Security researchers at Forescout’s Vedere Labs have identified 56 vulnerabilities in Operational Technology (OT) systems. The bugs included high-severity vulnerabilities in 10 vendors’ products, spanning programmable logic controllers, SCADA HMI systems, and software development kits. Many of the systems are widely used in oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and building automation.
The vulnerabilities are collectively known as OT:ICEFALL. The researchers noted that an attacker with network access to an exploitable device could start or stop the device, disable communication links, change control logic, modify firmware, execute code remotely, bypass authentication, compromise credentials, cause denial of service, or produce a variety of other operational impacts.
On the heels of this news, the Cybersecurity & Infrastructure Security Agency (CISA) released five corresponding Industrial Controls Systems Advisories (ICSAs) to provide notice of the reported vulnerabilities and “identify baseline mitigations for reducing risks to these and other cybersecurity attacks,” according to a statement from the agency.
In those advisories, CISA noted that the consequences of these systems being breached included the ability to:
- change configurations
- manipulate services
- cause a denial-of-service
- upload logic with arbitrary code
- impersonate other users
- disable communication links.
Not your father’s manufacturing floor
There are several reasons there is such concern about these vulnerabilities.
In the past, OT systems were typically not connected to other enterprise systems, let alone to the internet or the cloud. That isolation provided two important benefits. First, it was harder to compromise a device (such as a sensor) that was part of an OT system. And second, if a device was compromised, the damage was confined to the OT environment. That is not a great outcome, but it bounded the potential damage.
Due to these and other factors, device security was not a primary concern. That remains the case today. “[Internet of Things] devices are often developed as commodity products that aren’t treated as enterprise products,” says Christopher Prewitt, Chief Technology Officer at Inversion6. “And the IoT software development process is immature, and focus is not on security and software lifecycle, but immediate functionality and value to the consumer.”
Recently, two overarching trends have changed that situation. The first is the push to bring IT and OT together. For example, data collected by an OT system might be analyzed as part of a more proactive maintenance approach: a sensor reporting an elevated temperature or pressure on production line equipment might indicate that a part is about to fail. Rather than waiting for the failure to shut down the production line, the information can be used to send a maintenance crew out to check on the situation. If IT systems are looped into the equation, that early indication that a part needs replacing could trigger an ERP system to order the part in advance.
The benefits of uniting IT and OT systems are considerable. Unfortunately, once the systems are connected, those previously isolated OT systems are reachable by the same attackers that target IT networks. Hence the importance of the numerous vulnerabilities reported by Forescout.
The other major shift is that many of the systems are moving to the cloud. An example would be an OT system passing all its data from the shop floor or production line sensors and IoT devices to a cloud database for rapid analysis to support predictive maintenance, spot operational anomalies, and more. Again, that exposes the OT systems to outside attacks.
OT network security best practices
Earlier this year, Shailaja Suresh, Senior Solutions Architect at Amazon Web Services (AWS), and Russell de Pina, former Senior Partner Solutions Architect at AWS, wrote a blog addressing OT security issues in general and in OT systems used in manufacturing, in particular. They noted:
“In manufacturing plants, there have been IT systems used for creating, managing, and processing enterprise business data and separate OT systems used for managing operations of factories and industrial equipment. As manufacturers connect their OT systems to IT systems and networks as part of their digital transformation (Industry 4.0), they need to ensure they do it securely and apply OT security best practices.”
While they focused on manufacturing, the same issue applies to other industries that use OT systems. With that in mind, they pointed out that best practices include:
- securing all layers from the connected devices themselves to the OT systems they connect to
- securing routers, gateways, and other devices the OT systems connect with to share their data with IT and cloud systems
- encrypting connections or routing them through a private network or VPN when linking OT workloads to the cloud
- using the encrypted variants of OT communications protocols wherever possible, such as MQTT over TLS or Modbus/TCP Security (Modbus over TLS); plain Modbus/TCP and plain MQTT carry no encryption of their own.
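Two checks that put the last two best practices into practice, as an added example (this is not code from the AWS blog post or from Forescout's research): an audit of an OT-to-cloud link inventory that flags plaintext protocol variants and names the encrypted alternative, and a TLS client context that actually verifies the broker or gateway it connects to, shown beside the "verify nothing" shortcut. The link inventory is constructed sample data; the port numbers are the IANA defaults (Modbus/TCP 502, Modbus/TCP Security 802, MQTT 1883, MQTT over TLS 8883). The link names and the helper functions are assumptions made for this example.

```python
"""Added example: audit OT-to-cloud links for transport encryption and build
a verifying TLS client context. Not code from the AWS blog or Forescout."""
import ssl
from dataclasses import dataclass

# (protocol, default port) of the plaintext variant -> its encrypted variant.
# Port numbers are the IANA defaults.
PLAINTEXT_DEFAULTS = {
    ("modbus", 502): ("Modbus/TCP Security (Modbus over TLS)", 802),
    ("mqtt", 1883): ("MQTT over TLS", 8883),
    ("http", 80): ("HTTPS", 443),
}
ENCRYPTED_DEFAULTS = {("modbus", 802), ("mqtt", 8883), ("https", 443)}


@dataclass(frozen=True)
class Link:
    name: str            # hypothetical label for the link
    protocol: str
    port: int
    via_vpn: bool = False  # True when the link is tunnelled through a VPN/private network


def audit_links(links):
    """Return one finding per link that leaves the OT network without transport
    encryption. A plaintext protocol inside a VPN tunnel is accepted (the
    blog's alternative to encrypting the application protocol); a plaintext
    protocol straight to the cloud is not. Unknown protocols are reported so
    someone checks them by hand rather than silently passing."""
    findings = []
    for link in links:
        key = (link.protocol.lower(), link.port)
        if key in ENCRYPTED_DEFAULTS:
            continue
        if key in PLAINTEXT_DEFAULTS:
            if link.via_vpn:
                continue
            alt_name, alt_port = PLAINTEXT_DEFAULTS[key]
            findings.append(
                f"{link.name}: {link.protocol}/{link.port} is plaintext; "
                f"use {alt_name} on port {alt_port} or route it through a VPN"
            )
        else:
            findings.append(
                f"{link.name}: {link.protocol}/{link.port} not recognised; "
                f"verify transport encryption manually"
            )
    return findings


def build_client_tls_context(cafile=None, certfile=None, keyfile=None):
    """TLS settings for the OT side of an MQTT-over-TLS or Modbus-over-TLS link.
    create_default_context already enables certificate verification and
    hostname checking; this pins the floor to TLS 1.2 and optionally loads a
    device certificate so the broker can authenticate the device (mutual TLS).
    cafile/certfile/keyfile are paths supplied by the deployment."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def unverified_context():
    """The weak setting, shown only for contrast: TLS that verifies nothing.
    Anyone on the path to the cloud can impersonate the broker and read or
    alter every telemetry message."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


# Constructed inventory for a hypothetical plant; not real hosts.
SAMPLE_LINKS = [
    Link("PLC-1 to historian", "modbus", 502),
    Link("line-2 sensors to cloud", "mqtt", 1883, via_vpn=True),
    Link("edge gateway to cloud broker", "mqtt", 8883),
    Link("HMI web console", "http", 80),
    Link("packaging cell", "opcua", 4840),
]

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_LINKS):
        print(finding)
    ctx = build_client_tls_context()
    print("verify_mode:", ctx.verify_mode, "min TLS:", ctx.minimum_version)
```

Run as a script it reports three links: the Modbus link and the HMI console are plaintext with nothing around them, and the OPC UA link is flagged for manual review because OPC UA's encryption is a per-endpoint security mode rather than a port choice. The MQTT link inside the VPN passes, which matches the blog's wording that a private network or VPN is an acceptable alternative to encrypting the protocol itself.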
Other best practices focus on the devices and edge gateways themselves, which are common footholds in attacks. Companies should disable or remove unused services, USB ports, applications, and network protocols to reduce the attack surface, and they should harden the underlying operating systems of the edge gateways.