Understanding the threat landscape and risks of OT environments

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Chris Sistrunk, Technical Manager in Mandiant’s ICS/OT Consulting practice and former engineer at Entergy, where he was a subject matter expert on transmission and distribution of supervisory control and data acquisition (SCADA) systems. In this blog, Chris introduces operational technology (OT) security and shares the unique challenges and security risks to OT.

Natalia: What’s the difference between OT, industrial control systems (ICS), and supervisory control and data acquisition (SCADA)?

Chris: OT, ICS, and SCADA are terms that describe non-IT digital systems. The main encompassing term is operational technology, or OT, which describes digital systems that interact with physical processes in the real world—such as turbines, mixing tanks, industrial robots, and automated warehouses. If you think about manufacturing, power grids, or oil and gas, OT encompasses the cyber-physical systems (CPS) that monitor and control production—how companies make their money producing things like food, water, pharmaceuticals, chemicals, or tractors.

Industrial control systems, or ICS, is under the umbrella of OT. A control system uses automation to take the human out of the equation. For instance, a car plant might have replaced an assembly line with robots, or a food processing plant replaced manual adjustments of ingredients with specific logic code. Industrial control systems are everywhere—manufacturing, retail distribution centers, water treatment, oil and gas, transportation and mining, as well as building automation (like HVAC, elevators, access control, and CCTV) in hospitals, smart buildings, and datacenters.

Supervisory control and data acquisition, or SCADA, is a specific type of industrial control system that enables organizations to monitor and control OT equipment across a wide geographic area. Power companies, oil and gas pipelines, and water facilities have SCADA systems because they cover a large area.

Natalia: What makes securing OT uniquely challenging?

Chris: Security for IT systems has been around for a long time. In the 1980s, control systems didn’t look like normal computers. They were designed for a specific purpose—to last long and to withstand heat and very cold temperatures in wet or caustic environments. These control systems were not connected to any other networks. IT had security, but it didn’t exist in control systems.

Over the years, control systems have become more connected to IT networks—and sometimes to the internet as well—because upper management wants to get a real-time view of the next day’s production or what the projections are for next week or next month based on historical output. The only way to get that information in real-time is to connect the two systems—IT and OT. If you connect control systems to something that’s eventually connected to the internet—it might have firewalls or it might not. That’s a problem.

If you take an IT security network sensor and put it in a control system, it will only understand what it knows—standard IT protocols like HTTP and FTP. It won’t understand the Siemens S7 protocol or the GE SRTP protocol that are not used in IT systems. You also can’t put antivirus or endpoint detection and response (EDR) agents on most of these systems because they’re not Windows or Linux. They’re often real-time embedded operating systems that may be completely custom, plus they also require fast response times that could be affected by antivirus and EDR operations.

Natalia: What threats are prevalent in OT environments?

Chris: We have seen five publicly known cyberattacks against control systems, including Stuxnet, the power grid cyberattacks on Ukraine in 2015 and 2016, and the 2017 Triton attack on safety control systems in a petrochemical facility.

Insider threats are also something to pay attention to. The first publicly known attack on a control system was in the late 1990s in Australia. A fired employee still had access to the equipment and caused a sewage spill. Several years ago, someone was fired at a paper mill in Louisiana, but no one removed his remote access. He logged in and shut down the plant. They knew exactly who it was so the FBI got him, but it cost them about three days of downtime, which likely cost them millions of dollars.

Besides security threats, there’s the risk of an honest mistake. Someone is making a change at 5 PM on a Friday that they didn’t test out, and it causes a network outage, and people have to work over the weekend to fix it. Not having a good change management procedure, standard operating procedures, or rollback plan can cost millions of dollars.

Natalia: What do you think about the incident on February 5, 2021, when a hacker gained access to the water treatment system of Oldsmar, Florida?

Chris: Many water and wastewater companies are just beginning their security journey. They don’t have a large budget and may have only one or two IT folks—notice I didn’t say IT security folks—and they have to wear multiple hats. In the case of the Florida attack, I’m not surprised because most don’t have security standards like active monitoring and ensuring secure access via VPN and multifactor authentication for employees and contractors. They’re not regulated to have strong cybersecurity controls and don’t experience many attacks.

Just because someone can change something on a screen to be 100 times the original value doesn’t mean it physically can change. When you change a chemical in a water system, it is not going to instantaneously change, and it may not even be physically possible to change to that amount. Water and wastewater facilities manually take multiple samples every day so they would have caught any changes before it affected water utility customers.

Natalia: Are contractors a potential attack vector for OT?

Chris: In this case too, it’s usually a byproduct of shadow IT, where OT personnel provide remote access to contractors without going through IT to do it in a secure way using VPN, multifactor authentication, and rotating passwords. You need to provide contractors with visibility and access to the OT network for ongoing maintenance and monitoring, and there are not too many of you. Your contractors are also probably not required to have security training.

In the early 2000s, we had remote access to substations. If you knew something was wrong, you could dial in and look, and then go back to what you were doing. But if something is on the internet, opportunistic threat groups and malicious cyber criminals are going to poke around and be able to do stuff. Organizations should be concerned and look at their security, including who has remote access.

Natalia: Are you seeing more ransomware attacks impacting OT?

Chris: We are. Ransomware is terrible, and it’s affecting hospitals, which have control systems, power plants, and water facilities because they can’t rely on the city water if it goes out. They also have life support systems, imaging, and surgery support. Ransomware has also affected oil and gas companies and power companies on the IT side.

A lot of the attacks were more effective because the organizations didn’t have any segmentation between control systems and the IT network. If you’re using the open platform communications (OPC) protocol, the old version requires 64,000 TCP ports to be open, which includes ports 3389 and VNC 5900. As a result, you don’t have a firewall between IT and OT.

There must be intentionally engineered design to help protect control systems because if you don’t, you leave yourself open to something that doesn’t care what you are.

Learn more

To learn more about IoT and Microsoft Security read our IoT security blog series.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

READ MORE HERE