been “left alone” for the plant managers, engineering staff and SCADA operators to handle, but increasingly the IT staff is looking at the OT environment as a serious security risk.
OT environments often have unique protocols, vulnerable OS environments as mentioned above (anyone remember Windows Embedded?) and 3rd-party access, all of which require different incident response plans, monitoring and access controls.
There are three phases of OT security which should be considered:
- OT Networks and OT-Specific Protocols – often these low-latency networks are simply segmented off and that is considered “secure”, but now that the threats are taking a higher priority, OT-specific networks need OT-specific security solutions.
- Legacy Endpoints – I recall one story of a client that tried to use an off-the-shelf endpoint product designed for IT, and it ended up crippling numerous control workstations running legacy OSes, shutting down production. Often there is a lack of visibility into what is even on the shop floor.
- 3rd-Party Access – most of these PLCs are old and dated, and as the pool of technicians gets tighter due to an aging population, it is important to prevent unauthorized transmission of critical data and exploits. Guest networks provide easy access for threats that often circumvent the corporate safeguards. Even unsecured USB sticks provide an easy vector to access key systems and potentially sensitive data.
Some best practices for OT environments:
- OT Networks – use OT-specific firewalls and IPS systems that are ruggedized, allow for a fail-open architecture and understand OT-specific protocols like SCADA.
- Legacy Endpoints – use OT-specific clients that can accommodate older OSes and can be put in a monitoring mode to evaluate any conflicts prior to putting them into a defensive posture. Use an asset discovery tool to discover what is on the network and what OS is running.
- 3rd-Party Access – use a USB transfer device that is trusted (we all remember the USB rootkit exploits from years ago) and has a scanning engine built in. Use TLS decryption and threat prevention for all guest downloads to look for malware in 3rd-party firmware and patches. Finally, restrict access and permissions to critical systems holding data, like MES and ERP, to only those who need them in the organization.
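To make the practices above concrete, here is a small passive OT monitor, written as an added example for this article (it is not the author's code or any vendor product). It ties together three of the points discussed: the asset visibility and segmentation checks from the "OT Networks" and "Legacy Endpoints" items, the "monitoring mode before defensive posture" idea, and the pasteurization setpoint risk described under product manufacturing. It reads constructed log records of two kinds ("flow" connections and decoded "write" setpoint commands), builds an inventory of every host seen, flags flows that violate a zone segmentation policy, and flags setpoint writes that come from an unauthorized zone or fall outside engineering limits. The zones, addresses, register names, limits and log lines are all constructed assumptions for illustration.

```python
"""Passive OT monitor: asset inventory, segmentation checks and setpoint checks.

Added example, not the article's own code. Records are constructed:
  flow  <src_ip> <dst_ip> <dst_port>          -- a network connection
  write <src_ip> <dst_ip> <register> <value>  -- a decoded setpoint write
"monitor" mode only alerts; "enforce" mode returns block decisions, so
conflicts can be evaluated before anything is enforced on a plant network.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed zones (assumed: corporate LAN, HMI segment, PLC segment).
ZONES = {
    "corp": ip_network("10.10.0.0/16"),
    "hmi": ip_network("192.168.50.0/24"),
    "plc": ip_network("192.168.60.0/24"),
}
# Allowed (src_zone, dst_zone, dst_port) triples; anything else is a finding.
ALLOWED = {
    ("hmi", "plc", 502),  # Modbus/TCP polling and writes from HMIs
    ("hmi", "plc", 102),  # S7comm from HMIs
}
# Constructed engineering limits for a pasteurizer hold step: register -> (min, max).
LIMITS = {
    "hold_temp_c": (71.0, 80.0),
    "hold_time_s": (15.0, 60.0),
}
WRITERS = {"hmi"}  # only hosts in these zones may write setpoints

# Constructed sample log: two good flows, two bad flows, one good write,
# one write that cuts the hold time too short, one write from the corporate LAN.
SAMPLE_LOG = """\
flow 192.168.50.10 192.168.60.5 502
flow 192.168.50.10 192.168.60.5 102
flow 10.10.4.22 192.168.60.5 502
flow 172.16.9.9 192.168.60.7 502
write 192.168.50.10 192.168.60.5 hold_temp_c 72.5
write 192.168.50.10 192.168.60.5 hold_time_s 5
write 10.10.4.22 192.168.60.5 hold_temp_c 60
"""


def zone_of(ip: str) -> str:
    """Map an IP address to its zone name, or "unknown" if it is in no zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


@dataclass
class Finding:
    kind: str    # segmentation | unauthorized-write | out-of-limits
    detail: str
    action: str  # "alert" in monitor mode, "block" in enforce mode


@dataclass
class Monitor:
    mode: str = "monitor"
    assets: dict = field(default_factory=dict)   # ip -> set of (role, port or register)
    findings: list = field(default_factory=list)

    def _record(self, kind: str, detail: str) -> None:
        action = "block" if self.mode == "enforce" else "alert"
        self.findings.append(Finding(kind, detail, action))

    def _see(self, ip: str, role: str, what) -> None:
        # Every host that appears in traffic lands in the inventory, even unknown ones.
        self.assets.setdefault(ip, set()).add((role, what))

    def process(self, line: str) -> None:
        parts = line.split()
        if not parts:
            return
        if parts[0] == "flow":
            _, src, dst, dport = parts
            dport = int(dport)
            self._see(src, "client", dport)
            self._see(dst, "server", dport)
            key = (zone_of(src), zone_of(dst), dport)
            if key not in ALLOWED:
                self._record("segmentation", f"{src} ({key[0]}) -> {dst} ({key[1]}):{dport}")
        elif parts[0] == "write":
            _, src, dst, reg, raw = parts
            value = float(raw)
            self._see(src, "writer", reg)
            self._see(dst, "plc", reg)
            if zone_of(src) not in WRITERS:
                self._record("unauthorized-write", f"{src} ({zone_of(src)}) wrote {reg}={value} to {dst}")
            lo, hi = LIMITS.get(reg, (float("-inf"), float("inf")))
            if not lo <= value <= hi:
                self._record("out-of-limits", f"{reg}={value} outside [{lo}, {hi}] from {src} to {dst}")


def run(log: str = SAMPLE_LOG, mode: str = "monitor") -> Monitor:
    """Feed every log line to a Monitor and return it for inspection."""
    m = Monitor(mode=mode)
    for line in log.splitlines():
        m.process(line)
    return m


if __name__ == "__main__":
    m = run()
    print(f"{len(m.assets)} assets seen, {len(m.findings)} findings:")
    for f in m.findings:
        print(f"  [{f.action}] {f.kind}: {f.detail}")
```

Run it once in "monitor" mode and review the inventory and findings with the plant engineers; the segmentation findings show which hosts are talking across zones today (the unknown 172.16.9.9 host is exactly the kind of thing asset discovery is meant to surface), and the out-of-limits finding shows how a process-aware check catches a shortened hold time regardless of who sent it. Only once the alerts match what the engineers expect does "enforce" mode make sense, which is the monitoring-before-defensive-posture sequence recommended above.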
WRAP UP
With the number of bad actors around the world stacking up like never before, you are probably in competition with someone who would be happy to see your production crippled. OT environments are often forgotten when we think of being vulnerable to hacking groups, but as a student of international politics and global trends, I feel we might find ourselves in a world where sabotage is more common than before as competitive and political pressures mount.
About the author:
Eric Marchewitz is a security solutions architect, recovering CISSP and AWS Cloud Practitioner. His career in information security has spanned 23 years, working for companies such as PGP Security, Cisco Systems and Check Point. Most recently he is a Field Solutions Architect for CDW Corporation. This article does not reflect the views of CDW, is for information purposes only and should not be considered professional advice. No warranty of the information contained within is given.
Trend Micro Cloud Business Development Specialist
2 years
I appreciate your mastery of memes. And the content is great, of course! If you don't mind I'm going to point CDW AMs to this article to help improve their understanding of OT. :)
Eclectic art in multi media forms. Willing to collaborate with clients.
2 years
Really great piece Eric!! It makes me recall the Tylenol tampering from way back when. People have totally forgotten that!!! With today's tech, it is super scary to think what could happen.
Enterprise Account Executive | Cybersecurity @ Check Point Software Technologies Ltd
2 years
Great article!!