We’ve entered a new era in which defending against cyberthreats to operational technology (OT) systems requires much more thoughtful and strategic approaches. Protecting an OT or industrial control system (ICS) is a different proposition than protecting an information technology (IT) system because their basic missions and purposes are fundamentally different.

OT systems essentially work behind the scenes to provide the controls and functionality that allow all types of industries, commercial enterprises, institutions, utilities or government agencies to operate the basic physical infrastructure needed for day-to-day operations.

For example, the supervisory control and data acquisition (SCADA) systems that enable utilities to manage everything from substations and power plants to water distribution systems and pump stations are the central control links that allow operators to perform nearly all critical functions. SCADA systems, like many other types of OT/ICS, are essentially where the technology touches the physical infrastructure.

IT systems are generally much more visible to users and can run everything from the servers needed for email and other messaging platforms to business enterprise systems needed for accounting, finance, legal and other business activities.

Though it’s equally important to protect both IT and OT systems from cyberattacks, the means and methods of doing so can vary greatly.

False Sense of Security

Cyber infrastructure is increasingly interconnected, and many argue this is contributing to an increased vulnerability to attacks, such as the recently publicized incident where an attack on a major pipeline shut down operations for days until a ransom was paid.

Until recently, most organizations assumed that their OT/ICS were protected because most of the devices and components operated deep in the background with little chance of being noticed by an attacker. Moreover, most believed their devices were air-gapped, that is, physically isolated with no network path, wired or wireless, between the control network and the corporate network or the internet.

This is not the reality today. Very few components and devices are truly air-gapped: vendor remote-access connections, historians that feed data to business systems, USB media carried between networks and cellular modems on field equipment all create paths into the control network, and there are more points of vulnerability than most organizations realize.

Where Should Cybersecurity Begin?

The ideal scenario is to build cybersecurity controls into a new OT/ICS while it is being designed and installed. The challenge, however, is that cybersecurity protections often must be designed for various combinations of new and old systems. Adding new technology to older systems sometimes opens up points of vulnerability that were not anticipated.

In these scenarios, it often means that the weakest and/or most critical points must be identified. What is most critical to continued operations? What aspects of the system must not fail?

The answers often reflect the need to protect human health and safety as well as the core systems needed for continuous business operations. Whether it’s providing uninterrupted power, maintaining clean water operations, or keeping gasoline pumping through a pipeline, the protection strategy must focus on countering potential attacks that could compromise the most critical systems. Traditional IT protections, such as host-based antivirus and perimeter firewalls, often cannot simply be carried over to an OT environment: many controllers and legacy HMIs cannot run endpoint agents or tolerate scanning, and an attacker who reaches the control network can do real damage with perfectly valid protocol commands that a firewall will pass. The protection methodology must therefore shift to a sensor-based strategy, grounded in an analysis of the critical systems that must be protected at all costs.

For these systems, a defense-in-depth strategy is critical. Layers of firewalls may be added around essential systems like SCADA, and those design principles can be extended to protecting other systems and devices at the edge of the network. A sensor-based protection scheme should be designed so that traffic is monitored at multiple points: at the boundary between IT and OT, between zones inside the OT network, and on the control network itself. Because many OT protocols and devices are fragile, these sensors are normally passive, fed from a network tap or a switch SPAN port, so that monitoring itself can never disturb the process.

The next step is to configure rules for the monitoring system that define what normal activity looks like, how deviations from that baseline (anomalies) are flagged, and which known-bad artifacts, the indicators of compromise (IOCs) such as attacker IP addresses or malware hashes, are matched. Because most OT systems have narrowly defined tasks, regulating or controlling water valves, for instance, normal activity is usually easy to describe: a fixed set of hosts speaking a fixed set of protocols with a fixed set of commands, so anything outside that set stands out.

The rules would route alerts to the appropriate parties when an anomaly or IOC is detected. These assigned personnel would have authority to investigate and determine whether there is a benign explanation for the alert, such as scheduled maintenance, or whether further action is warranted. For example, traffic from IP addresses on a known-bad list, or from regions of the world that are a frequent source of attacks, would trigger an alert that requires action from operators.
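As an added example of such a rule set (not code from the article or from 1898 & Co.), the following Python script applies an allow-list baseline and a known-bad list to a handful of constructed flow records, the kind of per-message summaries a passive OT sensor emits. All host addresses, register numbers, engineered limits and the 203.0.113.0/24 "known-bad" range are hypothetical. It goes one step beyond the paragraph above: besides unexpected hosts and commands, it checks a written setpoint against an engineered range, which catches a dangerous chemical-dose change regardless of who sends it.

```python
"""Added example: a minimal rule set for a passive OT network sensor.

Everything here is hypothetical and constructed for illustration: the host
addresses, the Modbus register numbers, the engineered limits and the
'known-bad' address range. It is not the article's or any vendor's code.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Alert:
    kind: str    # "ioc" = matched a known-bad artifact, "anomaly" = left the baseline
    rule: str
    src: str
    detail: str


# Baseline for one hypothetical water-treatment segment: which source host may
# send which protocol function to which controller. Anything else is an anomaly.
ALLOWED_CONVERSATIONS = {
    ("10.10.1.5", "10.10.2.20", "read_holding"),   # HMI polls the dosing PLC
    ("10.10.1.5", "10.10.2.20", "write_single"),   # HMI adjusts setpoints
    ("10.10.1.9", "10.10.2.20", "read_holding"),   # historian is read-only
}

# Hypothetical engineered limits for writable registers: register -> (lo, hi, label).
REGISTER_LIMITS = {
    40010: (0, 200, "NaOH dose setpoint, ppm"),
}

# Constructed IOC list. 203.0.113.0/24 is a documentation range standing in for a
# threat-intelligence feed of known-bad sources.
KNOWN_BAD_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed flow records: timestamp src dst protocol function register value.
SAMPLE_FLOWS = [
    "2021-02-05T13:00:01 10.10.1.5 10.10.2.20 modbus read_holding 40001 -",
    "2021-02-05T13:00:02 10.10.1.5 10.10.2.20 modbus write_single 40010 100",
    "2021-02-05T13:00:10 10.10.1.9 10.10.2.20 modbus write_single 40010 11100",
    "2021-02-05T13:00:11 203.0.113.7 10.10.2.20 modbus read_holding 40001 -",
    "2021-02-05T13:00:12 10.10.1.5 10.10.2.20 modbus diag 0 -",
]


def parse_flow(line):
    """Split one whitespace-separated flow record into a dict."""
    ts, src, dst, proto, func, reg, val = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "func": func,
            "reg": int(reg), "val": None if val == "-" else int(val)}


def evaluate(flow):
    """Apply the IOC rule and the two baseline rules to one flow; return alerts."""
    alerts = []
    src_ip = ipaddress.ip_address(flow["src"])

    # IOC rule: a known-bad source is reported whatever it is doing.
    if any(src_ip in net for net in KNOWN_BAD_NETWORKS):
        alerts.append(Alert("ioc", "known_bad_source", flow["src"],
                            f"{flow['src']} is on the known-bad list"))

    # Anomaly rule 1: the (source, destination, function) triple is not in the baseline.
    if (flow["src"], flow["dst"], flow["func"]) not in ALLOWED_CONVERSATIONS:
        alerts.append(Alert("anomaly", "unexpected_conversation", flow["src"],
                            f"{flow['src']} sent {flow['func']} to {flow['dst']}"))

    # Anomaly rule 2: a write whose value is outside the engineered range for
    # that register. This fires even when the writer is an allowed host.
    if flow["func"].startswith("write") and flow["val"] is not None:
        limits = REGISTER_LIMITS.get(flow["reg"])
        if limits is not None:
            lo, hi, label = limits
            if not lo <= flow["val"] <= hi:
                alerts.append(Alert("anomaly", "value_out_of_range", flow["src"],
                                    f"{label}: wrote {flow['val']}, allowed {lo}..{hi}"))
    return alerts


def run_sensor(lines):
    """Evaluate every flow record and return all alerts in order."""
    alerts = []
    for line in lines:
        alerts.extend(evaluate(parse_flow(line)))
    return alerts


if __name__ == "__main__":
    for a in run_sensor(SAMPLE_FLOWS):
        print(f"[{a.kind}] {a.rule} from {a.src}: {a.detail}")
```

Running the script over the constructed records produces five alerts: the first two flows are baseline HMI traffic and stay silent, the historian's out-of-range write triggers both an unexpected-conversation and a value-out-of-range alert, the 203.0.113.7 source matches the IOC list and also falls outside the baseline, and the diagnostic function from the HMI is flagged simply because it was never part of normal activity. In a real deployment the baseline would be learned from a capture taken during known-good operation and then reviewed with the control engineers before enforcement.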

New Threat Era

Threat actors and their capabilities have become increasingly sophisticated and possess tools that can be weaponized to attack any industry or business, whether it’s a utility, an oil and gas facility, or water plant. The attack vectors are evolving as devices become increasingly interconnected.

Given the elevated threat environment today, we should assume that a breach can originate from almost anywhere, including from inside the OT network itself.

Plant and facility operators can no longer assume they will escape attack simply because their operations are small, or that they will escape notice because many similar facilities exist.

Exhibit A might be a 2021 intrusion at a small municipal water utility in Oldsmar, Florida. In this instance, an unauthorized user gained access to the treatment plant’s control system through remote-access software and raised the setpoint for sodium hydroxide (lye) from about 100 parts per million to 11,100 parts per million, a level that could have been harmful to customers had the water reached them. Fortunately, an operator watching the screen noticed the change and immediately reset the setpoint, and the plant’s other checks would have caught the change before treated water left the facility, averting a catastrophe.

It doesn’t matter whether it’s an interstate pipeline or a small water utility: Threat actors are picking targets that range across the board. Proactive planning and defense-in-depth strategies are more of an imperative today than ever before.


Gabriel Sanchez is global director of SOC operations and incident response for 1898 & Co., part of Burns & McDonnell. Gabriel holds certifications as a Certified Information Systems Security Professional, Global Industrial Cyber Security Professional and a Project Management Professional.